Chao Ni,Xinrong Guo,Yan Zhu,Xiaodan Xu,Xiaohu Yang

DOI: https://doi.org/10.1109/ase56229.2023.00084

2024-01-01

Abstract:Software vulnerabilities damage the functionality of software systems. Recently, many deep learning-based approaches have been proposed to detect vulnerabilities at the function level by using one or a few different modalities (e.g., text representation, graph-based representation) of the function and have achieved promising performance. However, some of these existing studies have not completely leveraged these diverse modalities, particularly the underutilized image modality, and the others using images to represent functions for vulnerability detection have not made adequate use of the significant graph structure underlying the images. In this paper, we propose MVulD, a multi-modal-based function-level vulnerability detection approach, which utilizes multi-modal features of the function (i.e., text representation, graph representation, and image representation) to detect vulnerabilities. Specifically, MVulD utilizes a pre-trained model (i.e., UniXcoder) to learn the semantic information of the textual source code, employs the graph neural network to distill graph-based representation, and makes use of computer vision techniques to obtain the image representation while retaining the graph structure of the function. We conducted a large-scale experiment on 25,816 functions. The experimental results show that MVulD improves four state-of-the-art baselines by 30.8%-81.3%, 12.8%-27.4%, 48.8%-115%, and 22.9%-141% in terms of F1-score, Accuracy, Precision, and PR-AUC respectively.

Yun Zhang,David Lo,Xin Xia,Bowen Xu,Jianling Sun,Shanping Li

DOI: https://doi.org/10.1109/ICECCS.2015.15

2015-01-01

Abstract:In recent years, to help developers reduce time and effort required to build highly secure software, a number of prediction models which are built on different kinds of features have been proposed to identify vulnerable source code files. In this paper, we propose a novel approach VULPREDICTOR to predict vulnerable files, it analyzes software metrics and text mining together to build a composite prediction model. VULPREDICTOR first builds 6 underlying classifiers on a training set of vulnerable and non-vulnerable files represented by their software metrics and text features, and then constructs a meta classifier to process the outputs of the 6 underlying classifiers. We evaluate our solution on datasets from three web applications including Drupal, PHPMyAdmin and Moodle which contain a total of 3,466 files and 223 vulnerabilities. The experiment results show that VULPREDICTOR can achieve F1 and EffectivenessRatio@20% scores of up to 0.683 and 75%, respectively. On average across the 3 projects, VULPREDICTOR improves the F1 and EffectivenessRatio@20% scores of the best performing state-of-the-art approaches proposed by Walden et al. by 46.53% and 14.93%, respectively.

Xue Yuan,Guanjun Lin,Huan Mei,Yonghang Tai,Jun Zhang

DOI: https://doi.org/10.1016/j.jisa.2024.103718

IF: 4.96

2024-02-15

Journal of Information Security and Applications

Abstract:Vulnerability identification is crucial to protecting software systems from attacks. Although numerous learning-based solutions have been suggested to assist in vulnerability identification, these approaches often face challenges due to the scarcity of real-world vulnerability data. To extract as much vulnerability information as possible from limited data, we consider obtaining the characteristics of vulnerabilities from different forms of code by leveraging two distinct deep neural models. First, source code functions are considered to be textual sequences, and Gated Recurrent Unit (GRU) is applied to extract serialized features. Then, Syntax Trees (ASTs) of these functions, which reflects the code structure, are fed to a Gated Graph Recurrent Network (GGRN) to obtain structural features indicative of software vulnerability. To better handle data imbalance issues in real-world scenarios, we employ Random Forest (RF) to construct a predictive model to learn the concatenation of serialized and structural features extracted by GRU and GGRN. To evaluate the proposed approach, we collected 12 open-source projects containing function-level samples and compared the proposed method with a series of baselines, including popular learning-based methods and static analysis tools. The empirical results demonstrate that our proposed approach outperforms the baselines and can identify more vulnerabilities.

