HYDRA: A Hybrid Heuristic-Guided Deep Representation Architecture for Predicting Latent Zero-Day Vulnerabilities in Patched Functions
Mohammad Farhad, Sabbir Rahman, Shuvalaxmi Dass

TL;DR
HYDRA is a hybrid deep learning architecture that combines heuristics and embeddings to detect latent zero-day vulnerabilities in patched functions, improving security testing by uncovering hidden risks.
Contribution
HYDRA introduces a novel combination of rule-based heuristics, GraphCodeBERT embeddings, and VAE for unsupervised detection of post-patch latent vulnerabilities.
Findings
HYDRA predicts 13.7%, 20.6%, and 24% of functions as containing latent risks in Chrome, Android, and ImageMagick, respectively.
HYDRA outperforms baseline models relying solely on regex features or embeddings.
HYDRA uncovers risky code variants aligned with heuristic patterns, revealing hidden vulnerabilities.
Abstract
Software security testing, particularly when enhanced with deep learning models, has become a powerful approach for improving software quality, enabling faster detection of known flaws in source code. However, many approaches miss post-fix latent vulnerabilities: flaws that remain even after patches, typically due to incomplete fixes or overlooked issues, and that may later lead to zero-day exploits. In this paper, we propose HYDRA, a Hybrid heuristic-guided Deep Representation Architecture for predicting latent zero-day vulnerabilities in patched functions, which combines rule-based heuristics with deep representation learning to detect latent risky code patterns that may persist after patches. It integrates static vulnerability rules, GraphCodeBERT embeddings, and a Variational Autoencoder (VAE) to uncover anomalies often missed by symbolic or neural models alone. We evaluate HYDRA in an…
