Skip to main content
SpringerLink
Log in

BERT-Based Vulnerability Type Identification with Effective Program Representation

  • Conference paper
  • First Online:
Wireless Algorithms, Systems, and Applications (WASA 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13471))

Abstract

Detecting vulnerabilities is essential to maintaining software security. At present, vulnerability detection based on deep learning has achieved remarkable results. The type of vulnerability could tell the vulnerability principles and help the programmer quickly pinpoint the precise location of vulnerabilities. Moreover, the type of vulnerability is very valuable for remediating it. Therefore, it is essential to identify vulnerability types. This paper proposes a new vulnerability type identification framework based on deep learning. The framework is based on syntax and semantics, and the detection granularity is fine to the slice level. To include comprehensive vulnerability types, we use four slicing methods to represent the program. In addition, we model four kinds of code slice features based on BERT. For evaluation, we used 64 three-level CWE-IDs vulnerability types in National Vulnerability Database (NVD) and Software Assurance Reference Dataset (SARD) for vulnerability type identification. The experimental results show that it has significant performance in vulnerability type identification.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Lin, G., Wen, S., Han, Q.L., Zhang, J., Xiang, Y.: Software vulnerability detection using deep neural networks: a survey. In: Proceedings of the IEEE, vol. 99, pp. 1–24 (2020)

    Google Scholar 

  2. Ghaffarian, S.M., Shahriari, H.R.: Software vulnerability analysis and discovery using machine-learning and data-mining techniques. ACM Comput. Surv. (CSUR) 50(4), 1–36 (2017)

    Article  Google Scholar 

  3. Yamaguchi, F., Wressnegger, C., Gascon, H., Rieck, K.: Chucky: exposing missing checks in source code for vulnerability discovery. In: ACM Conference on Computer and Communications Security (2013)

    Google Scholar 

  4. Grieco, G., Grinblat, G.L., Uzal, L., Rawat, S., Feist, J., Mounier, L.: Toward large-scale vulnerability discovery using machine learning. In: ACM (2016)

    Google Scholar 

  5. Zhen, L., Zou, D., Xu, S., Ou, X., Zhong, Y.: Vuldeepecker: a deep learning-based system for vulnerability detection. In: Network and Distributed System Security Symposium (2018)

    Google Scholar 

  6. Zou, D., Wang, S., Xu, S., Li, Z., Jin, H.: \(\mu \)VulDeePecker: a deep learning-based system for multiclass vulnerability detection. arXiv e-prints (2020)

    Google Scholar 

  7. Lin, G., Zhang, J., Wei, J., Lei, L., Yang, P., Xiang, Y.: Cross-project transfer representation learning for vulnerable function discovery. IEEE Trans. Indust. Inform. 14, 3289–3297 (2018)

    Article  Google Scholar 

  8. Liu, S., et al.: CD-VULD: Cross-domain vulnerability discovery based on deep domain adaptation. IEEE Trans. Depend. Sec. Comput. vol. 99, p. 1 (2020)

    Google Scholar 

  9. Li, Z., Zou, D., Xu, S., Jin, H., Chen, Z.: SySeVR: a framework for using deep learning to detect software vulnerabilities. IEEE Trans. Depend. Sec. Comput. 99, 1 (2021)

    Google Scholar 

  10. Schuster, M., Nakajima, K.: Japanese and Korean voice search. In: 2012 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP) (2012)

    Google Scholar 

  11. Yamaguchi, F., Golde, N., Arp, D., Rieck, K.: Modeling and discovering vulnerabilities with code property graphs. In: IEEE Symposium on Security and Privacy (2014)

    Google Scholar 

  12. Devlin, J., Chang, M.W., Lee, K., Toutanova, K.: BERT: pre-training of deep bidirectional transformers for language understanding (2018)

    Google Scholar 

  13. Li, X., Gao, W., Feng, S., Zhang, Y., Wang, D.: Boundary detection with BERT for span-level emotion cause analysis. In: Findings of the Association for Computational Linguistics: ACL-IJCNLP 2021 (2021)

    Google Scholar 

  14. Padmanabhuni, B.M., Tan, H.: Buffer overflow vulnerability prediction from \(\times \)86 executables using static analysis and machine learning. In: Computer Software and Applications Conference 2015, pp. 450–459 (2015)

    Google Scholar 

  15. Li, Z., et al.: VulDeePecker: a deep learning-based system for vulnerability detection. arXiv preprint arXiv:1801.01681 (2018)

Download references

Acknowledgements

This work is partially supported by the National Natural Science Foundation of China (No. 62172407), and the Youth Innovation Promotion Association CAS.

Author information

Authors and Affiliations

  1. Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China

    Chenguang Zhu, Gewangzi Du, Tongshuai Wu, Ningning Cui, Liwei Chen & Gang Shi

  2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China

    Chenguang Zhu, Gewangzi Du, Tongshuai Wu, Ningning Cui, Liwei Chen & Gang Shi

Authors
  1. Chenguang Zhu
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Gewangzi Du
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Tongshuai Wu
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Ningning Cui
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Liwei Chen
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Gang Shi
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Liwei Chen .

Editor information

Editors and Affiliations

  1. Dalian University of Technology, Dalian, China

    Lei Wang

  2. Ben-Gurion University of the Negev, Beer-Sheva, Israel

    Michael Segal

  3. Chang Gung University, Taiwan, China

    Jenhui Chen

  4. Tianjin University, Tianjin, China

    Tie Qiu

Rights and permissions

Reprints and permissions

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Zhu, C., Du, G., Wu, T., Cui, N., Chen, L., Shi, G. (2022). BERT-Based Vulnerability Type Identification with Effective Program Representation. In: Wang, L., Segal, M., Chen, J., Qiu, T. (eds) Wireless Algorithms, Systems, and Applications. WASA 2022. Lecture Notes in Computer Science, vol 13471. Springer, Cham. https://doi.org/10.1007/978-3-031-19208-1_23

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-19208-1_23

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-19207-4

  • Online ISBN: 978-3-031-19208-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation