http://dx.doi.org/10.13089/JKIISC.2020.30.4.735

Application of Machine Learning Techniques for the Classification of Source Code Vulnerability  

Lee, Won-Kyung (Sungshin University)
Lee, Min-Ju (Sungshin University)
Seo, DongSu (Sungshin University)
Abstract
Secure coding is a practice for detecting malicious attacks or unexpected errors so that software systems remain resilient under such circumstances. In many cases, secure coding relies on static analysis tools to find vulnerable patterns and contaminated data in advance. However, secure coding has the disadvantage of being dependent on rule sets, and accurate diagnosis becomes difficult as the complexity of static analysis tools increases. To support secure coding, we apply machine learning techniques such as DNN, CNN and RNN to the detection of the major weakness patterns listed in secure development coding guides, and we present the resulting machine learning models and experimental results. We believe that machine learning techniques can support the detection of security weaknesses alongside static analysis techniques.
Keywords
Secure Coding; Static Analysis; Machine Learning;