Automatic feature learning for vulnerability prediction

TL;DR

This paper introduces a deep learning approach using LSTM models to automatically learn semantic and syntactic features in source code for vulnerability prediction, outperforming existing methods.

Contribution

It presents a novel deep learning-based feature learning method that captures code semantics and syntax for improved vulnerability prediction accuracy.

Findings

Achieves 3%-58% improvement in within-project prediction

Achieves 85% improvement in cross-project prediction

Outperforms state-of-the-art vulnerability prediction models

Abstract

Code flaws or vulnerabilities are prevalent in software systems and can potentially cause a variety of problems including deadlock, information loss, or system failure. A variety of approaches have been developed to try and detect the most likely locations of such code vulnerabilities in large code bases. Most of them rely on manually designing features (e.g. complexity metrics or frequencies of code tokens) that represent the characteristics of the code. However, all suffer from challenges in sufficiently capturing both semantic and syntactic representation of source code, an important capability for building accurate prediction models. In this paper, we describe a new approach, built upon the powerful deep learning Long Short Term Memory model, to automatically learn both semantic and syntactic features in code. Our evaluation on 18 Android applications demonstrates that the prediction power obtained from our learned features is equal or even superior to what is achieved by state of the art vulnerability prediction models: 3%--58% improvement for within-project prediction and 85% for cross-project prediction.