Automatic feature learning for predicting vulnerable software components

Hoa Khanh Dam, Truyen Tran, Trang Thi Minh Pham, Shien Wee Ng, John Grundy, Aditya Ghose

Research output: Contribution to journalArticleResearchpeer-review

Abstract

Code flaws or vulnerabilities are prevalent in software systems and can potentially cause a variety of problems including deadlock, hacking, information loss and system failure. A variety of approaches have been developed to try and detect the most likely locations of such code vulnerabilities in large code bases. Most of them rely on manually designing code features (e.g. complexity metrics or frequencies of code tokens) that represent the characteristics of the potentially problematic code to locate. However, all suffer from challenges in sufficiently capturing both semantic and syntactic representation of source code, an important capability for building accurate prediction models. In this paper, we describe a new approach, built upon the powerful deep learning Long Short Term Memory model, to automatically learn both semantic and syntactic features of code. Our evaluation on 18 Android applications and the Firefox application demonstrates that the prediction power obtained from our learned features is better than what is achieved by state of the art vulnerability prediction models, for both within-project prediction and cross-project prediction.

Original languageEnglish
Number of pages19
JournalIEEE Transactions on Software Engineering
DOIs
Publication statusAccepted/In press - 2019

Keywords

  • Empirical software engineering
  • Feature extraction
  • Mining software engineering repositories
  • Predictive models
  • Security
  • Semantics
  • Software systems
  • Software vulnerability prediction
  • System recovery

Cite this

Dam, Hoa Khanh ; Tran, Truyen ; Pham, Trang Thi Minh ; Ng, Shien Wee ; Grundy, John ; Ghose, Aditya. / Automatic feature learning for predicting vulnerable software components. In: IEEE Transactions on Software Engineering. 2019.
@article{59ff5562bfdc4af583aadf12d4b251ae,
title = "Automatic feature learning for predicting vulnerable software components",
abstract = "Code flaws or vulnerabilities are prevalent in software systems and can potentially cause a variety of problems including deadlock, hacking, information loss and system failure. A variety of approaches have been developed to try and detect the most likely locations of such code vulnerabilities in large code bases. Most of them rely on manually designing code features (e.g. complexity metrics or frequencies of code tokens) that represent the characteristics of the potentially problematic code to locate. However, all suffer from challenges in sufficiently capturing both semantic and syntactic representation of source code, an important capability for building accurate prediction models. In this paper, we describe a new approach, built upon the powerful deep learning Long Short Term Memory model, to automatically learn both semantic and syntactic features of code. Our evaluation on 18 Android applications and the Firefox application demonstrates that the prediction power obtained from our learned features is better than what is achieved by state of the art vulnerability prediction models, for both within-project prediction and cross-project prediction.",
keywords = "Empirical software engineering, Feature extraction, Mining software engineering repositories, Predictive models, Security, Semantics, Software systems, Software vulnerability prediction, System recovery",
author = "Dam, {Hoa Khanh} and Truyen Tran and Pham, {Trang Thi Minh} and Ng, {Shien Wee} and John Grundy and Aditya Ghose",
year = "2019",
doi = "10.1109/TSE.2018.2881961",
language = "English",
journal = "IEEE Transactions on Software Engineering",
issn = "0098-5589",
publisher = "Publ by IEEE",

}

Automatic feature learning for predicting vulnerable software components. / Dam, Hoa Khanh; Tran, Truyen; Pham, Trang Thi Minh; Ng, Shien Wee; Grundy, John; Ghose, Aditya.

In: IEEE Transactions on Software Engineering, 2019.

Research output: Contribution to journalArticleResearchpeer-review

TY - JOUR

T1 - Automatic feature learning for predicting vulnerable software components

AU - Dam, Hoa Khanh

AU - Tran, Truyen

AU - Pham, Trang Thi Minh

AU - Ng, Shien Wee

AU - Grundy, John

AU - Ghose, Aditya

PY - 2019

Y1 - 2019

N2 - Code flaws or vulnerabilities are prevalent in software systems and can potentially cause a variety of problems including deadlock, hacking, information loss and system failure. A variety of approaches have been developed to try and detect the most likely locations of such code vulnerabilities in large code bases. Most of them rely on manually designing code features (e.g. complexity metrics or frequencies of code tokens) that represent the characteristics of the potentially problematic code to locate. However, all suffer from challenges in sufficiently capturing both semantic and syntactic representation of source code, an important capability for building accurate prediction models. In this paper, we describe a new approach, built upon the powerful deep learning Long Short Term Memory model, to automatically learn both semantic and syntactic features of code. Our evaluation on 18 Android applications and the Firefox application demonstrates that the prediction power obtained from our learned features is better than what is achieved by state of the art vulnerability prediction models, for both within-project prediction and cross-project prediction.

AB - Code flaws or vulnerabilities are prevalent in software systems and can potentially cause a variety of problems including deadlock, hacking, information loss and system failure. A variety of approaches have been developed to try and detect the most likely locations of such code vulnerabilities in large code bases. Most of them rely on manually designing code features (e.g. complexity metrics or frequencies of code tokens) that represent the characteristics of the potentially problematic code to locate. However, all suffer from challenges in sufficiently capturing both semantic and syntactic representation of source code, an important capability for building accurate prediction models. In this paper, we describe a new approach, built upon the powerful deep learning Long Short Term Memory model, to automatically learn both semantic and syntactic features of code. Our evaluation on 18 Android applications and the Firefox application demonstrates that the prediction power obtained from our learned features is better than what is achieved by state of the art vulnerability prediction models, for both within-project prediction and cross-project prediction.

KW - Empirical software engineering

KW - Feature extraction

KW - Mining software engineering repositories

KW - Predictive models

KW - Security

KW - Semantics

KW - Software systems

KW - Software vulnerability prediction

KW - System recovery

UR - http://www.scopus.com/inward/record.url?scp=85056740888&partnerID=8YFLogxK

U2 - 10.1109/TSE.2018.2881961

DO - 10.1109/TSE.2018.2881961

M3 - Article

JO - IEEE Transactions on Software Engineering

JF - IEEE Transactions on Software Engineering

SN - 0098-5589

ER -