Shengyi Pan,Lingfeng Bao,Jiayuan Zhou,Xing Hu,Xin Xia,Shanping Li

DOI: https://doi.org/10.1145/3597503.3639110

2024-01-01

Abstract:It is increasingly suggested to identify emerging software vulner-abilities (SVs) through relevant development activities (e.g., issue reports) to allow early warnings to open source software (OSS) users. However, the support for the following assessment of the de-tected SVs has not yet been explored. SV assessment characterizes the detected SVs to prioritize limited remediation resources on the critical ones. To fill this gap, we aim to enable early vulnerability assessment based on SV-related issue reports (SIR). Besides, we observe the following concerns of the existing assessment techniques: 1) the assessment output lacks rationale and practical value; 2) the associations between Common Vulnerability Scoring System (CVSS) metrics have been ignored; 3) insufficient evaluation sce-narios and metrics. We address these concerns to enhance the prac-ticality of our proposed early vulnerability assessment approach (namely proEVA). Specifically, based on the observation of strong associations between CVSS metrics, we propose a prompt-based model to exploit such relations for CVSS metrics prediction. More-over, we design a curriculum-learning (CL) schedule to guide the model better learn such hidden associations during training. Aside from the standard classification metrics adopted in existing works, we propose two severity-aware metrics to provide a more compre-hensive evaluation regarding the prioritization of the high-severe SVs. Experimental results show that proEVA significantly outper-forms the baselines in both types of metrics. We further discuss the transferability of the prediction model regarding the upgrade of the assessment system, an important yet overlooked evaluation scenario in existing works. The results verify that proEVA is more efficient and flexible in migrating to different assessment systems.

Qiuyuan Chen,Lingfeng Bao,Li Li,Xin Xia,Liang Cai

DOI: https://doi.org/10.1109/APSEC.2018.00049

2018-01-01

Abstract:To share vulnerability information across separate databases, tools, and services, newly identified vulnerabilities are recurrently reported to Common Vulnerabilities and Exposures (CVE) database.Unfortunately, not all vulnerability reports will be accepted. Some of them might get rejected or be accepted with disputations.In this work, we refer to those rejected or disputed CVEs as invalid vulnerability reports. Invalid vulnerability reports not only cause unnecessary efforts to confirm the vulnerability but also impact the reputation of the software vendors. In this paper, we aim to understand the root causes of invalid vulnerability reports and build a prediction model to automatically identify them.To this end, we first leverage card sorting to categorize invalid vulnerability reports, from which six main reasons are observed for rejected and disputed CVEs, respectively.Then, we propose a text mining approach to predict the invalid vulnerability reports. Our experiments reveal that the proposed text mining approach can achieve an AUC score of 0.87 for predicting invalid vulnerabilities. We also discuss the implications of our study: our categorization can be used to guide new committer to avoid these traps; some root causes of invalid CVEs can be avoided by using automatic techniques or optimizing reviewing mechanism; invalid vulnerability reports data should not be neglected.

Shengyi Pan,Lingfeng Bao,Xin Xia,David Lo,Shanping Li

DOI: https://doi.org/10.1109/icse48619.2023.00088

2023-01-01

Abstract:Identifying security patches via code commits to allow early warnings and timely fixes for Open Source Software (OSS) has received increasing attention. However, the existing detection methods can only identify the presence of a patch (i.e., a binary classification) but fail to pinpoint the vulnerability type. In this work, we take the first step to categorize the security patches into fine-grained vulnerability types. Specifically, we use the Common Weakness Enumeration (CWE) as the label and perform fine-grained classification using categories at the third level of the CWE tree. We first formulate the task as a Hierarchical Multi-label Classification (HMC) problem, i.e., inferring a path (a sequence of CWE nodes) from the root of the CWE tree to the node at the target depth. We then propose an approach named TREEVUL with a hierarchical and chained architecture, which manages to utilize the structure information of the CWE tree as prior knowledge of the classification task. We further propose a tree structure aware and beam search based inference algorithm for retrieving the optimal path with the highest merged probability. We collect a large security patch dataset from NVD, consisting of 6,541 commits from 1,560 GitHub OSS repositories. Experimental results show that TREEVUL significantly outperforms the best performing baselines, with improvements of 5.9%, 25.0%, and 7.7% in terms of weighted F1-score, macro F1-score, and MCC, respectively. We further conduct a user study and a case study to verify the practical value of TREEVUL in enriching the binary patch detection results and improving the data quality of NVD, respectively.

