Kedi Shen,Yun Zhang,Lingfeng Bao,Zhiyuan Wan,Zhuorong Li,Minghui Wu

DOI: https://doi.org/10.1109/ICSE-COMPANION58688.2023.00049

2023-01-01

Abstract:With the rapid development of open source projects, the continuous emergence of vulnerabilities in the project brings great challenges to the security of the project. Security patches are one of the best ways to deal with vulnerabilities, but are not well applied currently. Although there are sites like CVE/NVD that provide information about vulnerabilities, many of the vulnerabilities disclosed by CVE/NVD are not accompanied by security patches. This makes it difficult for developers to apply patches. In the present study, a sorting method based on extracting multidimensional features from auxiliary information in CVE/NVD was proposed. And we made a further step, we proposed VCMATCH, a model for mining semantic information in vulnerability description and code commit messages, which has good recall rate and applicability across projects. On this basis, we established Patchmatch, a tool for helping developers to quickly locate patches. Given a vulnerability, Patchmatch can forecast the implicit patches in the code repository's commits. Patchmatch also has a visual webpage for information statistics and a display web page to help developers manage all kinds of information in the code repository. A demo video of Patchmatch is at https://www.youtube.com/watch?v=nOBSMFtZV8A. Patchmatch is in https://github.com/Sklud1456/patchmatch.

J. Arthur Gowan,Richard G. Mathieu,Jie Chen

2004-01-01

Abstract:There is an ongoing debate about the magnitude and characteristics of software vulnerabilities found in open-source versus proprietary software. A software vulnerability is defined as a flaw in a piece of software that has been discovered and exploited. Once publicized, typically by an electronic announcement, the vulnerability is posted to one of several competing online security information services. The software vendor will then respond with a scripted patch or remediation. Data related to software vulnerabilities is available publicly (i.e., CERT, SecurityTracker, Mitre, and SANS) and is often stored in an XML format. However, XML presents several challenges for text mining software. The purpose of this paper is to describe a method for mining XML data that sufficiently addresses these concerns in the context of software vulnerability research. Preliminary results are presented.

Junaid Akram,Ping Luo

DOI: https://doi.org/10.1002/spe.2905

2020-01-01

Software Practice and Experience

Abstract:SummaryVulnerability detection and exploit is becoming a very important part of security, especially in malware code delivery, hacking a system, efforts to create patches, improving the source code, or updating a software. Vulnerabilities in applications, including browsers, media players, online services, document readers, and so forth. are often exploited and cause a serious damage. In this article, we propose a vulnerability detection technique to detect vulnerabilities in software, as well as shared libraries at source code level. We crawl the vulnerable source code by tracing and locating the patch files from different web sources according to their CVE‐numbers and built a fingerprint index of 2931 vulnerable files. Then we developed a vulnerability detection approach based on code clone detection technique and detect hundreds of vulnerabilities in thousands of GitHub open source projects, which are not noticed before as vulnerable. We detected vulnerabilities in some very famous recently available software, including latest version of Linux, HTC‐kernel, FindX‐8.1‐kernel, and in 7‐TB of C/C++ source code (152,823 open source projects). In this study, we discuss some of the very high severity level (CVSS) vulnerabilities that are detected by our approach. Furthermore, we performed an empirical evaluation and verification on these vulnerabilities, including intraproject clone vulnerabilities, copied‐kernel clone vulnerabilities, and library‐used clone vulnerabilities. Our technique is very fast, efficient, reliable, practical, scalable, and can be implemented at industrial level. The comparison with the state‐of‐the‐art tools shows the effectiveness of our approach.

