Thousands of vulnerabilities are discovered in programs every day, which is extremely harmful to software security. Thus, discovering vulnerabilities in projects has become a central issue. Facing sustained growth in software complexity and code size, manual code auditing has become time-consuming and labor-intensive. With more open source programs available and a high degree of code formalization, it is possible to study features of source code to guide vulnerability discovery work. In this paper, we present a lightweight-assisted vulnerability discovery method using a deep neural network (LAVDNN) to detect weaknesses and to provide guidance for manual auditing. The proposed method leverages function names as semantic features to uncover weak functions in large-scale open source programs. First, we extract function names and classify them into weak and benign datasets. Then, we construct deep neural networks and compare the performance of different models. According to the experimental results, our method performs well for both C/C++ and Python programs, with the F2-score reaching 0.91 and 0.915, respectively. Finally, we evaluate the method by comparing it with other approaches on the libraries FFmpeg 0.6 and LibTIFF 4.0.6. The results show that LAVDNN can narrow the range of functions to be analyzed and report more weak functions without any prior vulnerability information. As a lightweight-assisted tool, LAVDNN significantly reduces the false positive rate and rarely misses weak functions.
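The first step of the method described above, extracting function names from source and turning them into features a neural network can consume, as an added illustration that is not code from the paper. The regex-based extraction, the snake_case/camelCase word splitting and the fixed-length character encoding are this example's own choices; the abstract does not specify how the authors tokenize or encode names, and the C snippet is constructed sample input.

```python
import re
from typing import Dict, List, Tuple

# Constructed C snippet standing in for a file from a large open-source project;
# it is sample input for this demo, not code from the paper or from FFmpeg/LibTIFF.
SAMPLE_C = """
static int parse_header(const uint8_t *buf, size_t len) { return 0; }
void copy_user_input(char *dst, const char *src) { strcpy(dst, src); }
int main(int argc, char **argv) { return 0; }
static inline uint32_t readUInt32LE(const uint8_t *p) { return 0; }
"""

# Matches "<qualifiers> <type> name(params) {" at a definition site. A deliberately
# simple pattern for the demo; a real pipeline would use a proper C parser.
FUNC_DEF_RE = re.compile(
    r"^[ \t]*(?:(?:static|inline|extern|const|unsigned)\s+)*"
    r"[A-Za-z_]\w*(?:\s*\*+)?\s+\**([A-Za-z_]\w*)\s*\([^;)]*\)\s*\{",
    re.MULTILINE,
)

# Splits snake_case and camelCase identifiers into lowercase word tokens.
WORD_RE = re.compile(r"[A-Z]+(?![a-z])|[A-Z]?[a-z]+|\d+")

# Character vocabulary for a fixed-length encoding; index 0 is reserved for padding.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789_"
CHAR_INDEX: Dict[str, int] = {c: i + 1 for i, c in enumerate(ALPHABET)}
MAX_LEN = 32

def extract_function_names(source: str) -> List[str]:
    """Return the names of functions defined in a C source string."""
    return FUNC_DEF_RE.findall(source)

def split_identifier(name: str) -> List[str]:
    """Break a name into word tokens, e.g. readUInt32LE -> read, u, int, 32, le."""
    return [w.lower() for w in WORD_RE.findall(name.replace("_", " "))]

def encode_name(name: str, max_len: int = MAX_LEN) -> List[int]:
    """Map a name to a fixed-length integer sequence; unknown chars map to 0 (padding)."""
    codes = [CHAR_INDEX.get(c, 0) for c in name.lower()[:max_len]]
    return codes + [0] * (max_len - len(codes))

def build_dataset(source: str) -> List[Tuple[str, List[str], List[int]]]:
    """Produce (name, word tokens, char codes) triples ready for labelling and training."""
    return [(n, split_identifier(n), encode_name(n)) for n in extract_function_names(source)]

if __name__ == "__main__":
    for name, words, codes in build_dataset(SAMPLE_C):
        print(f"{name:20s} {words} {codes[:12]}...")
```

The weak/benign labels that the abstract describes would be attached to these triples before the model is trained; the encoded sequences are the per-name input vectors.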
Li, R., Feng, C., Zhang, X., & Tang, C. (2019). A Lightweight Assisted Vulnerability Discovery Method Using Deep Neural Networks. IEEE Access, 7, 80079–80092. https://doi.org/10.1109/ACCESS.2019.2923227