computer science, information systems

Wenlin Xu,Tong Li,Jinsong Wang,Haibo Duan,Yahui Tang

DOI: https://doi.org/10.1109/trustcom60117.2023.00129

2024-01-01

Abstract:Software vulnerabilities detection is crucial in cyber security which protects the software systems from malicious attacks. The majority of earlier techniques relied on security professionals to provide software features before training a classification or regression model on the features to find vulnerabilities. However, defining software features and collecting high-quality labeled vulnerabilities for training are both time consuming. To handle these issues, in this paper, we propose an unsupervised and effective method for extracting software features and detecting software vulnerabilities automatically. Firstly, we obtain software features and build a new pre-trained BERT model through constructing C/C++ vocabulary and pre-training on software source code. We then fine-tune the pre-trained BERT model with a deep autoencoder and create low-dimensional embedding from the software features. We finally apply a clustering-based outlier detection method on the embedding to detect vulnerabilities. We evaluate our method on five datasets with programs written in C/C++, experimental results show that our method outperforms state-of-the-art software vulnerability detection methods.

Aidong Xu,Tao Dai,Huajun Chen,Zhe Ming,Weining Li

DOI: https://doi.org/10.1109/icsai.2018.8599360

2018-01-01

Abstract:With the development of Internet technology, software vulnerabilities have become a major threat to current computer security. In this work, we propose the vulnerability detection for source code using Contextual LSTM. Compared with CNN and LSTM, we evaluated the CLSTM on 23185 programs, which are collected from SARD. We extracted the features through the program slicing. Based on the features, we used the natural language processing to analysis programs with source code. The experimental results demonstrate that CLSTM has the best performance for vulnerability detection, reaching the accuracy of 96.711% and the F1 score of 0.96984.

Jacob A. Harer,Louis Y. Kim,Rebecca L. Russell,Onur Ozdemir,Leonard R. Kosta,Akshay Rangamani,Lei H. Hamilton,Gabriel I. Centeno,Jonathan R. Key,Paul M. Ellingwood,Erik Antelman,Alan Mackay,Marc W. McConley,Jeffrey M. Opper,Peter Chin,Tomo Lazovich

DOI: https://doi.org/10.48550/arXiv.1803.04497

2018-02-14

Software Engineering

Abstract:Thousands of security vulnerabilities are discovered in production software each year, either reported publicly to the Common Vulnerabilities and Exposures database or discovered internally in proprietary code. Vulnerabilities often manifest themselves in subtle ways that are not obvious to code reviewers or the developers themselves. With the wealth of open source code available for analysis, there is an opportunity to learn the patterns of bugs that can lead to security vulnerabilities directly from data. In this paper, we present a data-driven approach to vulnerability detection using machine learning, specifically applied to C and C++ programs. We first compile a large dataset of hundreds of thousands of open-source functions labeled with the outputs of a static analyzer. We then compare methods applied directly to source code with methods applied to artifacts extracted from the build process, finding that source-based models perform better. We also compare the application of deep neural network models with more traditional models such as random forests and find the best performance comes from combining features learned by deep models with tree-based models. Ultimately, our highest performing model achieves an area under the precision-recall curve of 0.49 and an area under the ROC curve of 0.87.

Lei Cui,Zhiyu Hao,Yang Jiao,Haiqiang Fei,Xiaochun Yun

DOI: https://doi.org/10.1109/tifs.2020.3047756

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Code similarity is one promising approach to detect vulnerabilities hidden in software programs. However, due to the complexity and diversity of source code, current methods suffer low accuracy, high false negative and poor performance, especially in analyzing a large program. In this paper, we propose to tackle these problems by presenting VulDetector, a static-analysis tool to detect C/C++ vulnerabilities based on graph comparison at the granularity of function. At the key of VulDetector is a weighted feature graph (WFG) model which characterizes function with a small yet semantically rich graph. It first pinpoints vulnerability-sensitive keywords to slice the control flow graph of a function, thereby reducing the graph size without compromising security-related semantics. Then, each sliced subgraph is characterized using WFG, which provides both syntactic and semantic features in varying degrees of security. As for graph comparison, we take full usage of vulnerability graph and patch graph to improve accuracy. In addition, we propose two optimization methods based on analysis of vulnerabilities. We have implemented VulDetector to automatically detect vulnerabilities in software programs with known vulnerabilities. The experimental results prove the effectiveness and efficiency of VulDetector.