Cho Do Xuan,Dao Hoang Mai,Ma Cong Thanh,Bui Van Cong

DOI: https://doi.org/10.1007/s11227-023-05282-4

IF: 3.3

2023-05-05

The Journal of Supercomputing

Abstract:Improving and enhancing the effectiveness of software vulnerability detection methods is urgently needed today. In this study, we propose a new source code vulnerability detection method based on intelligent and advanced computational algorithms. It's a combination of four main processing techniques including (i) Source Embedding, (ii) Feature Learning, (iii) Resampling Data, and (iv) Classification. The Source Embedding method will perform the task of analyzing and standardizing the source code based on the Joern tool and the data mining algorithm. The Feature Learning model has the function of aggregating and extracting source code attribute based on node using machine learning and deep learning methods. The Resampling Data technique will perform equalization of the experimental dataset. Finally, the Classification model has the function of detecting source code vulnerabilities. The novelty and uniqueness of the new intelligent cognitive computing method is the combination and synchronous use of many different data extracting techniques to compute, represent, and extract the properties of the source code. With this new calculation method, many significant unusual properties and features of the vulnerability have been synthesized and extracted. To prove the superiority of the proposed method, we experiment to detect source code vulnerabilities based on the Verum dataset, details of this part are presented in the experimental section. The experimental results show that the method proposed in the paper has brought good results on all measures. These results have shown to be the best research results for the source code vulnerability detection task using the Verum dataset according to our survey to date. With such results, the proposal in this study is not only meaningful in terms of science but also in practical terms when the method of using intelligent cognitive computing techniques to analyze and evaluate source code has helped to improve the efficiency of the source code analysis and vulnerability detection process.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Aram Hovsepyan,Riccardo Scandariato,Wouter Joosen,James Walden

DOI: https://doi.org/10.1145/2372225.2372230

2012-01-01

Abstract:Early identification of software vulnerabilities is essential in software engineering and can help reduce not only costs, but also prevent loss of reputation and damaging litigations for a software firm. Techniques and tools for software vulnerability prediction are thus invaluable. Most of the existing techniques rely on using component characteristic(s) (like code complexity, code churn) for the vulnerability prediction. In this position paper, we present a novel approach for vulnerability prediction that leverages on the analysis of raw source code as text, instead of using "cooked" features. Our initial results seem to be very promising as the prediction model achieves an average accuracy of 0.87, precision of 0.85 and recall of 0.88 on 18 versions of a large mobile application.

Zihua Song,Junfeng Wang,Shengli Liu,Zhiyang Fang,Kaiyuan Yang

DOI: https://doi.org/10.1155/2022/1919907

IF: 1.968

2022-04-11

Security and Communication Networks

Abstract:Vulnerability detection on source code can prevent the risk of cyber-attacks as early as possible. However, lacking fine-grained analysis of the code has rendered the existing solutions still suffering from low performance; besides, the explosive growth of open-source projects has dramatically increased the complexity and diversity of the source code. This paper presents HGVul, a code vulnerability detection method based on heterogeneous intermediate representation of source code. The key of the proposed method is the fine-grained handling on heterogeneous source-level intermediate representation (SIR) without expert knowledge. It first extracts graph SIR of code with multiple syntactic-semantic information. Then, HGVul splits the SIR into different subgraphs according to various semantic relations, which are used to obtain semantic information conveyed by different types of edges. Next, a graph neural network with attention operations is deployed on each subgraph to learn representation, which captures the subtle effects from node neighbors on their representation. Finally, the learned code feature representations are utilized to perform vulnerability detection. Experiments are conducted on multiple datasets. The F1 of HGVul reaches 96.1% on the sample-balanced Big-Vul-VP dataset and 88.3% on the unbalanced Big-Vul dataset. Further experiments on actual open-source project datasets prove the better performance of HGVul.

computer science, information systems,telecommunications

Jacob A. Harer,Louis Y. Kim,Rebecca L. Russell,Onur Ozdemir,Leonard R. Kosta,Akshay Rangamani,Lei H. Hamilton,Gabriel I. Centeno,Jonathan R. Key,Paul M. Ellingwood,Erik Antelman,Alan Mackay,Marc W. McConley,Jeffrey M. Opper,Peter Chin,Tomo Lazovich

