BLSTM-based source code vulnerability detection visualization system

SQL injection vulnerabilities have been predominant on database-driven web applications since almost one decade. Exploiting such vulnerabilities enables attackers to gain unauthorized access to the back-end databases by altering the original SQL statements through manipulating user input. Testing web applications for identifying SQL injection vulnerabilities before deployment is essential to get rid of them. However, checking such vulnerabilities by hand is very tedious, difficult, and time-consuming. Web vulnerability static analysis tools are software tools for automatically identifying the root cause of SQL injection vulnerabilities in web applications source code. In this paper, we test and evaluate three free/open source static analysis tools using eight web applications with numerous known vulnerabilities, primarily for false negative rates. The evaluation results were compared and analysed, and they indicate a need to improve the tools.

Download Full-text

Vulnerability Detection for Source Code Using Contextual LSTM

2018 5th International Conference on Systems and Informatics (ICSAI) ◽

10.1109/icsai.2018.8599360 ◽

2018 ◽

Cited By ~ 1

Author(s):

Aidong Xu ◽

Tao Dai ◽

Huajun Chen ◽

Zhe Ming ◽

Weining Li

Keyword(s):

Source Code ◽

Vulnerability Detection

Download Full-text

A Context-Aware Neural Embedding for Function-Level Vulnerability Detection

Algorithms ◽

10.3390/a14110335 ◽

2021 ◽

Vol 14 (11) ◽

pp. 335

Author(s):

Hongwei Wei ◽

Guanjun Lin ◽

Lin Li ◽

Heming Jia

Keyword(s):

Data Flow ◽

Short Term Memory ◽

Source Code ◽

Control Flow ◽

Language Models ◽

Software Systems ◽

Support Vector ◽

Context Aware ◽

Vulnerability Detection ◽

Feature Representations

Exploitable vulnerabilities in software systems are major security concerns. To date, machine learning (ML) based solutions have been proposed to automate and accelerate the detection of vulnerabilities. Most ML techniques aim to isolate a unit of source code, be it a line or a function, as being vulnerable. We argue that a code segment is vulnerable if it exists in certain semantic contexts, such as the control flow and data flow; therefore, it is important for the detection to be context aware. In this paper, we evaluate the performance of mainstream word embedding techniques in the scenario of software vulnerability detection. Based on the evaluation, we propose a supervised framework leveraging pre-trained context-aware embeddings from language models (ELMo) to capture deep contextual representations, further summarized by a bidirectional long short-term memory (Bi-LSTM) layer for learning long-range code dependency. The framework takes directly a source code function as an input and produces corresponding function embeddings, which can be treated as feature sets for conventional ML classifiers. Experimental results showed that the proposed framework yielded the best performance in its downstream detection tasks. Using the feature representations generated by our framework, random forest and support vector machine outperformed four baseline systems on our data sets, demonstrating that the framework incorporated with ELMo can effectively capture the vulnerable data flow patterns and facilitate the vulnerability detection task.

Download Full-text

ISA: A Source Code Static Vulnerability Detection System Based on Data Fusion

Proceedings of the 2nd International ICST Conference on Scalable Information Systems ◽

10.4108/infoscale.2007.910 ◽

2007 ◽

Cited By ~ 4

Author(s):

Deguang Kong ◽

Quan Zheng ◽

Chao Chen ◽

Jianmei Shuai ◽

Ming Zhu

Keyword(s):

Data Fusion ◽

Detection System ◽

Source Code ◽

Vulnerability Detection

Download Full-text

Comparative analysis of approaches to source code vulnerability detection based on deep learning methods

Technology audit and production reserves ◽

10.15587/2706-5448.2021.233534 ◽

2021 ◽

Vol 3 (2(59)) ◽

pp. 19-23

Author(s):

Yevhenii Kubiuk ◽

Gennadiy Kyselov

Keyword(s):

Deep Learning ◽

Comparative Analysis ◽

Short Term Memory ◽

Source Code ◽

Vulnerability Detection ◽

Program Dependence Graph ◽

Code Analysis ◽

Advantages And Disadvantages ◽

Analysis Process ◽

Analysis System

The object of research of this work is the methods of deep learning for source code vulnerability detection. One of the most problematic areas is the use of only one approach in the code analysis process: the approach based on the AST (abstract syntax tree) or the approach based on the program dependence graph (PDG). In this paper, a comparative analysis of two approaches for source code vulnerability detection was conducted: approaches based on AST and approaches based on the PDG. In this paper, various topologies of neural networks were analyzed. They are used in approaches based on the AST and PDG. As the result of the comparison, the advantages and disadvantages of each approach were determined, and the results were summarized in the corresponding comparison tables. As a result of the analysis, it was determined that the use of BLSTM (Bidirectional Long Short Term Memory) and BGRU (Bidirectional Gated Linear Unit) gives the best result in terms of problems of source code vulnerability detection. As the analysis showed, the most effective approach for source code vulnerability detection systems is a method that uses an intermediate representation of the code, which allows getting a language-independent tool. Also, in this work, our own algorithm for the source code analysis system is proposed, which is able to perform the following operations: predict the source code vulnerability, classify the source code vulnerability, and generate a corresponding patch for the found vulnerability. A detailed analysis of the proposed system’s unresolved issues is provided, which is planned to investigate in future researches. The proposed system could help speed up the software development process as well as reduce the number of software code vulnerabilities. Software developers, as well as specialists in the field of cybersecurity, can be stakeholders of the proposed system.

Download Full-text