A deep learning‐based approach for software vulnerability detection using code metrics

Abstract

Vulnerabilities can have devastating effects on information security, affecting the economy, social stability, and national security. The idea of automatic vulnerability detection has always attracted researchers. From traditional manual vulnerability mining techniques to static and dynamic detection, all rely on human experts for feature definition. The rapid development of machine learning and deep learning has alleviated the tedious task of manually defining features by human experts while reducing the lack of objectivity caused by human subjective awareness. However, it is still necessary to find an objective characterisation method to define the features of vulnerabilities. Therefore, the authors use code metrics for code characterisation, sequences of metrics representing code. To use code metrics for vulnerability detection, a deep learning-based vulnerability detection approach that uses a composite neural network of convolutional neural network (CNN) with long short-term memory (LSTM) is proposed. The authors conduct experiments independently using the proposed approach for CNN-LSTM CNN, LSTM, gated recurrent units (GRU), and deep neural network (DNN). The authors’ experimental results show that CNN-LSTM has a high precision of 92%, a recall of 99%, and an accuracy of 91%. In terms of the F1-score, it is 95%, compared to previous research results, which indicated an improvement of 18%. Compared to other deep learning-based vulnerability detection models, the authors’ proposed model produced a lower false-positive rate, a lower miss rate, and improved accuracy.