Multi-context Attention Fusion Neural Network for Software Vulnerability Identification

by Anshul Tanwar, et al.

Security issues in shipped code can lead to unforeseen device malfunction, system crashes or malicious exploitation by crackers post-deployment. These vulnerabilities incur a cost of repair and, foremost, risk the credibility of the company. It is rewarding when these issues are detected and fixed well ahead of time, before release. Common Weakness Estimation (CWE) is a nomenclature describing general vulnerability patterns observed in C code. In this work, we propose a deep learning model that learns to detect some of the common categories of security vulnerabilities in source code efficiently. The AI architecture is an Attention Fusion model that combines the effectiveness of recurrent, convolutional and self-attention networks towards decoding the vulnerability hotspots in code. Utilizing the code AST structure, our model builds an accurate understanding of code semantics with far fewer learnable parameters. Besides a novel way of efficiently detecting code vulnerability, an additional novelty in this model is that it points exactly to the code sections which were deemed vulnerable by the model, thus helping a developer to quickly focus on the vulnerable code sections; this becomes the "explainable" part of the vulnerability detection. The proposed AI achieves 98.40 specific CWEs from the benchmarked NIST SARD dataset and compares well with state of the art.


