SySeVR: A Framework for Using Deep Learning to Detect Software Vulnerabilities
| Autor: | Zhaoxuan Chen, Hai Jin, Zhen Li, Deqing Zou, Shouhuai Xu, Yawei Zhu |
|---|---|
| Jazyk: | angličtina |
| Rok vydání: | 2018 |
| Předmět: |
FOS: Computer and information sciences
Computer Science - Machine Learning Source code Computer Science - Cryptography and Security Computer science Computer Science - Artificial Intelligence media_common.quotation_subject 0211 other engineering and technologies Machine Learning (stat.ML) 02 engineering and technology Machine Learning (cs.LG) Software Statistics - Machine Learning Electrical and Electronic Engineering Semantic information media_common 021110 strategic defence & security studies Syntax (programming languages) business.industry Deep learning National Vulnerability Database Vulnerability detection Data science Artificial Intelligence (cs.AI) Artificial intelligence business Cryptography and Security (cs.CR) |
| Popis: | The detection of software vulnerabilities (or vulnerabilities for short) is an important problem that has yet to be tackled, as manifested by the many vulnerabilities reported on a daily basis. This calls for machine learning methods for vulnerability detection. Deep learning is attractive for this purpose because it alleviates the requirement to manually define features. Despite the tremendous success of deep learning in other application domains, its applicability to vulnerability detection is not systematically understood. In order to fill this void, we propose the first systematic framework for using deep learning to detect vulnerabilities in C/C++ programs with source code. The framework, dubbed Syntax-based, Semantics-based, and Vector Representations (SySeVR), focuses on obtaining program representations that can accommodate syntax and semantic information pertinent to vulnerabilities. Our experiments with 4 software products demonstrate the usefulness of the framework: we detect 15 vulnerabilities that are not reported in the National Vulnerability Database. Among these 15 vulnerabilities, 7 are unknown and have been reported to the vendors, and the other 8 have been "silently" patched by the vendors when releasing newer versions of the pertinent software products. To be published in IEEE TDSC |
| Databáze: | OpenAIRE |
| Externí odkaz: |
|