Yan Wang,Peng Jia,Xi Peng,Cheng Huang,Jiayong Liu

DOI: https://doi.org/10.1016/j.cose.2022.103023

IF: 5.105

2022-01-01

Computers & Security

Abstract:Static detection of security vulnerabilities in binary programs is an important research field in software supply chain security. However, existing vulnerability detection methods based on code similarity can only detect known vulnerabilities. Vulnerability features generated by vulnerability pattern-based detection methods are low robust due to the influence of manually defined patterns, compiler diversity, and irrelevant function instructions. In this paper, we propose BinVulDet, which is a binary level vulnerability detection tool for accurate known and unknown vulnerability detection. BinVulDet uses decompilation techniques to obtain pseudo code containing high-level semantic information against the impact of compilation diversity. Then the program slicing technique is used to extract the statements with data dependencies and control dependencies related to the vulnerability. A BiLSTM-attention neural network is used to extract rich contextual semantic information from slice codes to generate more robust vulnerability patterns to detect vulnerabilities. The experimental results show that BinVulDet outperforms the state-of-the-art binary vulnerability detection methods. The FPR and FNR of BinVulDet are 1.04% and 0.89% on average, respectively, which are 3.93% and 22.86% lower than the baseline model on average. BinVulDet can effectively against the influence of compilation diversity and successfully be used for real-world vulnerability detection by being evaluated in three CVE vulnerability projects.

Wenlin Xu,Tong Li,Jinsong Wang,Tao Fu,Yahui Tang

DOI: https://doi.org/10.1007/978-981-99-9119-8_11

2024-01-01

Abstract:Detecting software vulnerabilities is a crucial part of software security. At present, the most commonly used methods are to train supervised classification or regression models from the source code to detect vulnerabilities, which require lots of high-quality labeled vulnerabilities. However, high-quality labeled vulnerabilities are not easy to be obtained in practical applications. To alleviate this problem, we present an effective and unsupervised method to detect software vulnerabilities. We first propose a new source code representation that maintains both the source code’s natural language information and high-level programming logic information, and then we effectively embed the software function into a compact and low-dimensional representation based on hierarchical graph attention network. Finally, we obtain vulnerabilities by applying an outlier detection algorithm on the low-dimensional representation. We carry out extensive experiments on six datasets and the effectiveness of our proposed method is demonstrated by the experimental results.

Aram Hovsepyan,Riccardo Scandariato,Wouter Joosen,James Walden

DOI: https://doi.org/10.1145/2372225.2372230

2012-01-01

Abstract:Early identification of software vulnerabilities is essential in software engineering and can help reduce not only costs, but also prevent loss of reputation and damaging litigations for a software firm. Techniques and tools for software vulnerability prediction are thus invaluable. Most of the existing techniques rely on using component characteristic(s) (like code complexity, code churn) for the vulnerability prediction. In this position paper, we present a novel approach for vulnerability prediction that leverages on the analysis of raw source code as text, instead of using "cooked" features. Our initial results seem to be very promising as the prediction model achieves an average accuracy of 0.87, precision of 0.85 and recall of 0.88 on 18 versions of a large mobile application.

Zhen Huang,Amy Aumpansub

2024-05-28

Abstract:Deep learning has been shown to be a promising tool in detecting software vulnerabilities. In this work, we train neural networks with program slices extracted from the source code of C/C++ programs to detect software vulnerabilities. The program slices capture the syntax and semantic characteristics of vulnerability-related program constructs, including API function call, array usage, pointer usage, and arithmetic expression. To achieve a strong prediction model for both vulnerable code and non-vulnerable code, we compare different types of training data, different optimizers, and different types of neural networks. Our result shows that combining different types of characteristics of source code and using a balanced number of vulnerable program slices and non-vulnerable program slices produce a balanced accuracy in predicting both vulnerable code and non-vulnerable code. Among different neural networks, BGRU with the ADAM optimizer performs the best in detecting software vulnerabilities with an accuracy of 92.49%.

