Microsoft found that pairing machine learning models with security experts significantly improves the identification and classification of security bugs.
To cope with the overwhelming number of bugs its developers create, Microsoft has built a machine learning model that separates security-related bugs from the rest and prioritizes them.
Microsoft developers create about 30,000 bugs a month, but the vast majority are not security-related. Some, however, require immediate action, and Microsoft is applying machine learning to reduce the time it takes to identify those bugs.
“Too often, engineers waste time on false positives or miss a critical security vulnerability that has been misclassified,” said Scott Christiansen and Mayana Pereira in a company blog post.
“To tackle this problem, data science and security teams came together to explore how machine learning could help. We discovered that by pairing machine learning models with security experts, we can significantly improve the identification and classification of security bugs.”
According to Microsoft, the model is already highly accurate. It has 99 percent accuracy at distinguishing between non-security and security bugs, and 97 percent accuracy at identifying critical security bugs.
To train the model, Microsoft fed it 13 million work items and bugs it has collected since 2001. It then had data scientists and security researchers fine-tune the model until it was able to identify the bugs as accurately as a security expert.
Microsoft will continue to use security experts to ensure the model does not miss any unfamiliar bugs. They will also approve all changes or additions data scientists feed into the model.
Microsoft will share the model’s methodology on GitHub in the coming months.