Automated Vulnerability Detection in Source Code Using Deep Representation Learning
Rebecca L. Russell, Louis Kim, Lei H. Hamilton, Tomo Lazovich, Jacob A. Harer, Onur Ozdemir, Paul M. Ellingwood, Marc W. McConley

TL;DR
This paper presents a scalable machine learning system that uses deep feature representation learning to automatically detect vulnerabilities in C and C++ source code, leveraging large open-source datasets and static analysis labels.
Contribution
It introduces a large-scale labeled dataset of open-source functions and a novel deep learning approach for vulnerability detection directly from source code.
Findings
Effective detection of vulnerabilities in real software and benchmark datasets.
Deep feature representation learning outperforms traditional static analysis methods.
A fast, scalable vulnerability detection tool was built on the learned representations.
Abstract
Increasing numbers of software vulnerabilities are discovered every year whether they are reported publicly or discovered internally in proprietary code. These vulnerabilities can pose serious risk of exploit and result in system compromise, information leaks, or denial of service. We leveraged the wealth of C and C++ open-source code available to develop a large-scale function-level vulnerability detection system using machine learning. To supplement existing labeled vulnerability datasets, we compiled a vast dataset of millions of open-source functions and labeled it with carefully-selected findings from three different static analyzers that indicate potential exploits. The labeled dataset is available at: https://osf.io/d45bw/. Using these datasets, we developed a fast and scalable vulnerability detection tool based on deep feature representation learning that directly interprets…
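The abstract describes two data-preparation steps that the rest of the pipeline depends on: mapping static-analyzer findings (reported per file and line) onto function-level labels, and feeding function source directly to a model. The Python below is an added illustration of those two steps, not code from the paper or its released dataset. It assumes, as one plausible front end, that the model consumes a lexed, normalized token sequence; the analyzer names, the curated category set, the libc call list and the sample C file are all constructed for the example, and the paper's own lexer, category selection and model are not reproduced.

```python
"""Added example: function-level labels from analyzer findings, plus a normalizing
C lexer. Illustrative only; not the paper's code, dataset or category list."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class FunctionRecord:
    name: str
    file: str
    start_line: int   # 1-based, inclusive
    end_line: int     # 1-based, inclusive
    source: str


@dataclass(frozen=True)
class Finding:
    file: str
    line: int
    tool: str         # hypothetical analyzer name
    category: str     # finding category, assumed already normalized across tools


# Hypothetical curated set: only these categories count toward a "vulnerable" label.
VULN_CATEGORIES: Set[str] = {"buffer-overflow", "null-dereference",
                             "integer-overflow", "format-string"}

C_KEYWORDS = {"auto", "break", "case", "char", "const", "continue", "default", "do",
              "double", "else", "enum", "extern", "float", "for", "goto", "if", "int",
              "long", "return", "short", "signed", "sizeof", "static", "struct",
              "switch", "typedef", "union", "unsigned", "void", "volatile", "while"}
# Library calls kept verbatim because the callee name carries signal (assumed list).
LIBC_CALLS = {"strcpy", "strncpy", "strcat", "sprintf", "snprintf", "memcpy", "memset",
              "malloc", "calloc", "realloc", "free", "printf", "gets", "fgets", "strlen"}

_OPS = ["<<=", ">>=", "->", "++", "--", "==", "!=", "<=", ">=", "&&", "||",
        "<<", ">>", "+=", "-=", "*=", "/=", "%=", "&=", "|=", "^="]
_TOKEN_RE = re.compile(
    r"(?P<comment>//[^\n]*|/\*.*?\*/)"
    r'|(?P<string>"(?:\\.|[^"\\])*"' + r"|'(?:\\.|[^'\\])*')"
    r"|(?P<number>0[xX][0-9a-fA-F]+|\d+(?:\.\d+)?[uUlLfF]*)"
    r"|(?P<ident>[A-Za-z_]\w*)"
    r"|(?P<op>" + "|".join(re.escape(o) for o in _OPS) + r"|[-+*/%=<>!&|^~?:;,.(){}\[\]#])"
    r"|(?P<ws>\s+)",
    re.DOTALL,
)


def tokenize(code: str) -> List[str]:
    """Lex C source into a normalized token list: keywords, operators and known
    library calls kept verbatim; other identifiers -> ID, numbers -> NUM, strings -> STR."""
    tokens: List[str] = []
    pos = 0
    while pos < len(code):
        m = _TOKEN_RE.match(code, pos)
        if m is None:
            raise ValueError(f"unlexable input at offset {pos}: {code[pos:pos + 10]!r}")
        pos = m.end()
        kind, text = m.lastgroup, m.group()
        if kind in ("ws", "comment"):
            continue
        if kind == "string":
            tokens.append("STR")
        elif kind == "number":
            tokens.append("NUM")
        elif kind == "ident":
            tokens.append(text if text in C_KEYWORDS or text in LIBC_CALLS else "ID")
        else:
            tokens.append(text)
    return tokens


def function_labels(functions, findings, categories=VULN_CATEGORIES) -> Dict[str, Set[str]]:
    """Map each function to the curated categories reported inside its line span.
    Findings in other files, outside the span, or in non-curated categories are dropped."""
    return {
        fn.name: {f.category for f in findings
                  if f.file == fn.file
                  and fn.start_line <= f.line <= fn.end_line
                  and f.category in categories}
        for fn in functions
    }


def build_dataset(functions, findings) -> List[Tuple[str, List[str], int]]:
    """Produce (name, token_sequence, label) rows; label 1 = at least one curated finding."""
    labels = function_labels(functions, findings)
    return [(fn.name, tokenize(fn.source), int(bool(labels[fn.name]))) for fn in functions]


def token_counts(tokens: List[str]) -> Counter:
    """Bag-of-tokens view, useful as a baseline feature vector or a sanity check."""
    return Counter(tokens)


# Constructed sample file (not from the paper's dataset).
SAMPLE_FILE = "example.c"
SAMPLE_SOURCE = """\
#include <string.h>

int copy_name(char *dst, const char *src) {
    char buf[16];
    strcpy(buf, src);  /* unbounded copy into a 16-byte stack buffer */
    strcpy(dst, buf);
    return 0;
}

int add_one(int x) {
    return x + 1;
}
"""


def _slice(start: int, end: int) -> str:
    return "\n".join(SAMPLE_SOURCE.splitlines()[start - 1:end])


FUNCTIONS = [
    FunctionRecord("copy_name", SAMPLE_FILE, 3, 8, _slice(3, 8)),
    FunctionRecord("add_one", SAMPLE_FILE, 10, 12, _slice(10, 12)),
]
# Constructed findings from hypothetical analyzers.
FINDINGS = [
    Finding(SAMPLE_FILE, 5, "analyzerA", "buffer-overflow"),   # inside copy_name, curated
    Finding(SAMPLE_FILE, 11, "analyzerB", "style"),            # inside add_one, not curated
    Finding("other.c", 5, "analyzerA", "buffer-overflow"),     # other file, ignored
]

if __name__ == "__main__":
    for name, toks, label in build_dataset(FUNCTIONS, FINDINGS):
        print(f"{name}: label={label} tokens={' '.join(toks)}")
```

Two caveats a practitioner should keep in mind when building data this way. A label of 1 means "an analyzer in the curated category set flagged a line inside this function", not that the function is exploitable; analyzer false positives and misses flow straight into the training labels, so the curated category set and the analyzer choice deserve as much review as the model. And the identifier normalization is deliberate: keeping `buf` or `src` as tokens would let a model memorize naming habits of specific projects instead of learning code patterns that generalize across the dataset.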
