SySeVR: A Framework for Using Deep Learning to Detect Software Vulnerabilities

The detection of software vulnerabilities (or vulnerabilities for short) is an important problem that has yet to be tackled, as manifested by the many vulnerabilities reported on a daily basis. This calls for machine learning methods for vulnerability detection. Deep learning is attractive for this...

Bibliographic details
Published in: IEEE transactions on dependable and secure computing, 2022-07, Vol.19 (4), p.1-1
Main authors: Li, Zhen; Zou, Deqing; Xu, Shouhuai; Jin, Hai; Zhu, Yawei; Chen, Zhaoxuan
Format: Article
Language: eng
container_end_page 1
container_issue 4
container_start_page 1
container_title IEEE transactions on dependable and secure computing
container_volume 19
creator Li, Zhen
Zou, Deqing
Xu, Shouhuai
Jin, Hai
Zhu, Yawei
Chen, Zhaoxuan
description The detection of software vulnerabilities (or vulnerabilities for short) is an important problem that has yet to be tackled, as manifested by the many vulnerabilities reported on a daily basis. This calls for machine learning methods for vulnerability detection. Deep learning is attractive for this purpose because it alleviates the requirement to manually define features. Despite the tremendous success of deep learning in other application domains, its applicability to vulnerability detection is not systematically understood. In order to fill this void, we propose the first systematic framework for using deep learning to detect vulnerabilities in C/C++ programs with source code. The framework, dubbed Syntax-based, Semantics-based, and Vector Representations (SySeVR), focuses on obtaining program representations that can accommodate syntax and semantic information pertinent to vulnerabilities. Our experiments with 4 software products demonstrate the usefulness of the framework: we detect 15 vulnerabilities that are not reported in the National Vulnerability Database. Among these 15 vulnerabilities, 7 are unknown and have been reported to the vendors, and the other 8 have been "silently" patched by the vendors when releasing newer versions of the pertinent software products.
doi_str_mv 10.1109/TDSC.2021.3051525
format Article
identifier ISSN: 1545-5971
ispartof IEEE transactions on dependable and secure computing, 2022-07, Vol.19 (4), p.1-1
issn 1545-5971
1941-0018
language eng
recordid cdi_ieee_primary_9321538
source IEEE Electronic Library (IEL)
subjects Big Data
Deep learning
Image processing
Machine learning
program analysis
program representation
Proposals
security
Semantics
Software
Source code
Syntactics
Vulnerability detection
title SySeVR: A Framework for Using Deep Learning to Detect Software Vulnerabilities