Cryptography and Security,Machine Learning

Yulun Wu,Ming Wen,Zeliang Yu,Xiaochen Guo,Hai Jin

DOI: https://doi.org/10.1145/3691620.3695013

2024-01-01

Abstract:Open-source software (OSS) has profoundly transformed the software development paradigm by facilitating effortless code reuse. However, in recent years, there has been an alarming increase in disclosed vulnerabilities within OSS, posing significant security risks to downstream users. Therefore, analyzing existing vulnerabilities and precisely assessing their threats to downstream applications become pivotal. Plenty of efforts have been made recently towards this problem, such as vulnerability reachability analysis and vulnerability reproduction. The key to these tasks is identifying the vulnerable function (i.e., the function where the root cause of a vulnerability resides). However, public vulnerability datasets (e.g., NVD) rarely include this information as pinpointing the exact vulnerable functions remains to be a longstanding challenge. Existing methods mainly detect vulnerable functions based on vulnerability patches or Proof-of-Concept (PoC). However, such methods face significant limitations due to data availability and the requirement for extensive manual efforts, thus hindering scalability. To address this issue, we propose a novel approach VFFinder that localizes vulnerable functions based on Common Vulnerabilities and Exposures (CVE) descriptions and the corresponding source code utilizing Large Language Models (LLMs). Specifically, VFFinder adopts a customized in-context learning (ICL) approach based on CVE description patterns to enable LLM to extract key entities. It then performs priority matching with the source code to localize vulnerable functions. We assess the performance of VFFinder on 75 large open-source projects. The results demonstrate that VFFinder surpasses existing baselines significantly. Notably, the Top-1 and MRR metrics have been improved substantially, averaging 4.25X and 2.37X respectively. We also integrate VFFinder with Software Composition Analysis (SCA) tools, and the results show that our tool can reduce the false positive rates of existing SCA tools significantly.

Napier, Kollin,Wang, Shaowei

DOI: https://doi.org/10.1007/s10664-022-10276-6

IF: 3.762

2023-02-04

Empirical Software Engineering

Abstract:With an increase in complexity and severity, it is becoming harder to identify and mitigate vulnerabilities. Although traditional tools remain useful, machine learning models are being adopted to expand efforts. To help explore methods of vulnerability detection, we present an empirical study on the effectiveness of text-based machine learning models by utilizing 344 open-source projects, 2,182 vulnerabilities and 38 vulnerability types. With the availability of vulnerabilities being presented in forms such as code snippets, we construct a methodology based on extracted source code functions and create equal pairings. We conduct experiments using seven machine learning models, five natural language processing techniques and three data processing methods. First, we present results based on full context function pairings. Next, we introduce condensed functions and conduct a statistical analysis to determine if there is a significant difference between the models, techniques, or methods. Based on these results, we answer research questions regarding model prediction for testing within and across projects and vulnerability types. Our results show that condensed functions with fewer features may achieve greater prediction results when testing within rather than across. Overall, we conclude that text-based machine learning models are not effective in detecting vulnerabilities within or across projects and vulnerability types.

computer science, software engineering

Hongyu Yang,Haiyun Yang,Liang Zhang,Xiang Cheng

DOI: https://doi.org/10.1109/trustcom56396.2022.00070

2022-01-01

Abstract:Aiming at the fact that the existing source code vulnerability detection methods did not explicitly maintain the semantic information related to the vulnerability in the source code, which made it difficult for the vulnerability detection model to extract the vulnerability sentence features and had a high detection false positive rate, a source code vulnerability detection method based on the vulnerability dependency graph is proposed. Firstly, the candidate vulnerability sentences of the function were matched, and the vulnerability dependency representation graph corresponding to the function was generated by analyzing the multi-layer control dependencies and data dependencies of the candidate vulnerability sentences. Secondly, abstracted the function name and variable name of the code sentences node and generated the initial representation vector of the code sentence nodes in the vulnerability dependency representation graph. Finally, the source code vulnerability detection model based on the heterogeneous graph transformer was used to learn the context information of the code sentence nodes in the vulnerability dependency representation graph. In this paper, the proposed method was verified on three datasets. The experimental results show that the proposed method have better performance in source code vulnerability detection, and the recall rate is increased by 1.50%~22.27%, and the F1 score is increased by 1.86%~16.69%, which is better than the existing methods.

