
Research On Vulnerability Detection Method Based On Deep Learning

Posted on: 2020-05-19
Degree: Master
Type: Thesis
Country: China
Candidate: S J Wang
Full Text: PDF
GTID: 2428330590458357
Subject: Cyberspace security

Abstract/Summary:
In the field of software security, software vulnerability detection is a challenging issue. Ideally, a well-rounded vulnerability detection method should not only detect whether or not a program under test contains vulnerabilities, but also provide additional detailed information (e.g., pinpoint the type of vulnerability) to help developers fix the vulnerabilities. Driven by increasingly sophisticated deep learning technologies, deep-learning-based vulnerability detection methods have been able to effectively detect vulnerabilities in the software under test (i.e., addressing the binary classification of vulnerabilities), but cannot accurately report the types of vulnerabilities involved (i.e., they are incapable of addressing the multiclass classification of vulnerabilities). In order to effectively address the multiclass classification of vulnerabilities, a novel vulnerability detection method is given, and a deep-learning-based multiclass vulnerability detection system, μVulDeePecker (multiclass Vulnerability Deep Pecker), is developed accordingly. μVulDeePecker improves the concept of "code gadget" proposed by its predecessors by introducing control-dependence. In addition, inspired by regions of interest in images, the system gives and utilizes the concept of "code attention". Code attention is essentially a set of vulnerability-type-related code statements that captures information related to vulnerability usages to help μVulDeePecker identify the vulnerability types. With the help of this concept, μVulDeePecker guarantees good identification ability even for small vulnerability classes. To evaluate the effectiveness of μVulDeePecker comprehensively, a dataset containing 181641 vulnerabilities is created. The dataset (i) contains multiple vulnerability types (40 types) and (ii) complex code relationships (i.e., control-dependence relation and data-dependence relation). μVulDeePecker conducts systematic experiments on the dataset and on different versions of the real software product Xen. The experimental reports show that μVulDeePecker has an overall false negative rate (FNR) and F1 of 5.73% and 94.22% when identifying up to 40 types of vulnerabilities. Compared with other existing deep-learning-based vulnerability detection systems, μVulDeePecker reduces the overall FNR by 10.75% and increases the overall F1 by 8.72%. In addition, μVulDeePecker finds two new vulnerabilities in Xen. The new vulnerabilities have not been publicly released, but have been fixed "silently" by the vendors in subsequent versions of the software.
Keywords/Search Tags: Vulnerability detection, multiclass classification, data-dependence, control-dependence, deep learning