Yaming Tang,Fei Zhao,Yibiao Yang,Hongmin Lu,Yuming Zhou,Baowen Xu

DOI: https://doi.org/10.1109/QRS.2015.15

2015-01-01

Abstract:In order to identify vulnerable software components, developers can take software metrics as predictors or use text mining techniques to build vulnerability prediction models. A recent study reported that text mining based models have higher recall than software metrics based models. However, this conclusion was drawn without considering the sizes of individual components which affects the code inspection effort to determine whether a component is vulnerable. In this paper, we investigate the predictive power of these two kinds of prediction models in the context of effort-aware vulnerability prediction. To this end, we use the same data sets, containing 223 vulnerabilities found in three web applications, to build vulnerability prediction models. The experimental results show that: (1) in the context of effort-aware ranking scenario, text mining based models only slightly outperform software metrics based models, (2) in the context of effort-aware classification scenario, text mining based models perform similarly to software metrics based models in most cases, and (3) most of the effect sizes (i.e. the magnitude of the differences) between these two kinds of models are trivial. These results suggest that, from the viewpoint of practical application, software metrics based models are comparable to text mining based models. Therefore, for developers, software metrics based models are practical choices for vulnerability prediction, as the cost to build and apply these models is much lower.

Aram Hovsepyan,Riccardo Scandariato,Wouter Joosen,James Walden

DOI: https://doi.org/10.1145/2372225.2372230

2012-01-01

Abstract:Early identification of software vulnerabilities is essential in software engineering and can help reduce not only costs, but also prevent loss of reputation and damaging litigations for a software firm. Techniques and tools for software vulnerability prediction are thus invaluable. Most of the existing techniques rely on using component characteristic(s) (like code complexity, code churn) for the vulnerability prediction. In this position paper, we present a novel approach for vulnerability prediction that leverages on the analysis of raw source code as text, instead of using "cooked" features. Our initial results seem to be very promising as the prediction model achieves an average accuracy of 0.87, precision of 0.85 and recall of 0.88 on 18 versions of a large mobile application.

Yun Zhang,David Lo,Xin Xia,Jianling Sun

DOI: https://doi.org/10.1007/s11704-017-6015-y

IF: 2.6688

2018-01-01

Frontiers of Computer Science

Abstract:To facilitate developers in effective allocation of their testing and debugging efforts, many software defect prediction techniques have been proposed in the literature. These techniques can be used to predict classes that are more likely to be buggy based on the past history of classes, methods, or certain other code elements. These techniques are effective provided that a sufficient amount of data is available to train a prediction model. However, sufficient training data are rarely available for new software projects. To resolve this problem, cross-project defect prediction, which transfers a prediction model trained using data from one project to another, was proposed and is regarded as a new challenge in the area of defect prediction. Thus far, only a few cross-project defect prediction techniques have been proposed. To advance the state of the art, in this study, we investigated seven composite algorithms that integrate multiple machine learning classifiers to improve cross-project defect prediction. To evaluate the performance of the composite algorithms, we performed experiments on 10 open-source software systems from the PROMISE repository, which contain a total of 5,305 instances labeled as defective or clean. We compared the composite algorithms with the combined defect predictor where logistic regression is used as the meta classification algorithm (CODEP (Logistic) ), which is the most recent cross-project defect prediction algorithm in terms of two standard evaluation metrics: cost effectiveness and F-measure. Our experimental results show that several algorithms outperform CODEP (Logistic) : Maximum voting shows the best performance in terms of F-measure and its average F-measure is superior to that of CODEP (Logistic) by 36.88%. Bootstrap aggregation (Bagging (J48)) shows the best performance in terms of cost effectiveness and its average cost effectiveness is superior to that of CODEP (Logistic) by 15.34%.