DOI: https://doi.org/10.48550/arXiv.1803.04497

2018-02-14

Software Engineering

Abstract:Thousands of security vulnerabilities are discovered in production software each year, either reported publicly to the Common Vulnerabilities and Exposures database or discovered internally in proprietary code. Vulnerabilities often manifest themselves in subtle ways that are not obvious to code reviewers or the developers themselves. With the wealth of open source code available for analysis, there is an opportunity to learn the patterns of bugs that can lead to security vulnerabilities directly from data. In this paper, we present a data-driven approach to vulnerability detection using machine learning, specifically applied to C and C++ programs. We first compile a large dataset of hundreds of thousands of open-source functions labeled with the outputs of a static analyzer. We then compare methods applied directly to source code with methods applied to artifacts extracted from the build process, finding that source-based models perform better. We also compare the application of deep neural network models with more traditional models such as random forests and find the best performance comes from combining features learned by deep models with tree-based models. Ultimately, our highest performing model achieves an area under the precision-recall curve of 0.49 and an area under the ROC curve of 0.87.

Wei-Jun SHEN,En-Yi TANG,Zhen-Yu CHEN,Xin CHEN,Bin LI,Juan ZHAI

DOI: https://doi.org/10.13328/j.cnki.jos.005503

2018-01-01

Abstract:Vulnerability detection is an important way of improving the security of software.However,the development of the Internet makes it possible for hackers to attack software systems with new techniques.This paper focuses on a new kind of vulnerability that relates to numerical stability.It poses new threat to software security as hackers are able to bypass security protection by the new kind of vulnerability,and numerical analysis is difficult to detect such a vulnerability.In the paper,the vulnerability related to numerical stability is defined from the perspective of software behavior variation caused by numerical errors,and an automatic detection approach is proposed.The approach combines the static analysis and symbolic execution,and detects the vulnerability by three steps:symbolic extraction,static attack analysis,and dynamic attack verification with high precision values.This new approach is evaluated on a few famous open source projects.The results show that the proposed approach effectively detects the vulnerabilities related to numerical stability hidden in the real-world projects.

Shui-Tao GAN,Xiao-Jun QIN,Zuo-Ning CHEN,Lin-Zhang WANG

DOI: https://doi.org/10.13328/j.cnki.jos.004786

2015-01-01

Abstract:This article proposes a clone detection method based on a program characteristic metrics. Though analyzing the syntax and semantic characteristics of vulnerabilities, this detection method abstracts certain key nodes which describe different forms of vulnerability type from syntax parser tree, and expands four basic types of code clone to auxiliary classes. The characteristic metrics of the code then is finalized by obtaining the number of key nodes which are calculated via scanning corresponding code segment in the syntax parser tree. The clone detection based on a characteristic metrics creates basic knowledge base by extracting partial instances of open vulnerability database, and precisely locates the vulnerability codes by performing cluster calculation on the same codes responding to multiple types of code clone. Comparing with the detection method based on single characteristic vector, the proposed method produces more precise description about vulnerability. This detection method also offers a remedy to the drawbacks of formal detection method on its vulnerability type covering ability. Nine vulnerabilities are detected in an android-kernel system test. Testing on software of different code sizes shows that the performance of this method is linear with the size of the code.

Jin Wang,Hui Xiao,Shuwen Zhong,Yinhao Xiao

DOI: https://doi.org/10.1016/j.future.2023.05.016

IF: 7.307

2023-05-28

Future Generation Computer Systems

Abstract:Software vulnerabilities can pose severe harms to a computing system. They can lead to system crash, privacy leakage, or even physical damage. Correctly identifying vulnerabilities among enormous software codes in a timely manner is so far the essential prerequisite to patch them. Unfortantely, the current vulnerability identification methods, either the classic ones or the deep-learning-based ones, have several critical drawbacks, making them unable to meet the present-day demands put forward by the software industry. To overcome the drawbacks, in this paper, we propose DeepVulSeeker, a novel fully automated vulnerability identification framework, which leverages both code graph structures and the semantic features with the help of the recently advanced Graph Representation Self-Attention and pre-training mechanisms. Our experiments show that DeepVulSeeker not only reaches an accuracy as high as 0.99 on traditional CWE datasets, but also outperforms all other exisiting methods on two highly-complicated datasets. We also testified DeepVulSeeker based on three case studies, and found that DeepVulSeeker is able to understand the implications of the vulnerbilities. We have fully implemented DeepVulSeeker and open-sourced it for future follow-up research.

