SPI: Automated Identification of Security Patches via Commits

Security patches in open source software, providing security fixes to identified vulnerabilities, are crucial in protecting against cyber attacks. Security advisories and announcements are often publicly released to inform the users about potential security vulnerability. Despite the National Vulnerability Database (NVD) publishes identified vulnerabilities, a vast majority of vulnerabilities and their corresponding security patches remain beyond public exposure, e.g., in the open source libraries that are heavily relied on by developers. As many of these patches exist in open sourced projects, the problem of curating and gathering security patches can be difficult due to their hidden nature. An extensive and complete security patches dataset could help end-users such as security companies, e.g., building a security knowledge base, or researcher, e.g., aiding in vulnerability research. To efficiently curate security patches including undisclosed patches at large scale and low cost, we propose a deep neural-network-based approach built upon commits of open source repositories. First, we design and build security patch datasets that include 38,291 security-related commits and 1,045 Common Vulnerabilities and Exposures (CVE) patches from four large-scale C programming language libraries. We manually verify each commit, among the 38,291 security-related commits, to determine if they are security related. We devise and implement a deep learning-based security patch identification system that consists of two composite neural networks: one commit-message neural network that utilizes pretrained word representations learned from our commits dataset and one code-revision neural network that takes code before revision and after revision and learns the distinction on the statement level. Our system leverages the power of the two networks for Security Patch Identification. Evaluation results show that our system significantly outperforms SVM and K-fold stacking algorithms. The result on the combined dataset achieves as high as 87.93% F1-score and precision of 86.24%. We deployed our pipeline and learned model in an industrial production environment to evaluate the generalization ability of our approach. The industrial dataset consists of 298,917 commits from 410 new libraries that range from a wide functionalities. Our experiment results and observation on the industrial dataset proved that our approach can identify security patches effectively among open sourced projects.

Digital Human Assets and Psycho-digital Risks. Concept and recommendations

Nowadays, 60% of humanity is digitally connected, implying the generation of data and content. In this sense, the objective of this article is to discuss the relationship between the concepts of Human Digital Assets and Psycho-digital Risks. The former comprises digital information linked to a person, and the latter is conceived as the potential danger arising from the interaction of people and organizations due to interaction with networked technologies without sufficient knowledge. Through a qualitative methodological approach and a documental research design, both concepts are addressed, in order to provide their identification, evaluation, and integration in the management of human digitization processes. This paper does not intend to formulate a methodology for its quantification, but rather to motivate and raise awareness of the need to rethink digital literacy in various interest groups. The conclusions allow reflecting on considering the basic aspects of both concepts, their relationship, and recommendations to be incorporated in organizations in order to minimize the risks generated in the digital space that affect our physical life.

Impact of changes in cartography and mapping on the selection of cartographic materials in New Zealand map libraries

<p>Changes to cartography and mapping in New Zealand have had impacts on map library identification, evaluation and selection of maps and other tools that convey spatial data. In semi-structured interviews, five map librarians gave their views on how changes to cartography and mapping affects the selection of cartographic materials. Data gathered from managers/technicians of geographic information systems laboratories were also used in the research. The results indicate that New Zealand's specialist map libraries are developing their collections and services to include electronic cartographic resources. This collection development tends not to be the result of forward looking collection policies that outline a vision and strategies for integrating hardcopy and electronic cartographic materials into collections and services. The results also indicate that map librarians are adapting their selection practices to cater for the special requirements of new cartographic information resources and to overcome some of the difficulties related to the reshaping of the mapping industry in New Zealand.</p>

Impact of changes in cartography and mapping on the selection of cartographic materials in New Zealand map libraries

<p>Changes to cartography and mapping in New Zealand have had impacts on map library identification, evaluation and selection of maps and other tools that convey spatial data. In semi-structured interviews, five map librarians gave their views on how changes to cartography and mapping affects the selection of cartographic materials. Data gathered from managers/technicians of geographic information systems laboratories were also used in the research. The results indicate that New Zealand's specialist map libraries are developing their collections and services to include electronic cartographic resources. This collection development tends not to be the result of forward looking collection policies that outline a vision and strategies for integrating hardcopy and electronic cartographic materials into collections and services. The results also indicate that map librarians are adapting their selection practices to cater for the special requirements of new cartographic information resources and to overcome some of the difficulties related to the reshaping of the mapping industry in New Zealand.</p>

