Question–Answer Methodology for Vulnerable Source Code Review via Prototype-Based Model-Agnostic Meta-Learning

Bibliographic Details
Main Authors: Pablo Corona-Fraga, Aldo Hernandez-Suarez, Gabriel Sanchez-Perez, Linda Karina Toscano-Medina, Hector Perez-Meana, Jose Portillo-Portillo, Jesus Olivares-Mercado, Luis Javier García Villalba
Format: Article
Language: English
Published: MDPI AG, 2025-01-01
Series: Future Internet
Online Access: https://www.mdpi.com/1999-5903/17/1/33
Collection: DOAJ
Description:
In cybersecurity, identifying and addressing vulnerabilities in source code is essential for maintaining secure IT environments. Traditional static and dynamic analysis techniques, although widely used, often exhibit high false-positive rates, elevated costs, and limited interpretability. Machine Learning (ML)-based approaches aim to overcome these limitations but encounter challenges related to scalability and adaptability due to their reliance on large labeled datasets and their limited alignment with the requirements of secure development teams. These factors hinder their ability to adapt to rapidly evolving software environments. This study proposes an approach that integrates Prototype-Based Model-Agnostic Meta-Learning (Proto-MAML) with a Question-Answer (QA) framework that leverages the Bidirectional Encoder Representations from Transformers (BERT) model. By employing Few-Shot Learning (FSL), Proto-MAML identifies and mitigates vulnerabilities with minimal data requirements, aligning with the principles of the Secure Development Lifecycle (SDLC) and Development, Security, and Operations (DevSecOps). The QA framework allows developers to query vulnerabilities and receive precise, actionable insights, enhancing its applicability in dynamic environments that require frequent updates and real-time analysis. The model outputs are interpretable, promoting greater transparency in code review processes and enabling efficient resolution of emerging vulnerabilities. Proto-MAML demonstrates strong performance across multiple programming languages, achieving an average precision of 98.49%, recall of 98.54%, F1-score of 98.78%, and exact match rate of 98.78% in PHP, Java, C, and C++.
Institution: Kabale University
ISSN: 1999-5903
DOI: 10.3390/fi17010033
Volume 17, Issue 1, Article 33

Affiliations:
- Pablo Corona-Fraga: Centro de Investigación e Innovación en Tecnologías de la Información y Comunicación, Avenida San Fernando No. 37, Colonia Toriello Guerra, Delegación Tlalpan, Mexico City 14050, Mexico
- Aldo Hernandez-Suarez, Gabriel Sanchez-Perez, Linda Karina Toscano-Medina, Hector Perez-Meana, Jose Portillo-Portillo, Jesus Olivares-Mercado: Instituto Politecnico Nacional, ESIME Culhuacan, Mexico City 04440, Mexico
- Luis Javier García Villalba: Group of Analysis, Security and Systems (GASS), Department of Software Engineering and Artificial Intelligence (DISIA), Faculty of Computer Science and Engineering, Office 431, Universidad Complutense de Madrid (UCM), Calle Profesor José García Santesmases, 9, Ciudad Universitaria, 28040 Madrid, Spain
Subjects:
- question–answer methodology
- vulnerable source code review
- prototype-based learning
- model-agnostic meta-learning
- Proto-MAML
- code vulnerability detection