Abstract
Software Vulnerability Detection(SVD) is a important means to ensure system security due to the ubiquity of software. Deep learning-based approaches achieve state-of-the-art performance in SVD but one of the most crucial issues is coping with the scarcity of labeled data in projects to be detected. One reliable solution is to employ transfer learning skills to leverage labeled data from other software projects. However, existing cross-project approaches only focused on detecting whether the function code is vulnerable or not. The requirement to identify vulnerability types is essential because it offers information to patch the vulnerabilities. Our aim in this paper is to propose the first system for cross-project multiclass vulnerability classification. We detect at the granularity of code snippet, which is finer-grained compare to function and effective to catch inter-procedure vulnerability patterns. After generating code snippets, we define several principles to extract snippet attentions and build a deep model to obtain the fused deep features; We then extend different domain adaptation approaches to reduce feature distributions of different projects. Experimental results indicate that our system outperforms other state-of-the-art systems.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
“CVE”. https://cve.mitre.org/
“NVD”. https://nvd.nist.gov/
“Checkmarx” (2019). https://www.checkmarx.com/
Xu, Z., Chen, B., Chandramohan, M., Liu, Y., Song, F.: Spain: security patch analysis for binaries towards understanding the pain and pills. In: IEEE/ACM 39th International Conference on Software, Engineering (ICSE), pp. 462–472, IEEE (2017)
Li, Y., et al.: Cerebro: context-aware adaptive fuzzing for effective vulnerability detection. In: Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 2019, pp. 533–544 (2019)
Chen, H., et al.: Hawkeye: towards a desired directed grey-box fuzzer. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pp. 2095–2108 (2018)
Li, Z., et al.: Vuldeepecker: a deep learning-based system for vulnerability detection. arXiv preprint arXiv:1801.01681 (2018)
Zou, D., Wang, S., Xu, S., Li, Z., Jin, H.: uvuldeepecker: a deep learning-based system for multiclass vulnerability detection. IEEE Transactions on Dependable and Secure Computing (2019)
Li, Z., Zou, D., Xu, S., Jin, H., Zhu, Y., Chen, Z.: Sysevr: a framework for using deep learning to detect software vulnerabilities. IEEE Trans. Dependable Secure Comput. 19(4), 2244–2258 (2021)
Duan, X., et al.: Vulsniper: focus your attention to shoot fine-grained vulnerabilities. In: Proceedings of the Twenty Eighth International Joint Conference on Artificial Intelligence, IJCAI-19, pp. 4665–4671 (2019)
Zhu, C., Du, G., Wu, T., Cui, N., Chen, L., Shi, G.: BERT-based vulnerability type identification with effective program representation. In: Wang, L., Segal, M., Chen, J., Qiu, T. (eds.) Wireless Algorithms, Systems, and Applications: 17th International Conference, WASA 2022, Dalian, China, November 24–26, 2022, Proceedings, Part I, pp. 271–282. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-19208-1_23
Lin, G., Zhang, J., Luo, W., Pan, L., Xiang, Y.: Poster: vulnerability discovery with function representation learning from unlabeled projects. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security (CCS), pp. 2539–2541. ACM (2017)
Lin, G., et al.: Software vulnerability discovery via learning multi-domain knowledge bases. IEEE Trans. Dependable Secure Comput. 18(5), 2469–2485 (2019)
Nguyen, V., Le, T., de Vel, O., Montague, P., Grundy, J., Phung, D.: Dual-component deep domain adaptation: a new approach for cross project software vulnerability detection. In: Lauw, H.W., Wong, R.C.-W., Ntoulas, A., Lim, E.-P., Ng, S.-K., Pan, S.J. (eds.) PAKDD 2020. LNCS (LNAI), vol. 12084, pp. 699–711. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-47426-3_54
Liu, S., et al.: CD-VulD: cross-domain vulnerability discovery based on deep domain adaptation. IEEE Trans. Dependable Secure Comput. 19(1), 438–451 (2022)
Donahue, J., et al.: Decaf: a deep convolutional activation feature for generic visual recognition. In: International Conference On Machine Learning, pp. 647–655 (2014)
Behera, A., Wharton, Z., Hewage, P.R., Bera, A.: Context-aware Attentional Pooling (CAP) for Fine-grained Visual Classification. In: Proceedings of the AAAI Conference on Artificial Intelligence, pp. 929–937 (2021)
“Joern”. https://joern.io/
“Common Weakness Enumeration”. https://cwe.mitre.org/
“Word2vec”. http://radimrehurek.com/gensim/models/word2vec.html
Sun, B., Feng, J., Saenko, K.: Return of frustratingly easy domain adaptation. In: AAAI, vol. 6, p. 8 (2016)
Xu, Y., et al.: A unified framework for metric transfer learning. IEEE Trans. Knowl. Data Eng. 29(6), 1158–1171 (2017)
Model evaluation metrics (2019). https://scikit-learn.org/stable/modules/modelevaluation.html#model-evaluation
Acknowledgment
This work is partially supported by the National Natural Science Foundation of China (No. 62172407), and the Youth Innovation Promotion Association CAS.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Du, G., Chen, L., Wu, T., Zhu, C., Shi, G. (2024). Identify Vulnerability Types: A Cross-Project Multiclass Vulnerability Classification System Based on Deep Domain Adaptation. In: Luo, B., Cheng, L., Wu, ZG., Li, H., Li, C. (eds) Neural Information Processing. ICONIP 2023. Lecture Notes in Computer Science, vol 14452. Springer, Singapore. https://doi.org/10.1007/978-981-99-8076-5_35
Download citation
DOI: https://doi.org/10.1007/978-981-99-8076-5_35
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-8075-8
Online ISBN: 978-981-99-8076-5
eBook Packages: Computer ScienceComputer Science (R0)