Benjamin L. Bullough,Anna K. Yanchenko,Christopher L. Smith,Joseph R. Zipkin

DOI: https://doi.org/10.1145/3041008.3041009

2017-07-25

Abstract:Each year, thousands of software vulnerabilities are discovered and reported to the public. Unpatched known vulnerabilities are a significant security risk. It is imperative that software vendors quickly provide patches once vulnerabilities are known and users quickly install those patches as soon as they are available. However, most vulnerabilities are never actually exploited. Since writing, testing, and installing software patches can involve considerable resources, it would be desirable to prioritize the remediation of vulnerabilities that are likely to be exploited. Several published research studies have reported moderate success in applying machine learning techniques to the task of predicting whether a vulnerability will be exploited. These approaches typically use features derived from vulnerability databases (such as the summary text describing the vulnerability) or social media posts that mention the vulnerability by name. However, these prior studies share multiple methodological shortcomings that inflate predictive power of these approaches. We replicate key portions of the prior work, compare their approaches, and show how selection of training and test data critically affect the estimated performance of predictive models. The results of this study point to important methodological considerations that should be taken into account so that results reflect real-world utility.

Cryptography and Security,Applications,Machine Learning

Xiansheng Cao,Junfeng Wang,Peng Wu,Zhiyang Fang

DOI: https://doi.org/10.1049/2024/4313185

2024-03-22

IET Information Security

Abstract:Source code vulnerabilities are one of the significant threats to software security. Existing deep learning-based detection methods have proven their effectiveness. However, most of them extract code information on a single intermediate representation of code (IRC), which often fails to extract multiple information hidden in the code fully, significantly limiting their performance. To address this problem, we propose VulMPFF, a vulnerability detection method that fuses code features under multiple perspectives. It extracts IRC from three perspectives: code sequence, lexical and syntactic relations, and graph structure to capture the vulnerability information in the code, which effectively realizes the complementary information of multiple IRCs and improves vulnerability detection performance. Specifically, VulMPFF extracts serialized abstract syntax tree as IRC from code sequence, lexical and syntactic relation perspective, and code property graph as IRC from graph structure perspective, and uses Bi-LSTM model with attention mechanism and graph neural network with attention mechanism to learn the code features from multiple perspectives and fuse them to detect the vulnerabilities in the code, respectively. We design a dual-attention mechanism to highlight critical code information for vulnerability triggering and better accomplish the vulnerability detection task. We evaluate our approach on three datasets. Experiments show that VulMPFF outperforms existing state-of-the-art vulnerability detection methods (i.e., Rats, FlawFinder, VulDeePecker, SySeVR, Devign, and Reveal) in Acc and F1 score, with improvements ranging from 14.71% to 145.78% and 152.08% to 344.77%, respectively. Meanwhile, experiments in the open-source project demonstrate that VulMPFF has the potential to detect vulnerabilities in real-world environments.

computer science, information systems, theory & methods

Esma Mouine,Yan Liu,Lu Xiao,Rick Kazman,Xiao Wang

2024-06-06

Abstract:There is an increasing trend to mine vulnerabilities from software repositories and use machine learning techniques to automatically detect software vulnerabilities. A fundamental but unresolved research question is: how do different factors in the mining and learning process impact the accuracy of identifying vulnerabilities in software projects of varying characteristics? Substantial research has been dedicated in this area, including source code static analysis, software repository mining, and NLP-based machine learning. However, practitioners lack experience regarding the key factors for building a baseline model of the state-of-the-art. In addition, there lacks of experience regarding the transferability of the vulnerability signatures from project to project. This study investigates how the combination of different vulnerability features and three representative machine learning models impact the accuracy of vulnerability detection in 17 real-world projects. We examine two types of vulnerability representations: 1) code features extracted through NLP with varying tokenization strategies and three different embedding techniques (bag-of-words, word2vec, and fastText) and 2) a set of eight architectural metrics that capture the abstract design of the software systems. The three machine learning algorithms include a random forest model, a support vector machines model, and a residual neural network model. The analysis shows a recommended baseline model with signatures extracted through bag-of-words embedding, combined with the random forest, consistently increases the detection accuracy by about 4% compared to other combinations in all 17 projects. Furthermore, we observe the limitation of transferring vulnerability signatures across domains based on our experiments.

