Microsoft AI can detect security flaws with 99% accuracy

Developers can use the mechanism to establish whether bugs are security-related and assign a severity rating

Microsoft has released an artificial intelligence (AI)-powered tool to help developers categorise bugs and features that need to be addressed in forthcoming releases.

The software giant’s machine learning system classifies bugs as security or non-security with a 99% accuracy, and also determines whether a bug is critical or non-critical with a 97% accuracy rating.

Advertisement - Article continues below

With ambitions to build a system with a level of accuracy as close as possible to a security expert, Microsoft fed its machine learning model with bugs labelled as security and non-security. Once this was trained, it could then label data that was not pre-classified. 

“Every day, software developers stare down a long list of features and bugs that need to be addressed,” said Microsoft’s senior security program manager Scott Christiansen, and data and applied scientist Mayana Pereira. 

“Security professionals try to help by using automated tools to prioritize security bugs, but too often, engineers waste time on false positives or miss a critical security vulnerability that has been misclassified.

“At Microsoft, 47,000 developers generate nearly 30 thousand bugs a month. These items get stored across over 100 AzureDevOps and GitHub repositories. To better label and prioritize bugs at that scale, we couldn’t just apply more people to the problem. However, large volumes of semi-curated data are perfect for machine learning.”

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Because the system needs to be as accurate as a security expert, security professionals approved training data before this was fed into the machine learning model. Once the model was operational, they were brought back to evaluate the model in production.

The project began with data science and the collection of all data types and sources to evaluate quality. Security experts were then brought in to review the data and confirm the labels assigned were correct. 

Related Resource

Shifting toward Enterprise-grade AI

Resolving data and skills gaps to realise value

Download now

Data scientists then chose a modelling technique, trained the model, and evaluated performance. Finally, security experts evaluated the model in production by monitoring the average number of bugs and manually reviewing a random sample.

The mechanism uses a step-step machine learning model operation; first learning how to classify between security and non-security bugs and then to apply a severity rating.

As a result of the level of accuracy, Microsoft now believes it’s catching more security vulnerabilities before they are exploited in the wild.

Development teams can read details in a published academic paper, with the machine learning methodology set to be open-sourced through GitHub in the coming months. 

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now
Advertisement

Recommended

Visit/security/encryption/355820/k2view-innovates-in-data-management-with-new-encryption-patent
encryption

K2View innovates in data management with new encryption patent

28 May 2020
Visit/software/video-conferencing/355410/zoom-50-adds-256-bit-encryption-and-ui-refresh
video conferencing

Zoom 5.0 adds 256-bit encryption to address security concerns

23 Apr 2020
Visit/security/hacking/355382/whatsapps-flaw-shoulder-surfing
hacking

WhatsApp flaw leaves users open to 'shoulder surfing' attacks

21 Apr 2020
Visit/security/vulnerability/355276/businesses-brace-for-second-fujiwhara-effect-of-2020-as-patch-tuesday
vulnerability

Businesses brace for second 'Fujiwhara effect' of 2020 as Patch Tuesday looms

9 Apr 2020

Most Popular

Visit/operating-systems/microsoft-windows/355812/microsoft-warns-against-installing-windows-10-may-2020
Microsoft Windows

Microsoft warns users not to install Windows 10's May update

28 May 2020
Visit/security/data-breaches/355777/easyjet-faces-class-action-lawsuit-over-data-breach
data breaches

EasyJet faces class-action lawsuit over data breach

26 May 2020
Visit/security/cyber-security/355797/microsoft-bans-trend-micros-rootkit-buster-from-windows-10
cyber security

Microsoft bans Trend Micro driver from Windows 10 for "cheating" hardware tests

27 May 2020