Abstract

Because software vulnerabilities threaten the security of users, new approaches to reducing them must be explored. The development of deep learning has opened up the era of automatic code vulnerability detection, freeing humans from laborious pattern definition and feature selection. However, existing deep-learning-based vulnerability detection schemes are still at an early stage. Most of them adopt token-level representation schemes, which lose the logical information above the token level and narrow the differences between pieces of code. They have always had low accuracy and a high false positive rate. In addition, most code vulnerability detection methods focus on C/C++, and little work can be found on Java. In light of this, we propose an intelligent sentence-level vulnerability self-detection framework (ISVSF), which considers the syntax characteristics of Java and adopts sentence-level method representation and pattern exploration. Experimental results demonstrate that ISVSF outperforms existing token-level vulnerability detection schemes in terms of accuracy, false positive rate, detection time, etc. In addition, fast and strong vulnerability feature extraction enables ISVSF to learn vulnerability-related features quickly and achieve high accuracy with few training samples, thereby effectively reducing the demand for training data.