Software Engineering,Artificial Intelligence

Chongyang Liu,Xiang Chen,Xiangwei Li,Yinxing Xue

DOI: https://doi.org/10.1016/j.infsof.2024.107458

IF: 3.9

2024-07-01

Information and Software Technology

Abstract:Context: Due to the prevalence of software vulnerabilities, vulnerability detection becomes a fundamental problem in system security. Objective: To solve this problem, academics and industries have made great efforts to propose deep-learning-based (DL-based) approaches but these attempts have three main limitations: (1) perform poorly on real-world projects (e.g., Accuracy below 74.33% and F1 below 73.55%); (2) perform poorly in catching vulnerable patterns due to incomplete code representations; (3) mostly perform coarse-grained function-level prediction and lack interpretability analysis. Methods: In this paper, we propose VulPCL, a BLSTM and CodeBERT based approach, which makes the first attempt to perform vulnerability prediction, categorization, and localization automatically within a framework. To alleviate the above-mentioned limitations, our VulPCL considers multi-dimension (i.e., text-based, sequence-based, and graph-based) representations to catch latent vulnerable patterns and multi-model training to learn high-level semantics. Results: Through experiments on four real-world datasets containing 114+ CWE (Common Weakness Enumeration) types spanning from 2005 to 2022, we find that our VulPCL outperforms the baselines by (1) 13.51% ∼ 60.64% and 14.34% ∼ 180.23% on Accuracy, and F1 respectively on vulnerability prediction; (2) 10.32% ∼ 46.79%, and 10.71% ∼ 127.80% on Accuracy, and macro-F1 respectively on vulnerability categorization; (3) 9.23% ∼ 36.54% on Top-10 Accuracy on vulnerability localization. Conclusion: These results indicate that our VulPCL is considerably more accurate, effective, fine-grained, and practical than previous studies. Besides, our further analyses show that VulPCL is indeed capable of capturing all vulnerability lines, and the result of line-level vulnerability localization is consistent with the function-level vulnerability prediction as the increase of predicted lines. Thus making VulPCL more interpretable than previous studies. Our additional investigation also shows that VulPCL effectively detects the Most Dangerous 25 CWEs in 2022, which is instructive for security researchers.

computer science, information systems, software engineering

Yuejun Guo,Constantinos Patsakis,Qiang Hu,Qiang Tang,Fran Casino

2024-08-29

Abstract:The significant increase in software production driven by automation and faster development lifecycles has resulted in a corresponding surge in software vulnerabilities. In parallel, the evolving landscape of software vulnerability detection, highlighting the shift from traditional methods to machine learning and large language models (LLMs), provides massive opportunities at the cost of resource-demanding computations. This paper thoroughly analyses LLMs' capabilities in detecting vulnerabilities within source code by testing models beyond their usual applications to study their potential in cybersecurity tasks. We evaluate the performance of six open-source models that are specifically trained for vulnerability detection against six general-purpose LLMs, three of which were further fine-tuned on a dataset that we compiled. Our dataset, alongside five state-of-the-art benchmark datasets, were used to create a pipeline to leverage a binary classification task, namely classifying code into vulnerable and non-vulnerable. The findings highlight significant variations in classification accuracy across benchmarks, revealing the critical influence of fine-tuning in enhancing the detection capabilities of small LLMs over their larger counterparts, yet only in the specific scenarios in which they were trained. Further experiments and analysis also underscore the issues with current benchmark datasets, particularly around mislabeling and their impact on model training and performance, which raises concerns about the current state of practice. We also discuss the road ahead in the field suggesting strategies for improved model training and dataset curation.

