File(s) under permanent embargo
Cross-project transfer representation learning for vulnerable function discovery
Journal contribution posted on 2018-07-01, 00:00, authored by G Lin, Jun Zhang, Wei Luo, Lei Pan, Yang Xiang, O De Vel, P Montague
Machine learning is now widely used to detect security vulnerabilities in the software, even before the software is released. But its potential is often severely compromised at the early stage of a software project when we face a shortage of high-quality training data and have to rely on overly generic hand-crafted features. This paper addresses this cold-start problem of machine learning, by learning rich features that generalize across similar projects. To reach an optimal balance between feature-richness and generalizability, we devise a data-driven method including the following innovative ideas. First, the code semantics are revealed through serialized abstract syntax trees (ASTs), with tokens encoded by Continuous Bag-of-Words neural embeddings. Next, the serialized ASTs are fed to a sequential deep learning classifier (Bi-LSTM) to obtain a representation indicative of software vulnerability. Finally, the neural representation obtained from existing software projects is then transferred to the new project to enable early vulnerability detection even with a small set of training labels. To validate this vulnerability detection approach, we manually labeled 457 vulnerable functions and collected 30 000+ nonvulnerable functions from six open-source projects. The empirical results confirmed that the trained model is capable of generating representations that are indicative of program vulnerability and is adaptable across multiple projects. Compared with the traditional code metrics, our transfer-learned representations are more effective for predicting vulnerable functions, both within a project and across multiple projects.