A team of researchers from R&D company Draper and Boston University developed a new large-scale vulnerability detection system using machine learning algorithms, which could help to discover software vulnerabilities faster and more efficiently.
Hackers and malicious users are constantly coming up with new ways to compromise IT systems and applications, typically by exploiting software security vulnerabilities. Software vulnerabilities are small errors made by the programmers who developed a system, and they can propagate quickly, especially through open-source software or through code reuse and adaptation.
Every year, thousands of these vulnerabilities are publicly reported to the Common Vulnerabilities and Exposures database (CVE), while many others are spotted and patched internally by developers. If they are not adequately addressed, these vulnerabilities can be exploited by attackers, often with devastating effects, as proved in many recent high-profile exploits, such as the Heartbleed bug and the WannaCry ransomware cryptoworm.
Generally, existing tools to analyze programs can only detect a limited number of potential errors, which are based on predefined rules. However, the widespread use of open-source repositories has opened new possibilities for the development of techniques that could reveal code vulnerability patterns.
The researchers from Draper and Boston University have developed a new vulnerability detection tool that uses machine learning for automated detection of vulnerabilities in C/C++ source code, which has already shown promising results.
The team compiled a large dataset with millions of open-source functions and labeled it using three static (pre-runtime) analysis tools, namely Clang, Cppcheck and Flawfinder, which are designed to identify potential exploits. Their dataset included millions of function-level examples of C and C++ code drawn from the SATE IV Juliet Test Suite, the Debian Linux distribution, and public Git repositories on GitHub.
"Using these datasets, we developed a fast and scalable vulnerability detection tool based on deep feature representation learning that directly interprets lexed source code," the researchers wrote in their paper.
As programming languages are in some ways similar to human languages, the researchers designed a vulnerability detection technique that uses natural language processing (NLP), an AI strategy that allows computers to understand and interpret human language.
"We leverage feature-extraction approaches similar to those used for sentence sentiment classification with convolutional neural networks (CNNs) and recurrent neural networks (RNNs) for function-level source vulnerability classification," the researchers explained in their paper.
They combined NLP with random forest (RF), a powerful algorithm that creates an ensemble of decision trees from randomly selected subsets of the training dataset and then merges them together, generally achieving more accurate predictions.
The researchers tested their tool on both real software packages and the NIST SATE IV benchmark dataset.
"Our results demonstrate that deep feature representation learning on source code is a promising approach for automated software vulnerability detection," they wrote. "We applied a variety of ML techniques inspired by classification problems in the natural language domain, fine-tuned them for our application, and achieved the best overall results using features learned via convolutional neural network and classified with an ensemble tree algorithm."
So far, their work has focused on C/C++ code, but their method could also be applied to any other programming language. They specifically chose to create a custom C/C++ lexer as this would produce a simple and generic representation of function source code, which is ideal for machine learning training.
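To make the idea of a "simple and generic representation" concrete, here is an added sketch of a function-level lexer; it is not the researchers' code, and its keyword list, kept library calls and placeholder tokens (`<ID>`, `<STR>`, `<CHR>`, `<NUM>`, `<UNK>`) are assumptions chosen for illustration. It shows how two functions that differ only in naming, comments and layout collapse to the same token sequence for a classifier to consume.

```python
import re

# Assumed vocabulary: the article does not list the real lexer's token set.
KEYWORDS = {"if", "else", "for", "while", "return", "int", "char", "void",
            "unsigned", "long", "const", "struct", "sizeof", "static"}
# Library calls kept verbatim because their names carry meaning (assumed list).
KEPT_CALLS = {"strcpy", "strncpy", "memcpy", "malloc", "free", "gets",
              "sprintf", "snprintf", "strlen"}
PLACEHOLDER = {"string": "<STR>", "char": "<CHR>", "number": "<NUM>"}

TOKEN_RE = re.compile(r"""
    (?P<comment>//[^\n]*|/\*.*?\*/)
  | (?P<string>"(?:\\.|[^"\\])*")
  | (?P<char>'(?:\\.|[^'\\])*')
  | (?P<number>0[xX][0-9a-fA-F]+|\d+\.?\d*[uUlLfF]*)
  | (?P<ident>[A-Za-z_]\w*)
  | (?P<op>->|\+\+|--|<<=|>>=|<<|>>|<=|>=|==|!=|&&|\|\||[-+*/%&|^]=|[-+*/%=<>!&|^~?:;,.(){}\[\]])
  | (?P<ws>\s+)
""", re.VERBOSE | re.DOTALL)

def lex_function(source):
    """Return a generic token sequence for one C function's source text."""
    tokens, pos = [], 0
    while pos < len(source):
        m = TOKEN_RE.match(source, pos)
        if m is None:                 # byte outside the grammar above, e.g. '#'
            tokens.append("<UNK>")
            pos += 1
            continue
        pos = m.end()
        kind, text = m.lastgroup, m.group()
        if kind in ("comment", "ws"):
            continue                  # layout and comments are dropped
        if kind in PLACEHOLDER:
            tokens.append(PLACEHOLDER[kind])   # literal values become one token
        elif kind == "ident" and text not in KEYWORDS | KEPT_CALLS:
            tokens.append("<ID>")     # project-specific names are made generic
        else:
            tokens.append(text)       # keywords, operators, kept library calls
    return tokens

# Constructed samples: the same unbounded copy written by two different authors.
A = 'void copy(char *dst, const char *src) { /* no bound */ strcpy(dst, src); }'
B = 'void f(char *out, const char *in) {\n  strcpy(out, in); // same logic\n}'

if __name__ == "__main__":
    print(lex_function(A) == lex_function(B), " ".join(lex_function(A)))
```
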