computer science, theory & methods

Xiang Li,Jinfu Chen,Zhechao Lin,Lin Zhang,Zibin Wang,Minmin Zhou,Wanggen Xie

DOI: https://doi.org/10.1109/cbd.2017.58

2017-08-01

Abstract:Software vulnerability remains a serious challenge to the software engineering domain over the past decade as a result of the recent technological advancement in information systems. The rapid development in software applications and failure on the part of system developers to properly analyze program codes before been released to the market increases the chance for data breaches. It is a known fact that most system failures are as a result of bugs and errors detected in software applications. Although code errors significantly affect software quality, there is no effective method that can be used in eliminating software errors to improve its reliability. Data Mining and its related algorithms are an active area which can successfully be applied in analyzing software vulnerability. However the concept of applying data mining techniques has not been empirically proven as an effective method for obtaining the essential characteristics of software vulnerability. To investigate this effect, we propose a vulnerability mining algorithm to analyze and obtain the essential characteristics of Software vulnerability based data mining techniques. We first extracted and preprocessed the software vulnerabilities using data mining techniques and common vulnerability database. We evaluate the proposed technique using the Common Vulnerability and Exposure (CVE) Database, Common Weakness Enumeration (CWE) Database, National Vulnerability Database (NVD) datasets. Empirical results show that the proposed vulnerability mining algorithm has a remarkable improvement in the vulnerability mining process. The most interesting finding is that, we observed that across all the three projects, recall was around 70% and precision was approximately 60%.

Chen Liang,Qiang Wei,Jiang Du,Yisen Wang,Zirui Jiang

DOI: https://doi.org/10.1016/j.cose.2024.104098

IF: 5.105

2025-01-01

Computers & Security

Abstract:Amidst the rapid development of the software industry and the burgeoning open-source culture, vulnerability detection within the software security domain has emerged as an ever-expanding area of focus. In recent years, the rapid advancement of artificial intelligence, particularly the notable progress in deep learning for pattern recognition and natural language processing, has catalyzed a surge in research endeavors exploring the integration of deep learning for the enhancement of vulnerability detection techniques.In this paper, we investigate contemporary deep learning-based source code analysis methods, with a concentrated emphasis on those pertaining to static code vulnerability detection. We categorize these methods based on various representations of source code employed during the preprocessing stage, including token-based and graph-based representations of source code, and further subdivided based on the types of deep learning algorithms or graph representations employed. We summarize the basic processes of model training and vulnerability detection under these different representation formats. Furthermore, we explore the limitations inherent in current approaches and provide insights into future trends and challenges for research in this field.

Zhidong Shen,Si Chen

DOI: https://doi.org/10.1155/2020/8858010

IF: 1.968

2020-09-29

Security and Communication Networks

Abstract:Open source software has been widely used in various industries due to its openness and flexibility, but it also brings potential software security problems. Together with the large-scale increase in the number of software and the increase in complexity, the traditional manual methods to deal with these security issues are inefficient and cannot meet the current cyberspace security requirements. Therefore, it is an important research topic for researchers in the field of software security to develop more intelligent technologies to apply to potential security issues in software. The development of deep learning technology has brought new opportunities for the study of potential security issues in software, and researchers have successively proposed many automation methods. In this paper, these automation technologies are evaluated and analysed in detail from three aspects: software vulnerability detection, software program repair, and software defect prediction. At the same time, we point out some problems of these research methods, give corresponding solutions, and finally look forward to the application prospect of deep learning technology in automated software vulnerability detection, automated program repair, and automated defect prediction.

