Multi-context Attention Fusion Neural Network for Software Vulnerability Identification

TL;DR

This paper introduces a novel deep learning model that combines recurrent, convolutional, and self-attention networks to accurately detect and localize security vulnerabilities in source code, improving explainability and efficiency.

Contribution

The paper proposes an Attention Fusion neural network that effectively detects and precisely locates vulnerabilities in source code using AST structures, with fewer parameters and high accuracy.

Findings

Achieves 98.40% F1-score on NIST SARD dataset.

Effectively combines multiple neural network architectures for vulnerability detection.

Provides explainability by pinpointing vulnerable code sections.

Abstract

Security issues in shipped code can lead to unforeseen device malfunction, system crashes or malicious exploitation by crackers, post-deployment. These vulnerabilities incur a cost of repair and foremost risk the credibility of the company. It is rewarding when these issues are detected and fixed well ahead of time, before release. Common Weakness Estimation (CWE) is a nomenclature describing general vulnerability patterns observed in C code. In this work, we propose a deep learning model that learns to detect some of the common categories of security vulnerabilities in source code efficiently. The AI architecture is an Attention Fusion model, that combines the effectiveness of recurrent, convolutional and self-attention networks towards decoding the vulnerability hotspots in code. Utilizing the code AST structure, our model builds an accurate understanding of code semantics with a lot less learnable parameters. Besides a novel way of efficiently detecting code vulnerability, an additional novelty in this model is to exactly point to the code sections, which were deemed vulnerable by the model. Thus helping a developer to quickly focus on the vulnerable code sections; and this becomes the "explainable" part of the vulnerability detection. The proposed AI achieves 98.40% F1-score on specific CWEs from the benchmarked NIST SARD dataset and compares well with state of the art.