Information-theoretic source code vulnerability highlighting

Van Nguyen; Trung Le; Olivier De Vel; Paul Montague; John Grundy; Dinh Phung

doi:10.1109/IJCNN52387.2021.9533907

Information-theoretic source code vulnerability highlighting

Van Nguyen, Trung Le, Olivier De Vel, Paul Montague, John Grundy, Dinh Phung

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

20 Citations (Scopus)

Abstract

Software vulnerabilities are a crucial and serious concern in the software industry and computer security. A variety of methods have been proposed to detect vulnerabilities in real-world software. Recent methods based on deep learning approaches for automatic feature extraction have improved software vulnerability identification compared with machine learning approaches based on hand-crafted feature extraction. However, these methods can usually only detect software vulnerabilities at a function or program level, which is much less informative because, out of hundreds (thousands) of code statements in a program or function, only a few core statements contribute to a software vulnerability. This requires us to find a way to detect software vulnerabilities at a fine-grained level. In this paper, we propose a novel method based on the concept of mutual information that can help us to detect and isolate software vulnerabilities at a fine-grained level (i.e., several statements that are highly relevant to a software vulnerability that include the core vulnerable statements) in both unsupervised and semi-supervised contexts. We conduct comprehensive experiments on real-world software projects to demonstrate that our proposed method can detect vulnerabilities at a fine-grained level by identifying several statements that mostly contribute to the vulnerability detection decision.

Original language	English
Title of host publication	2021 International Joint Conference on Neural Networks (IJCNN 2021)
Editors	Zeng-Guang Hou
Place of Publication	Piscataway NJ USA
Publisher	IEEE, Institute of Electrical and Electronics Engineers
Pages	4823-4830
Number of pages	8
ISBN (Electronic)	9780738133669, 9781665439008
ISBN (Print)	9781665445979
DOIs	https://doi.org/10.1109/IJCNN52387.2021.9533907
Publication status	Published - 2021
Event	IEEE International Joint Conference on Neural Networks 2021 - Online, Shenzhen, China Duration: 18 Jul 2021 → 22 Jul 2021 https://ieeexplore.ieee.org/xpl/conhome/9533266/proceeding (Proceedings)

Publication series

Name	Proceedings of the International Joint Conference on Neural Networks
Publisher	IEEE, Institute of Electrical and Electronics Engineers
Volume	2021-July

Conference

Conference	IEEE International Joint Conference on Neural Networks 2021
Abbreviated title	IJCNN 2021
Country/Territory	China
City	Shenzhen
Period	18/07/21 → 22/07/21
Internet address	https://ieeexplore.ieee.org/xpl/conhome/9533266/proceeding (Proceedings)

Access to Document

10.1109/IJCNN52387.2021.9533907

Cite this

Nguyen, V., Le, T., De Vel, O., Montague, P., Grundy, J., & Phung, D. (2021). Information-theoretic source code vulnerability highlighting. In Z.-G. Hou (Ed.), 2021 International Joint Conference on Neural Networks (IJCNN 2021) (pp. 4823-4830). (Proceedings of the International Joint Conference on Neural Networks; Vol. 2021-July). IEEE, Institute of Electrical and Electronics Engineers. https://doi.org/10.1109/IJCNN52387.2021.9533907

Nguyen, Van ; Le, Trung ; De Vel, Olivier et al. / Information-theoretic source code vulnerability highlighting. 2021 International Joint Conference on Neural Networks (IJCNN 2021). editor / Zeng-Guang Hou. Piscataway NJ USA : IEEE, Institute of Electrical and Electronics Engineers, 2021. pp. 4823-4830 (Proceedings of the International Joint Conference on Neural Networks).

@inproceedings{ff564715a78d4f5fa768640c5b23aba0,

title = "Information-theoretic source code vulnerability highlighting",

abstract = "Software vulnerabilities are a crucial and serious concern in the software industry and computer security. A variety of methods have been proposed to detect vulnerabilities in real-world software. Recent methods based on deep learning approaches for automatic feature extraction have improved software vulnerability identification compared with machine learning approaches based on hand-crafted feature extraction. However, these methods can usually only detect software vulnerabilities at a function or program level, which is much less informative because, out of hundreds (thousands) of code statements in a program or function, only a few core statements contribute to a software vulnerability. This requires us to find a way to detect software vulnerabilities at a fine-grained level. In this paper, we propose a novel method based on the concept of mutual information that can help us to detect and isolate software vulnerabilities at a fine-grained level (i.e., several statements that are highly relevant to a software vulnerability that include the core vulnerable statements) in both unsupervised and semi-supervised contexts. We conduct comprehensive experiments on real-world software projects to demonstrate that our proposed method can detect vulnerabilities at a fine-grained level by identifying several statements that mostly contribute to the vulnerability detection decision.",

author = "Van Nguyen and Trung Le and {De Vel}, Olivier and Paul Montague and John Grundy and Dinh Phung",

note = "Funding Information: Acknowledgement: This research was supported under the Defence Science and Technology Group{\textquoteright}s Next Generation Technologies Program. Publisher Copyright: {\textcopyright} 2021 IEEE. Copyright: Copyright 2021 Elsevier B.V., All rights reserved.; IEEE International Joint Conference on Neural Networks 2021, IJCNN 2021 ; Conference date: 18-07-2021 Through 22-07-2021",

