AutoVAS: An automated vulnerability analysis system with a deep learning approach

Abstract

Owing to the advances in automated hacking and analysis technologies in recent years, numerous software security vulnerabilities have been announced. Software vulnerabilities are increasing rapidly, whereas methods to analyze and cope with them depend on manual analyses, which result in a slow response. In recent years, studies concerning the prediction of vulnerabilities or the detection of patterns of previous vulnerabilities have been conducted by applying deep learning algorithms in an automated vulnerability search based on source code. However, existing methods target only certain security vulnerabilities or make limited use of source code to compile information. Few studies have been conducted on methods that represent source code as an embedding vector. Thus, this study proposes a deep learning-based automated vulnerability analysis system (AutoVAS) that effectively represents source code as embedding vectors by using datasets from various projects in the National Vulnerability Database (NVD) and Software Assurance Reference Database (SARD). To evaluate AutoVAS, we present and share a dataset for deep learning models. Experimental results show that AutoVAS achieves a false negative rate (FNR) of 3.62%, a false positive rate (FPR) of 1.88%, and an F1-score of 96.11%, which represent lower FNR and FPR values than those achieved by other approaches. We further apply AutoVAS to nine open-source projects and detect eleven vulnerabilities, most of which are missed by the other approaches we experimented with. Notably, we discovered three zero-day vulnerabilities, two of which were patched after being informed by AutoVAS. The other vulnerability received the Common Vulnerabilities and Exposures (CVE) ID after being detected by AutoVAS.