The detection of software vulnerabilities (or vulnerabilities for short) is
an important problem that has yet to be tackled, as manifested by the many
vulnerabilities reported on a daily basis. This calls for machine learning
methods for vulnerability detection. Deep learning is attractive for this
purpose because it alleviates the requirement to manually define features.
Despite the tremendous success of deep learning in other application domains,
its applicability to vulnerability detection is not systematically understood.
In order to fill this void, we propose the first systematic framework for using
deep learning to detect vulnerabilities in C/C++ programs with source code. The
framework, dubbed Syntax-based, Semantics-based, and Vector Representations
(SySeVR), focuses on obtaining program representations that can accommodate
syntax and semantic information pertinent to vulnerabilities. Our experiments
with 4 software products demonstrate the usefulness of the framework: we detect
15 vulnerabilities that are not reported in the National Vulnerability
Database. Among these 15 vulnerabilities, 7 are unknown and have been reported
to the vendors, and the other 8 have been “silently” patched by the vendors
when releasing newer versions of the pertinent software products.