LI Yan,QIANG Weizhong,LI Zhen,ZOU Deqing,JIN Hai

DOI: https://doi.org/10.11959/j.issn.2096-109x.2023085

2023-01-01

Abstract:In recent years,software vulnerabilities have been causing a multitude of security incidents,and the early discovery and patching of vulnerabilities can effectively reduce losses.Traditional rule-based vulnerability detection methods,relying upon rules defined by experts,suffer from a high false negative rate.Deep learning-based methods have the capability to automatically learn potential features of vulnerable programs.However,as software complexity increases,the precision of these methods decreases.On one hand,current methods mostly operate at the function level,thus unable to handle inter-procedural vulnerability samples.On the other hand,models such as BGRU and BLSTM exhibit performance degradation when confronted with long input sequences,and are not adept at capturing long-term dependencies in program statements.To address the aforementioned issues,the existing program slicing method has been optimized,enabling a comprehensive contextual analysis of vulnerabilities triggered across functions through the combination of intra-procedural and inter-procedural slicing.This facilitated the capture of the complete causal relationship of vulnerability triggers.Furthermore,a vulnerability detection task was conducted using a Transformer neural network architecture equipped with a multi-head attention mechanism.This architecture collectively focused on information from different representation subspaces,allowing for the extraction of deep features from nodes.Unlike recurrent neural networks,this approach resolved the issue of information decay and effectively learned the syntax and semantic information of the source program.Experimental results demonstrate that this method achieves an F1 score of 73.4%on a real software dataset.Compared to the comparative methods,it shows an improvement of 13.6%to 40.8%.Furthermore,it successfully detects several vulnerabilities in open-source software,confirming its effectiveness and applicability.

Xin Li,Lu Wang,Yang Xin,Yixian Yang,Qifeng Tang,Yuling Chen

DOI: https://doi.org/10.3390/app11073201

2021-01-01

Applied Sciences

Abstract:Vulnerabilities threaten the security of information systems. It is crucial to detect and patch vulnerabilities before attacks happen. However, existing vulnerability detection methods suffer from long-term dependency, out of vocabulary, bias towards global features or local features, and coarse detection granularity. This paper proposes an automatic vulnerability detection framework in source code based on a hybrid neural network. First, the inputs are transformed into an intermediate representation with explicit structure information using lower level virtual machine intermediate representation (LLVM IR) and backward program slicing. After the transformation, the size of samples and the size of vocabulary are significantly reduced. A hybrid neural network model is then applied to extract high-level features of vulnerability, which learns features both from convolutional neural networks (CNNs) and recurrent neural networks (RNNs). The former is applied to learn local vulnerability features, such as buffer size. Furthermore, the latter is utilized to learn global features, such as data dependency. The extracted features are made up of concatenated outputs of CNN and RNN. Experiments are performed to validate our vulnerability detection method. The results show that our proposed method achieves excellent results with F1-scores of 98.6% and accuracy of 99.0% on the SARD dataset. It outperforms state-of-the-art methods.

Yuanming Huang,Mingshu He,Xiaojuan Wang,Jie Zhang

DOI: https://doi.org/10.1109/tifs.2024.3457162

2024-01-01

Abstract:Vulnerability detection in source code has been a focal point of research in recent years. Traditional rule-based methods fail to identify complex and unknown vulnerabilities, leading to poor performance. While deep learning (DL)-based methods have improved these shortcomings, there is still room for enhancement. For C/C++ source code, effective vulnerability detection requires considering both the information in code statements and the structural information of the code. Graph-based code representation methods can address this need, but existing approaches often use homogeneous graphs that do not differentiate between various types of code statements or dependencies. Few methods use heterogeneous graphs for C/C++ code representation. This study explores this potential and proposes a new C/C++ vulnerability detection method named HeVulD. HeVulD introduces two node definition approaches and a key-node-based program slicing method, generating heterogeneous graph representations for source code. These representations consist of both heterogeneous nodes and edges, providing a more precise representation of source code. HeVulD achieves an F1-score of 96.4% on the SARD dataset, outperforming nine baseline C/C++ vulnerability detection methods. HeVulD has been tested under adversarial attack scenarios to assess its robustness. Additionally, HeVulD has been tested on ten open-source software projects and the latest CVEs, demonstrating its detection and generalization capabilities in real-world scenarios and its ability to identify unknown vulnerabilities.

