Article (tiempo de lectura: 3 minuto)

Microsoft AI can detect security flaws with 99% accuracy

Microsoft has released an AI-powered tool to help developers categorize bugs and features that need to be addressed in forthcoming releases.

Larry Hau / Rackspace

Nota del editor:

Este trabajo de Microsoft representa una conexión significativa entre la inteligencia artificial (AI) y el mundo tecnológico práctico. Microsoft se está convirtiendo muy rápido en experto en la aplicación razonada de AI a problemas urgentes y reales. Dado su alcance de visibilidad en cuestiones de seguridad que van desde los núcleos básicos hasta la capa de aplicación, las empresas de software están muy bien posicionadas para tomar la iniciativa en materia de seguridad, y esto reafirma esa ventaja.

Estos servicios son precisamente el motivo por el que los proveedores de la nube pública están tan adelantados. Las empresas grandes pueden combinar la experiencia de diversas áreas dentro de sus vastos negocios y producir capacidades únicas que otros simplemente no pueden replicar. Esto no es nada nuevo, pero debería servir como un recordatorio de que la especialización es el camino a seguir, ya que la infraestructura y los servicios relacionados se masifican de forma constante. Aproveche estos servicios, en lugar de desarrollarlos por su cuenta, y use el tiempo extra para diseñar capacidades diferenciadas dentro de su industria.

- Larry

Microsoft has released an artificial intelligence (AI)-powered tool to help developers categorise bugs and features that need to be addressed in forthcoming releases.

The software giant's machine learning system classifies bugs as security or non-security with a 99% accuracy, and also determines whether a bug is critical or non-critical with a 97% accuracy rating.

With ambitions to build a system with a level of accuracy as close as possible to a security expert, Microsoft fed its machine learning model with bugs labelled as security and non-security. Once this was trained, it could then label data that was not pre-classified.

"Every day, software developers stare down a long list of features and bugs that need to be addressed," said Microsoft’s senior security program manager Scott Christiansen, and data and applied scientist Mayana Pereira.

"Security professionals try to help by using automated tools to prioritize security bugs, but too often, engineers waste time on false positives or miss a critical security vulnerability that has been misclassified.

"At Microsoft, 47,000 developers generate nearly 30 thousand bugs a month. These items get stored across over 100 AzureDevOps and GitHub repositories. To better label and prioritize bugs at that scale, we couldn’t just apply more people to the problem. However, large volumes of semi-curated data are perfect for machine learning."

Because the system needs to be as accurate as a security expert, security professionals approved training data before this was fed into the machine learning model. Once the model was operational, they were brought back to evaluate the model in production.

The project began with data science and the collection of all data types and sources to evaluate quality. Security experts were then brought in to review the data and confirm the labels assigned were correct.

Data scientists then chose a modelling technique, trained the model, and evaluated performance. Finally, security experts evaluated the model in production by monitoring the average number of bugs and manually reviewing a random sample.

The mechanism uses a step-step machine learning model operation; first learning how to classify between security and non-security bugs and then to apply a severity rating.

As a result of the level of accuracy, Microsoft now believes it’s catching more security vulnerabilities before they are exploited in the wild.

Development teams can read details in a published academic paper, with the machine learning methodology set to be open-sourced through GitHub in the coming months.

This article was written by Keumars Afifi-Sabet from Cloud Pro and was legally licensed through the NewsCred publisher network. Please direct all licensing questions to legal@newscred.com.

Únase a la conversación: encuentre Solve en Twitter and LinkedIn, o síganos en RSS.

Acerca del autor

Senior Product Manager, Unassisted Acquisition, EcommerceLarry Hau

Larry has worked in the cloud since 2012 on every major cloud provider.  He’s run the gamut of support teams to operations teams to engineering teams and managed infrastructures of nearly 200,000 nodes, around the world and around the clock...

Más