$μ$VulDeePecker: A Deep Learning-Based System for Multiclass Vulnerability Detection (2001.02334v1)

Abstract: Fine-grained software vulnerability detection is an important and challenging problem. Ideally, a detection system (or detector) not only should be able to detect whether or not a program contains vulnerabilities, but also should be able to pinpoint the type of a vulnerability in question. Existing vulnerability detection methods based on deep learning can detect the presence of vulnerabilities (i.e., addressing the binary classification or detection problem), but cannot pinpoint types of vulnerabilities (i.e., incapable of addressing multiclass classification). In this paper, we propose the first deep learning-based system for multiclass vulnerability detection, dubbed $\mu$VulDeePecker. The key insight underlying $\mu$VulDeePecker is the concept of code attention, which can capture information that can help pinpoint types of vulnerabilities, even when the samples are small. For this purpose, we create a dataset from scratch and use it to evaluate the effectiveness of $\mu$VulDeePecker. Experimental results show that $\mu$VulDeePecker is effective for multiclass vulnerability detection and that accommodating control-dependence (other than data-dependence) can lead to higher detection capabilities.

Analysis of $\mu$VulDeePecker: A Multiclass Vulnerability Detection Framework

The paper presents $\mu$VulDeePecker, an advanced system designed to address the limitations of existing deep learning-based vulnerability detection methods. Unlike conventional approaches that primarily focus on binary classification—deciding whether a program segment is vulnerable or not—$\mu$VulDeePecker offers multiclass vulnerability detection, identifying specific types of vulnerabilities within code segments. This advancement is particularly beneficial for software developers and security analysts, as it reduces manual labor in pinpointing vulnerability specifics.

Key Innovations

$\mu$VulDeePecker is built upon several conceptual advancements:

1. Code Attention: This innovation captures localized information within code, such as arguments in function calls and control statements, which aids in recognizing specific vulnerabilities. It refines the notion of code gadget by emphasizing local features that are indicative of vulnerability types.
2. Comprehensive Data and Control Dependence: The system incorporates both data- and control-dependence relations in code gadgets to enhance detection capabilities. This approach results in capturing a more holistic view of the code's operational context, thus improving vulnerability detection accuracy.
3. Neural Network Architecture: The architecture employs Bidirectional Long-Short Time Memory (BLSTM) networks to extract both global and local features from code gadgets and attentions. The fusion of these features empowers the network to handle multiclass detection by providing a nuanced understanding of varied vulnerabilities.

Experimental Results

The authors conduct extensive empirical studies using a newly created dataset, Multiclass Vulnerability Dataset (MVD), comprising 40 vulnerability types from the third level of the CWE-ID tree:

• Improved Multiclass Detection: $\mu$VulDeePecker significantly outperforms a modified version of VulDeePecker, dubbed VulDeePecker+, across various metrics (e.g., M_FNR and M_F1). This improvement is largely attributed to code attention's ability to capture detailed semantics specific to vulnerability types.
• Contribution of Control-Dependence: Experiments demonstrate that including control-dependence substantially enhances detection capabilities, reducing false negatives and increasing detection precision.
• Real-World Application: When applied to real-world software products, $\mu$VulDeePecker successfully discovered vulnerabilities, including two previously unknown issues, highlighting its practical applicability.

Implications and Future Directions

The introduction of multiclass vulnerability detection marks significant progress in utilizing AI for cybersecurity:

• Practical Integration: Implementing such systems can notably improve vulnerability management workflows by providing detailed insights into vulnerability types, thereby expediting patching processes.
• Cross-Project Applications: Exploring cross-project vulnerability detection, as also suggested by related works, could facilitate broader adoption in diverse development environments.

Nevertheless, $\mu$VulDeePecker primarily targets C/C++ vulnerabilities related to library/API function calls, leaving room for expansion:

• Generalization: Future research should focus on adapting this framework to other programming languages and vulnerability types, ensuring broader applicability in modern software ecosystems.
• Granularity of Detection: Further innovations should aim at narrowing down vulnerability detection granularity to isolate specific statements within code gadgets, thus reducing false positives and enhancing result precision.

In conclusion, $\mu$VulDeePecker stands as a promising leap forward in AI-driven vulnerability detection, offering substantial enhancements in multiclass classification accuracy and practical effectiveness. Its architectural innovations and experimental validations pave the way for future advancements in software security automation.