Cryptography and Security

Napier, Kollin,Wang, Shaowei

DOI: https://doi.org/10.1007/s10664-022-10276-6

IF: 3.762

2023-02-04

Empirical Software Engineering

Abstract:With an increase in complexity and severity, it is becoming harder to identify and mitigate vulnerabilities. Although traditional tools remain useful, machine learning models are being adopted to expand efforts. To help explore methods of vulnerability detection, we present an empirical study on the effectiveness of text-based machine learning models by utilizing 344 open-source projects, 2,182 vulnerabilities and 38 vulnerability types. With the availability of vulnerabilities being presented in forms such as code snippets, we construct a methodology based on extracted source code functions and create equal pairings. We conduct experiments using seven machine learning models, five natural language processing techniques and three data processing methods. First, we present results based on full context function pairings. Next, we introduce condensed functions and conduct a statistical analysis to determine if there is a significant difference between the models, techniques, or methods. Based on these results, we answer research questions regarding model prediction for testing within and across projects and vulnerability types. Our results show that condensed functions with fewer features may achieve greater prediction results when testing within rather than across. Overall, we conclude that text-based machine learning models are not effective in detecting vulnerabilities within or across projects and vulnerability types.

computer science, software engineering

Xiaoning Du,Bihuan Chen,Yuekang Li,Jianmin Guo,Yaqin Zhou,Yang Liu,Yu Jiang

DOI: https://doi.org/10.48550/arXiv.1901.11479

2020-01-19

Abstract:Identifying potentially vulnerable locations in a code base is critical as a pre-step for effective vulnerability assessment; i.e., it can greatly help security experts put their time and effort to where it is needed most. Metric-based and pattern-based methods have been presented for identifying vulnerable code. The former relies on machine learning and cannot work well due to the severe imbalance between non-vulnerable and vulnerable code or lack of features to characterize vulnerabilities. The latter needs the prior knowledge of known vulnerabilities and can only identify similar but not new types of vulnerabilities. In this paper, we propose and implement a generic, lightweight and extensible framework, LEOPARD, to identify potentially vulnerable functions through program metrics. LEOPARD requires no prior knowledge about known vulnerabilities. It has two steps by combining two sets of systematically derived metrics. First, it uses complexity metrics to group the functions in a target application into a set of bins. Then, it uses vulnerability metrics to rank the functions in each bin and identifies the top ones as potentially vulnerable. Our experimental results on 11 real-world projects have demonstrated that, LEOPARD can cover 74.0% of vulnerable functions by identifying 20% of functions as vulnerable and outperform machine learning-based and static analysis-based techniques. We further propose three applications of LEOPARD for manual code review and fuzzing, through which we discovered 22 new bugs in real applications like PHP, radare2 and FFmpeg, and eight of them are new vulnerabilities.

Software Engineering

Georgios Spanos,Lefteris Angelis

DOI: https://doi.org/10.1016/j.jss.2018.09.039

IF: 3.5

2018-12-01

Journal of Systems and Software

Abstract:Software vulnerabilities constitute a great risk for the IT community. The specification of the vulnerability characteristics is a crucial procedure, since the characteristics are used as input for a plethora of vulnerability scoring systems. Currently, the determination of the specific characteristics -that represent each vulnerability- is a process that is performed manually by the IT security experts. However, the vulnerability description can be very informative and useful to predict vulnerability characteristics. The primary goal of this research is the enhancement, the acceleration and the support of the manual procedure of the vulnerability characteristic assignment. To achieve this goal, a model, which combines texts analysis and multi-target classification techniques was developed. This model estimates the vulnerability characteristics and subsequently, calculates the vulnerability severity scores from the predicted characteristics. To perform the present research, a dataset that contains 99,091 records from a large -publicly available- vulnerability database was used. The results are encouraging, since they show accuracy in the prediction of the vulnerability characteristics and scores.