Jin Wang,Hui Xiao,Shuwen Zhong,Yinhao Xiao

DOI: https://doi.org/10.1016/j.future.2023.05.016

IF: 7.307

2023-05-28

Future Generation Computer Systems

Abstract:Software vulnerabilities can pose severe harms to a computing system. They can lead to system crash, privacy leakage, or even physical damage. Correctly identifying vulnerabilities among enormous software codes in a timely manner is so far the essential prerequisite to patch them. Unfortantely, the current vulnerability identification methods, either the classic ones or the deep-learning-based ones, have several critical drawbacks, making them unable to meet the present-day demands put forward by the software industry. To overcome the drawbacks, in this paper, we propose DeepVulSeeker, a novel fully automated vulnerability identification framework, which leverages both code graph structures and the semantic features with the help of the recently advanced Graph Representation Self-Attention and pre-training mechanisms. Our experiments show that DeepVulSeeker not only reaches an accuracy as high as 0.99 on traditional CWE datasets, but also outperforms all other exisiting methods on two highly-complicated datasets. We also testified DeepVulSeeker based on three case studies, and found that DeepVulSeeker is able to understand the implications of the vulnerbilities. We have fully implemented DeepVulSeeker and open-sourced it for future follow-up research.

computer science, theory & methods

Xuejun Zhang,Bo Zhou,Zhuo Chen,Meifeng Guo,Xiaogang Du,Xiaohong Jia,Wanrong Bai

DOI: https://doi.org/10.21203/rs.3.rs-4893837/v1

2024-01-01

Abstract:Thriving and widespread use of the open-source software community makes software vulnerabilities spread a lot, which brings serious challenges to the system security. Recently, a number of vulnerability detection methods based on deep learning have been proposed to help engineers analyze and patch vulnerabilities efficiently. However, these existing approaches still suffer from limitations in extracting rich features from vulnerability code. Aiming at the above problems, we propose VulD-SG, a dual-channel software code vulnerability detection method based on deep sequence and graph model. VulD-SG enhances the semantic, syntactic and structural features extraction ability of the source code by introducing the deep sequence-based and graph-based vulnerability feature extraction module. To address the problem of the coarse detection granularity in the traditional methods, VulD-SG slices code statements into subtokens with a new decomposition algorithm to capture the detailed vulnerability information. Meanwhile, Transformer-style encoder is utilized in graph-based vulnerability feature extraction module to aggregate program dependency graph (PDG) nodes to learn the long-range dependence of cross-function code effectively. Finally, we build a fusion model to merge the training parameters and achieve fine-grained prediction results. The experiments result show that Acc, F1, and Recall metrics were improved by 2.6\%~27\%, 2\%~29.2\%, and 1\%~30.25\% respectively on five different vulnerability datasets compared with seven vulnerability detection models based on deep learning.

Wenjing Cai,Junlin Chen,Jiaping Yu,Lipeng Gao

DOI: https://doi.org/10.1016/j.infsof.2023.107328

IF: 3.9

2023-12-01

Information and Software Technology

Abstract:The increasing size and complexity of software programs have made them an integral part of modern society’s infrastructure, making software vulnerabilities a major threat to computer security. To address this issue, the use of deep learning-based software vulnerability detection methods has become increasingly popular. Although the effectiveness of the deep learning-based methods has been demonstrated, these methods have faced challenges in scalability and detection performance. To tackle this challenge, we propose a new vulnerability detection method based on deep learning with complex network analysis and subgraph partition that enhances detection accuracy while maintaining scalability. The method uses complex network analysis theory to convert the CPG into an image-like matrix, and then utilizes TextCNN for vulnerability detection. As a result, our method shows a 6% improvement in accuracy and a 10% reduction in false positive rates compared to state-of-the-art methods. In addition, our approach is able to detect some of the vulnerabilities recently released by CVE.

computer science, information systems, software engineering