Identification, Evaluation, and Classification of Building Failures

<p>The origin of this thesis was a long-standing interest in the performance of buildings in the years after completion, when the designers and builders have all moved onto the next new work. That interest grew as a result of conducting building surveys in the course of professional practice. The surveys often revealed incipient or actual building failures which required careful diagnosis to discover the cause, so that the failure could be prevented in future. For the knowledge gained from investigation and diagnosis to benefit the wider community, rather than merely the individuals concerned with one building, it became obvious that some system of objective and anonymous recording of the circumstances of each building failure was necessary. This thesis proposes a basis for identifying and evaluating building failures. Building failure is defined from the viewpoint of both the producer of the building and the user to ensure that it is the expectations of both that are considered when a building failure is being identified and evaluated. Identifying and evaluating building failures is a precursor to diagnosing the cause or causes of that failure. it is argued here that any evaluation of the causes of building failures must acknowledge the part played by natural causes as well as the part sometimes played by human error. It is also argued that placing emphasis on blame, and hence on legal liability, encourages universal denial of fault and works against the search for the truth. A system for classification of building failures by their causes is proposed as a means by which the knowledge gained from diagnosis of individual building failure events can be aggregated to reveal the pattern of failures in a sample of buildings. The results from applying the system of identifying, evaluating, and classifying building failures in a sample of New Zealand dwellings are presented. The main conclusion drawn from the work is that because natural causes are so difficult an influence to regulate, the best prospect for reducing the incidence of building failures is the avoidance of human error. Because human error can never be entirely discounted insurance against the risk of error is only wise. A second conclusion reached is that the proposed system of identifying, evaluating, and classifying building failures has been shown to produce useful results, even when the system has had only a written record from which to work.</p>

Modeling and Learning Constraints for Creative Tool Use

Improvisation is a hallmark of human creativity and serves a functional purpose in completing everyday tasks with novel resources. This is particularly exhibited in tool-using tasks: When the expected tool for a task is unavailable, humans often are able to replace the expected tool with an atypical one. As robots become more commonplace in human society, we will also expect them to become more skilled at using tools in order to accommodate unexpected variations of tool-using tasks. In order for robots to creatively adapt their use of tools to task variations in a manner similar to humans, they must identify tools that fulfill a set of task constraints that are essential to completing the task successfully yet are initially unknown to the robot. In this paper, we present a high-level process for tool improvisation (tool identification, evaluation, and adaptation), highlight the importance of tooltips in considering tool-task pairings, and describe a method of learning by correction in which the robot learns the constraints from feedback from a human teacher. We demonstrate the efficacy of the learning by correction method for both within-task and across-task transfer on a physical robot.

Identification, Evaluation, and Classification of Building Failures

<p>The origin of this thesis was a long-standing interest in the performance of buildings in the years after completion, when the designers and builders have all moved onto the next new work. That interest grew as a result of conducting building surveys in the course of professional practice. The surveys often revealed incipient or actual building failures which required careful diagnosis to discover the cause, so that the failure could be prevented in future. For the knowledge gained from investigation and diagnosis to benefit the wider community, rather than merely the individuals concerned with one building, it became obvious that some system of objective and anonymous recording of the circumstances of each building failure was necessary. This thesis proposes a basis for identifying and evaluating building failures. Building failure is defined from the viewpoint of both the producer of the building and the user to ensure that it is the expectations of both that are considered when a building failure is being identified and evaluated. Identifying and evaluating building failures is a precursor to diagnosing the cause or causes of that failure. it is argued here that any evaluation of the causes of building failures must acknowledge the part played by natural causes as well as the part sometimes played by human error. It is also argued that placing emphasis on blame, and hence on legal liability, encourages universal denial of fault and works against the search for the truth. A system for classification of building failures by their causes is proposed as a means by which the knowledge gained from diagnosis of individual building failure events can be aggregated to reveal the pattern of failures in a sample of buildings. The results from applying the system of identifying, evaluating, and classifying building failures in a sample of New Zealand dwellings are presented. The main conclusion drawn from the work is that because natural causes are so difficult an influence to regulate, the best prospect for reducing the incidence of building failures is the avoidance of human error. Because human error can never be entirely discounted insurance against the risk of error is only wise. A second conclusion reached is that the proposed system of identifying, evaluating, and classifying building failures has been shown to produce useful results, even when the system has had only a written record from which to work.</p>