Commit-Level, Neural Vulnerability Detection and Assessment
Document Type: Conference Proceeding
Publication Date: 11-30-2023
Abstract
Software Vulnerabilities (SVs) are security flaws that are exploitable in cyber-attacks. Delays in detecting and assessing SVs can have serious consequences, because their impact on the attacked systems is unknown. State-of-the-art approaches have been proposed that work directly on committed code changes for early detection. However, none of them provides both commit-level vulnerability detection and assessment at once. Moreover, the assessment approaches still suffer from low accuracy due to limited representations of the code changes and their surrounding contexts. We propose a Context-aware, Graph-based, Commit-level Vulnerability Detection and Assessment Model, VDA, that evaluates a code change, detects any vulnerability, and provides the CVSS assessment grades. VDA is built on two key novel components. First, we design a context-aware, graph-based representation learning model that learns contextualized embeddings for code changes, integrating program dependencies and the surrounding contexts of the changes, to support automated vulnerability detection and assessment. Second, VDA accounts for the mutual influence between learning to detect a vulnerability and learning to assess each vulnerability assessment type: it uses multi-task learning across the vulnerability detection and vulnerability assessment tasks, improving all of them at the same time. Our empirical evaluation shows that, on a C vulnerability dataset, VDA's vulnerability assessment results are 25.5% and 26.9% higher, relative to the baselines, in F-score and MCC, respectively. On a Java dataset, they are 31% and 33.3% higher than the baselines in F-score and MCC, respectively. VDA also improves vulnerability detection over the baselines by 13.4% to 322% in F-score, relatively.
Identifier: 85180548960 (Scopus)
ISBN: 9798400703270
Publication Title: ESEC/FSE 2023: Proceedings of the 31st ACM Joint Meeting European Software Engineering Conference and Symposium on the Foundations of Software Engineering
External Full Text Location: https://doi.org/10.1145/3611643.3616346
First Page: 1024
Last Page: 1036
Grant: CNS-2120386
Fund Ref: National Science Foundation
Recommended Citation: Li, Yi; Yadavally, Aashish; Zhang, Jiaxing; Wang, Shaohua; and Nguyen, Tien N., "Commit-Level, Neural Vulnerability Detection and Assessment" (2023). Faculty Publications. 1309. https://digitalcommons.njit.edu/fac_pubs/1309