Skip to main content

Shifting Left for Machine Learning: An Empirical Study of Security Weaknesses in Supervised Learning-based Projects...

by Farzana Bhuiyan, Stacy J Prowell, Hossain Shahriar, Fan Wu, Akond Rahman
Publication Type
Conference Paper
Book Title
2022 IEEE 46th Annual Computers, Software, and Applications Conference (COMPSAC)
Publication Date
Page Numbers
798 to 808
Publisher Location
New Jersey, United States of America
Conference Name
Annual Computers, Software, and Applications Conference (COMPSAC)
Conference Location
Virtual, Italy
Conference Sponsor
Conference Date

Context: Supervised learning-based projects (SLPs), i.e., software projects that use supervised learning algorithms, such as decision trees are useful for performing classification-related tasks. Yet, security weaknesses, such as the use of hard-coded passwords in SLPs, can make SLPs susceptible to security attacks. A characterization of security weaknesses in SLPs can help practitioners understand the security weaknesses that are frequent in SLPs and adopt adequate mitigation strategies. Objective: The goal of this paper is to help practitioners se-curely develop supervised learning-based projects by conducting an empirical study of security weaknesses in supervised learning-based projects. Methodology: We conduct an empirical study by quantifying the frequency of security weaknesses in 278 open source SLPs. Results: We identify 22 types of security weaknesses that occur in SLPs. We observe ‘use of potentially dangerous function’ to be the most frequently occurring security weakness in SLPs. Of the identified 3,964 security weaknesses, 23.79 % and 40.49 % respectively, appear for source code files used to train and test models. We also observe evidence of co-location, e.g., instances of command injection co-locates with instances of potentially dangerous function. Conclusion: Based on our findings, we advocate for a shift left approach for SLP development with security-focused code reviews, and application of security static analysis.