year = "2021",

doi = "10.1109/IJCNN52387.2021.9533907",

language = "English",

isbn = "9781665445979",

series = "Proceedings of the International Joint Conference on Neural Networks",

publisher = "IEEE, Institute of Electrical and Electronics Engineers",

pages = "4823--4830",

editor = "Zeng-Guang Hou",

booktitle = "2021 International Joint Conference on Neural Networks (IJCNN 2021)",

address = "United States of America",

url = "https://ieeexplore.ieee.org/xpl/conhome/9533266/proceeding",

}

Nguyen, V , Le, T, De Vel, O, Montague, P, Grundy, J & Phung, D 2021, Information-theoretic source code vulnerability highlighting. in Z-G Hou (ed.), 2021 International Joint Conference on Neural Networks (IJCNN 2021). Proceedings of the International Joint Conference on Neural Networks, vol. 2021-July, IEEE, Institute of Electrical and Electronics Engineers, Piscataway NJ USA, pp. 4823-4830, IEEE International Joint Conference on Neural Networks 2021, Shenzhen, China, 18/07/21. https://doi.org/10.1109/IJCNN52387.2021.9533907

Information-theoretic source code vulnerability highlighting. / Nguyen, Van ; Le, Trung; De Vel, Olivier et al.
2021 International Joint Conference on Neural Networks (IJCNN 2021). ed. / Zeng-Guang Hou. Piscataway NJ USA: IEEE, Institute of Electrical and Electronics Engineers, 2021. p. 4823-4830 (Proceedings of the International Joint Conference on Neural Networks; Vol. 2021-July).

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

TY - GEN

T1 - Information-theoretic source code vulnerability highlighting

AU - Nguyen, Van

AU - Le, Trung

AU - De Vel, Olivier

AU - Montague, Paul

AU - Grundy, John

AU - Phung, Dinh

N1 - Funding Information: Acknowledgement: This research was supported under the Defence Science and Technology Group’s Next Generation Technologies Program. Publisher Copyright: © 2021 IEEE. Copyright: Copyright 2021 Elsevier B.V., All rights reserved.

PY - 2021

Y1 - 2021

N2 - Software vulnerabilities are a crucial and serious concern in the software industry and computer security. A variety of methods have been proposed to detect vulnerabilities in real-world software. Recent methods based on deep learning approaches for automatic feature extraction have improved software vulnerability identification compared with machine learning approaches based on hand-crafted feature extraction. However, these methods can usually only detect software vulnerabilities at a function or program level, which is much less informative because, out of hundreds (thousands) of code statements in a program or function, only a few core statements contribute to a software vulnerability. This requires us to find a way to detect software vulnerabilities at a fine-grained level. In this paper, we propose a novel method based on the concept of mutual information that can help us to detect and isolate software vulnerabilities at a fine-grained level (i.e., several statements that are highly relevant to a software vulnerability that include the core vulnerable statements) in both unsupervised and semi-supervised contexts. We conduct comprehensive experiments on real-world software projects to demonstrate that our proposed method can detect vulnerabilities at a fine-grained level by identifying several statements that mostly contribute to the vulnerability detection decision.

AB - Software vulnerabilities are a crucial and serious concern in the software industry and computer security. A variety of methods have been proposed to detect vulnerabilities in real-world software. Recent methods based on deep learning approaches for automatic feature extraction have improved software vulnerability identification compared with machine learning approaches based on hand-crafted feature extraction. However, these methods can usually only detect software vulnerabilities at a function or program level, which is much less informative because, out of hundreds (thousands) of code statements in a program or function, only a few core statements contribute to a software vulnerability. This requires us to find a way to detect software vulnerabilities at a fine-grained level. In this paper, we propose a novel method based on the concept of mutual information that can help us to detect and isolate software vulnerabilities at a fine-grained level (i.e., several statements that are highly relevant to a software vulnerability that include the core vulnerable statements) in both unsupervised and semi-supervised contexts. We conduct comprehensive experiments on real-world software projects to demonstrate that our proposed method can detect vulnerabilities at a fine-grained level by identifying several statements that mostly contribute to the vulnerability detection decision.

UR - http://www.scopus.com/inward/record.url?scp=85116483111&partnerID=8YFLogxK

U2 - 10.1109/IJCNN52387.2021.9533907

DO - 10.1109/IJCNN52387.2021.9533907

M3 - Conference Paper

AN - SCOPUS:85116483111

SN - 9781665445979

T3 - Proceedings of the International Joint Conference on Neural Networks

SP - 4823

EP - 4830

BT - 2021 International Joint Conference on Neural Networks (IJCNN 2021)

A2 - Hou, Zeng-Guang

PB - IEEE, Institute of Electrical and Electronics Engineers

CY - Piscataway NJ USA

T2 - IEEE International Joint Conference on Neural Networks 2021

Y2 - 18 July 2021 through 22 July 2021

ER -

Nguyen V , Le T, De Vel O, Montague P, Grundy J , Phung D. Information-theoretic source code vulnerability highlighting. In Hou ZG, editor, 2021 International Joint Conference on Neural Networks (IJCNN 2021). Piscataway NJ USA: IEEE, Institute of Electrical and Electronics Engineers. 2021. p. 4823-4830. (Proceedings of the International Joint Conference on Neural Networks). doi: 10.1109/IJCNN52387.2021.9533907

Information-theoretic source code vulnerability highlighting

Abstract

Publication series

Conference

Access to Document

Other files and links

Cite this