Deakin University
Browse

File(s) under permanent embargo

Software Vulnerability Discovery via Learning Multi-Domain Knowledge Bases

Version 2 2024-06-06, 00:32
Version 1 2020-01-17, 15:16
journal contribution
posted on 2024-06-06, 00:32 authored by Guanjun Lin, Jun Zhang, Wei LuoWei Luo, Lei PanLei Pan, Olivier De Vel, Paul Montague, Yang Xiang
Machine learning (ML) has great potential in automated code vulnerability discovery. However, automated discovery application driven by off-the-shelf machine learning tools often performs poorly due to the shortage of high-quality training data. The scarceness of vulnerability data is almost always a problem for any developing software project during its early stages, which is referred to as the cold-start problem. This paper proposes a framework that utilizes transferable knowledge from pre-existing data sources. In order to improve the detection performance, multiple vulnerability-relevant data sources were selected to form a broader base for learning transferable knowledge. The selected vulnerability-relevant data sources are cross-domain, including historical vulnerability data from different software projects and data from the Software Assurance Reference Database (SARD) consisting of synthetic vulnerability examples and proof-of-concept test cases. To extract the information applicable in vulnerability detection from the cross-domain data sets, we designed a deep-learning-based framework with Long-short Term Memory (LSTM) cells. Our framework combines the heterogeneous data sources to learn unified representations of the patterns of the vulnerable source codes. Empirical studies showed that the unified representations generated by the proposed deep learning networks are feasible and effective, and are transferable for real-world vulnerability detection. Our experiments demonstrated that by leveraging two heterogeneous data sources, the performance of our vulnerability detection outperformed the static vulnerability discovery tool Flawfinder. The findings of this paper may stimulate further research in ML-based vulnerability detection using heterogeneous data sources.

History

Journal

IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING

Volume

18

Pagination

2469-2485

Location

Piscataway, N.J.

ISSN

1545-5971

eISSN

1941-0018

Language

English

Publication classification

C1 Refereed article in a scholarly journal

Issue

5

Publisher

IEEE COMPUTER SOC