Comparing Unidirectional, Bidirectional, and Word2vec Models for Discovering Vulnerabilities in Compiled Lifted Code

TL;DR

This paper compares unidirectional GPT-2 embeddings with bidirectional models for vulnerability detection in compiled code, demonstrating superior performance of GPT-2 in identifying security flaws using neural networks.

Contribution

It introduces the use of unidirectional GPT-2 embeddings for vulnerability detection in compiled code and compares their effectiveness against bidirectional models like BERT and RoBERTa.

Findings

GPT-2 embeddings outperform bidirectional models in accuracy and F1-score

Unfrozen embedding layers yield the best neural network performance

SGD optimizer performs better than Adam in this context

Abstract

Ransomware and other forms of malware cause significant financial and operational damage to organizations by exploiting long-standing and often difficult-to-detect software vulnerabilities. To detect vulnerabilities such as buffer overflows in compiled code, this research investigates the application of unidirectional transformer-based embeddings, specifically GPT-2. Using a dataset of LLVM functions, we trained a GPT-2 model to generate embeddings, which were subsequently used to build LSTM neural networks to differentiate between vulnerable and non-vulnerable code. Our study reveals that embeddings from the GPT-2 model significantly outperform those from bidirectional models of BERT and RoBERTa, achieving an accuracy of 92.5% and an F1-score of 89.7%. LSTM neural networks were developed with both frozen and unfrozen embedding model layers. The model with the highest performance was achieved when the embedding layers were unfrozen. Further, the research finds that, in exploring the impact of different optimizers within this domain, the SGD optimizer demonstrates superior performance over Adam. Overall, these findings reveal important insights into the potential of unidirectional transformer-based approaches in enhancing cybersecurity defenses.