computer science, information systems,telecommunications

Guiping Li,Yege Yang

DOI: https://doi.org/10.1109/access.2024.3479237

IF: 3.9

2024-10-25

IEEE Access

Abstract:Deep learning is one of the important methods to detect and fix vulnerabilities in software programs. How to represent code information and how to use artificial intelligence methods to learn and understand code semantics and other information are crucial points in this method. Vulnerability mining analysis based on source code is usually combined with compiler-related techniques to abstract program representations through lexical, syntactic, and semantic analyses, and further combined with data flow analysis, control flow analysis, static symbolic execution, and other techniques to verify the existence of vulnerabilities and identify the location of code defects. To compare the abilities of vulnerability detection methods, we first categorize vulnerability detection methods into two main types based on different intermediate representations: sequence-based and graph-based methods. And then, we further divide sequence-based methods into four categories and distinguish graph-based methods based on whether they employ slicing techniques. Following, through the analysis of specific examples, we compare the advantages and disadvantages of these two methods, and explore the differences and similarities in the neural networks they use. Lastly, we conduct a comparative analysis of the datasets used in the mentioned methods, highlight some challenges in this field, and present our thoughts on potential research directions.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xue Yuan,Guanjun Lin,Huan Mei,Yonghang Tai,Jun Zhang

DOI: https://doi.org/10.1016/j.jisa.2024.103718

IF: 4.96

2024-02-15

Journal of Information Security and Applications

Abstract:Vulnerability identification is crucial to protecting software systems from attacks. Although numerous learning-based solutions have been suggested to assist in vulnerability identification, these approaches often face challenges due to the scarcity of real-world vulnerability data. To extract as much vulnerability information as possible from limited data, we consider obtaining the characteristics of vulnerabilities from different forms of code by leveraging two distinct deep neural models. First, source code functions are considered to be textual sequences, and Gated Recurrent Unit (GRU) is applied to extract serialized features. Then, Syntax Trees (ASTs) of these functions, which reflects the code structure, are fed to a Gated Graph Recurrent Network (GGRN) to obtain structural features indicative of software vulnerability. To better handle data imbalance issues in real-world scenarios, we employ Random Forest (RF) to construct a predictive model to learn the concatenation of serialized and structural features extracted by GRU and GGRN. To evaluate the proposed approach, we collected 12 open-source projects containing function-level samples and compared the proposed method with a series of baselines, including popular learning-based methods and static analysis tools. The empirical results demonstrate that our proposed approach outperforms the baselines and can identify more vulnerabilities.

computer science, information systems

Shibin Zhao,Junhu Zhu,Jianshan Peng

DOI: https://doi.org/10.32604/cmc.2024.041949

2024-01-01

Abstract:In recent years, the rapid development of computer software has led to numerous security problems, particularly software vulnerabilities. These flaws can cause significant harm to users' privacy and property. Current security defect detection technology relies on manual or professional reasoning, leading to missed detection and high false detection rates. Artificial intelligence technology has led to the development of neural network models based on machine learning or deep learning to intelligently mine holes, reducing missed alarms and false alarms. So, this XSS (Transform), and Structured Query Language (SQL) injection. Also, the project uses open-source Javalang to translate the Java source code, conducts a deep search on the AST to obtain the empty syntax feature library, and converts the Java source code into a dependency graph. The feature vector is then used as the learning target for the neural network. Four types of Convolutional Neural Networks (CNN), Long Short-Term Memory (LSTM), Bi-directional Long Short-Term Memory (BiLSTM), and Attention Mechanism + Bidirectional LSTM, are used to investigate various code defects, including blank pointer reference exception, XSS, and SQL injection defects. Experimental results show that the attention mechanism in two-dimensional BLSTM is the most effective for object recognition, verifying the correctness of the method.