computer science, theory & methods, software engineering

Jacob A. Harer,Louis Y. Kim,Rebecca L. Russell,Onur Ozdemir,Leonard R. Kosta,Akshay Rangamani,Lei H. Hamilton,Gabriel I. Centeno,Jonathan R. Key,Paul M. Ellingwood,Erik Antelman,Alan Mackay,Marc W. McConley,Jeffrey M. Opper,Peter Chin,Tomo Lazovich

DOI: https://doi.org/10.48550/arXiv.1803.04497

2018-02-14

Software Engineering

Abstract:Thousands of security vulnerabilities are discovered in production software each year, either reported publicly to the Common Vulnerabilities and Exposures database or discovered internally in proprietary code. Vulnerabilities often manifest themselves in subtle ways that are not obvious to code reviewers or the developers themselves. With the wealth of open source code available for analysis, there is an opportunity to learn the patterns of bugs that can lead to security vulnerabilities directly from data. In this paper, we present a data-driven approach to vulnerability detection using machine learning, specifically applied to C and C++ programs. We first compile a large dataset of hundreds of thousands of open-source functions labeled with the outputs of a static analyzer. We then compare methods applied directly to source code with methods applied to artifacts extracted from the build process, finding that source-based models perform better. We also compare the application of deep neural network models with more traditional models such as random forests and find the best performance comes from combining features learned by deep models with tree-based models. Ultimately, our highest performing model achieves an area under the precision-recall curve of 0.49 and an area under the ROC curve of 0.87.

Yong Fang,Yongcheng Liu,Cheng Huang,Liang Liu

DOI: https://doi.org/10.1371/journal.pone.0228439

IF: 3.7

2020-02-06

PLoS ONE

Abstract:In recent years, the number of vulnerabilities discovered and publicly disclosed has shown a sharp upward trend. However, the value of exploitation of vulnerabilities varies for attackers, considering that only a small fraction of vulnerabilities are exploited. Therefore, the realization of quick exclusion of the non-exploitable vulnerabilities and optimal patch prioritization on limited resources has become imperative for organizations. Recent works using machine learning techniques predict exploited vulnerabilities by extracting features from open-source intelligence (OSINT). However, in the face of explosive growth of vulnerability information, there is room for improvement in the application of past methods to multiple threat intelligence. A more general method is needed to deal with various threat intelligence sources. Moreover, in previous methods, traditional text processing methods were used to deal with vulnerability related descriptions, which only grasped the static statistical characteristics but ignored the context and the meaning of the words of the text. To address these challenges, we propose an exploit prediction model, which is based on a combination of fastText and LightGBM algorithm and called fastEmbed. We replicate key portions of the state-of-the-art work of exploit prediction and use them as benchmark models. Our model outperforms the baseline model whether in terms of the generalization ability or the prediction ability without temporal intermixing with an average overall improvement of 6.283% by learning the embedding of vulnerability-related text on extremely imbalanced data sets. Besides, in terms of predicting the exploits in the wild, our model also outperforms the baseline model with an F1 measure of 0.586 on the minority class (33.577% improvement over the work using features from darkweb/deepweb). The results demonstrate that the model can improve the ability to describe the exploitability of vulnerabilities and predict exploits in the wild effectively.

Gul Jabeen,Xi Yang,Ping Luo

DOI: https://doi.org/10.1504/ijics.2021.116302

2021-01-01

Abstract:Software vulnerabilities primarily constitute security risks. Commonalities between faults and vulnerabilities prompt developers to utilise traditional fault prediction models and metrics for vulnerability prediction. Although traditional models can predict the number of vulnerabilities and their occurrence time, they fail to accurately determine the seriousness of vulnerabilities, impacts, and severity level. To address these deficits, we propose a method for predicting software vulnerabilities based on a Markov chain model, which offers a more comprehensive descriptive model with the potential to accurately predict vulnerability type, i.e., the seriousness of the vulnerabilities. The experiments are performed using real vulnerability data of three types of popular software: Windows 10, Adobe Flash Player and Firefox. Our model is shown to produce accurate predictive results.