Shouguo Yang,Zhengzi Xu,Yang Xiao,Zhe Lang,Wei Tang,Yang Liu,Zhiqiang Shi,Hong Li,Limin Sun

DOI: https://doi.org/10.1145/3604608

IF: 3.685

2023-06-17

ACM Transactions on Software Engineering and Methodology

Abstract:Vulnerability is a major threat to software security. It has been proven that binary code similarity detection approaches are efficient to search for recurring vulnerabilities introduced by code sharing in binary software. However, these approaches suffer from high false-positive rates since they usually take the patched functions as vulnerable, and they usually do not work well when binaries are compiled with different compilation settings. To this end, we propose an approach, named Robin , to confirm recurring vulnerabilities by filtering out patched functions. Robin is powered by a lightweight symbolic execution to solve the set of function inputs that can lead to the vulnerability-related code. It then executes the target functions with the same inputs to capture the vulnerable or patched behaviors for patched function filtration. Experimental results show that Robin achieves high accuracy for patch detection across different compilers and compiler optimization levels respectively on 287 real-world vulnerabilities of 10 different software. Based on accurate patch detection, Robin significantly reduces the false-positive rate of state-of-the-art vulnerability detection tools (by 94.3% on average), making them more practical. Robin additionally detects 12 new potentially vulnerable functions.

computer science, software engineering

Wenhui Hu,Yu Wang,Xueyang Liu,Jinan Sun,Qing Gao,Yu Huang

DOI: https://doi.org/10.1109/smartcloud.2019.00030

2019-01-01

Abstract:With the extensive reuse of open source components, the scope of vulnerability impact will have cascade expansion. At the level of vulnerability data analysis, aiming at the vulnerability propagation problem, this thesis proposes a hierarchical propagation path search algorithm based on open source software vulnerability knowledge graph, at the same time, proposes a heuristic search strategy in both component layer and class layer to reduce the search space complexity, which is optimized from exponential down to polynomial. Furthermore, we propose the optimal blocking concept to represent the cost of repairing the entire propagation path, in order to measure the severity of the project's vulnerability. As for the purpose of providing effective suggestions on vulnerability repairing, we model the optimal blocking calculation as the network flow minimal separate problem, then calculate the network maximal flux to obtain the key dependencies with risks. Finally, multiple case studies with various vulnerability dependent risks show that the proposed algorithm can find software vulnerabilities affecting specific projects effectively.

Fei Zuo,Junghwan Rhee

DOI: https://doi.org/10.1007/s10207-023-00795-8

2024-01-07

International Journal of Information Security

Abstract:In recent years, there has been a remarkable surge in the adoption of open-source software (OSS). However, with the growing usage of OSS components in both free and proprietary software, vulnerabilities that are present within them can be spread to a vast array of underlying applications. Even worse, a myriad of vulnerabilities are fixed secretly via patch commits, which causes other software re-using the vulnerable code snippets to be left in the dark. Thus, source code patch commit mining toward vulnerability discovery is receiving immense attention, and a variety of approaches are proposed. Despite that, there is no comprehensive survey summarizing and discussing the current progress within this field. To fill this gap, we survey, evaluate, and systematize a list of literature and provide the community with our insights on both successes and remaining issues in this space. Special attention is paid on the work toward vulnerability discovery. In this paper, we also provide an introductory panorama with our replicable hands-on experience, which can help readers quickly understand and step into the pertinent field. Our empirical study reveals noteworthy challenges which need to be highlighted and addressed in this field. We also discuss potential directions for the future work. To the best of knowledge, we provide the first literature review to study source code patch commit mining in the vulnerability discovery context. The systematic framework, hands-on practices, and list of potential challenges provide new knowledge for mining source code patch commit toward a more robust software eco-system. The research gaps found in this literature review show the need for future research, such as the concern on data quality, high false alarms, and the significance of textual information.

computer science, information systems, theory & methods, software engineering