Philipp Kuehn,David N. Relke,Christian Reuter

DOI: https://doi.org/10.48550/arXiv.2210.02143

2022-10-05

Cryptography and Security

Abstract:The number of newly published vulnerabilities is constantly increasing. Until now, the information available when a new vulnerability is published is manually assessed by experts using a Common Vulnerability Scoring System (CVSS) vector and score. This assessment is time consuming and requires expertise. Various works already try to predict CVSS vectors or scores using machine learning based on the textual descriptions of the vulnerability to enable faster assessment. However, for this purpose, previous works only use the texts available in databases such as National Vulnerability Database. With this work, the publicly available web pages referenced in the National Vulnerability Database are analyzed and made available as sources of texts through web scraping. A Deep Learning based method for predicting the CVSS vector is implemented and evaluated. The present work provides a classification of the National Vulnerability Database's reference texts based on the suitability and crawlability of their texts. While we identified the overall influence of the additional texts is negligible, we outperformed the state-of-the-art with our Deep Learning prediction models.

Shaji, Lijin,Pramila, R. Suji

DOI: https://doi.org/10.1007/s10878-024-01185-z

2024-08-23

Journal of Combinatorial Optimization

Abstract:Software vulnerabilities are flaws that may be exploited to cause loss or harm. Various automated machine-learning techniques have been developed in preceding studies to detect software vulnerabilities. This work tries to develop a technique for securing the software on the basis of their vulnerabilities that are already known, by developing a hybrid deep learning model to detect those vulnerabilities. Moreover, certain countermeasures are suggested based on the types of vulnerability to prevent the attack further. For different software projects taken as the dataset, feature fusion is done by utilizing canonical correlation analysis together with Deep Residual Network (DRN). A hybrid deep learning technique trained using AdamW-Rat Swarm Optimizer (AdamW-RSO) is designed to detect software vulnerability. Hybrid deep learning makes use of the Deep Belief Network (DBN) and Generative Adversarial Network (GAN). For every vulnerability, its location of occurrence within the software development procedures and techniques of alleviation via implementation level or design level activities are described. Thus, it helps in understanding the appearance of vulnerabilities, suggesting the use of various countermeasures during the initial phases of software design, and therefore, assures software security. Evaluating the performance of vulnerability detection by the proposed technique regarding recall, precision, and f-measure, it is found to be more effective than the existing methods.

mathematics, applied,computer science, interdisciplinary applications

Xue Yuan,Guanjun Lin,Huan Mei,Yonghang Tai,Jun Zhang

DOI: https://doi.org/10.1016/j.jisa.2024.103718

IF: 4.96

2024-02-15

Journal of Information Security and Applications

Abstract:Vulnerability identification is crucial to protecting software systems from attacks. Although numerous learning-based solutions have been suggested to assist in vulnerability identification, these approaches often face challenges due to the scarcity of real-world vulnerability data. To extract as much vulnerability information as possible from limited data, we consider obtaining the characteristics of vulnerabilities from different forms of code by leveraging two distinct deep neural models. First, source code functions are considered to be textual sequences, and Gated Recurrent Unit (GRU) is applied to extract serialized features. Then, Syntax Trees (ASTs) of these functions, which reflects the code structure, are fed to a Gated Graph Recurrent Network (GGRN) to obtain structural features indicative of software vulnerability. To better handle data imbalance issues in real-world scenarios, we employ Random Forest (RF) to construct a predictive model to learn the concatenation of serialized and structural features extracted by GRU and GGRN. To evaluate the proposed approach, we collected 12 open-source projects containing function-level samples and compared the proposed method with a series of baselines, including popular learning-based methods and static analysis tools. The empirical results demonstrate that our proposed approach outperforms the baselines and can identify more vulnerabilities.

computer science, information systems