VulDeBERT: A Vulnerability Detection System Using BERT

Kim, Soolin; Choi, Jusop; Ahmed, Muhammad Ejaz; Nepal, Surya; Kim, Hyoungshick

doi:10.1109/issrew55968.2022.00042

Cited by 22 publications

(12 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This approach is evaluated on binary and multi-class vulnerability detection tasks using different datasets (such as VulDeePecker, Draper, and REVEAL). VulDeBERT [25], is another DL-based vulnerability detection system for C and C++ source code based on BERT model. They created their own code gadget generation method to detect the vulnerabilities related to system function calls.…”

Section: ) Vulnerable Code Pattern Identification Techniquesmentioning

confidence: 99%

“…• We start by generating an AST for source code representation, then applying BERT tokenizer for code tokenization. [11], [23], [24], and [25] on the Software Assurance Reference Database (SARD) [26] dataset in terms of precision, recall, and F1-score, with 0.0% FNR which is the lowest amongst the rates reported in the literature. The paper is organized as follows: Section II presents the relevant background and the most related works.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

DB-CBIL: A DistilBert-Based Transformer Hybrid Model Using CNN and BiLSTM for Software Vulnerability Detection

Bahaa,

Kamal,

Fahmy

et al. 2024

IEEE Access

View full text Add to dashboard Cite

Software vulnerabilities are among the significant causes of security breaches. Vulnerabilities can severely compromise software security if exploited by malicious attacks and may result in catastrophic losses. Hence, Automatic vulnerability detection methods promise to mitigate attack risks and safeguard software security. This paper introduces a novel model for automatic vulnerability detection of source code vulnerabilities dubbed DB-CBIL using a hybrid deep learning model based on Distilled Bidirectional Encoder Representations from Transformers (DistilBERT). The proposed model considers contextualized word embeddings using the language model for the syntax and semantics of source code functions based on the Abstract Syntax Tree (AST) representation. The model includes two main phases. First, using a vulnerable code dataset, the pre-trained DistilBert transformer is fine-tuned for word embedding. Second, a hybrid deep learning model detects which code functions are vulnerable. The hybrid model is built on two Deep Neural Networks (DNN). The first model is the Convolutional Neural Network (CNN), which is used for extracting features. The second model is Bidirectional-LSTM (BiLSTM), which has been used to maintain the sequential order of the data as it can handle lengthy token sequences. The utilized source code dataset is derived from the Software Assurance Reference Database (SARD) benchmark dataset. Final experimental findings show that the proposed model outperforms the state-of-the-art approaches' performance by improving precision, recall, F1-score, and False Negative Rate (FNR) by 2.41%-8.95%, 4.0%-16.28%, 1.85%-12.74%, and 18% respectively. The proposed model reports the lowest FNR in the literature, a significant achievement given the cost-based nature of vulnerability detectors.

show abstract

Section: ) Vulnerable Code Pattern Identification Techniquesmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

DB-CBIL: A DistilBert-Based Transformer Hybrid Model Using CNN and BiLSTM for Software Vulnerability Detection

Bahaa,

Kamal,

Fahmy

et al. 2024

IEEE Access

View full text Add to dashboard Cite

show abstract

“…Various approaches have been explored, with many studies leveraging machine learning techniques. Static analysis methods, which extract key features from code for input into machine learning models, have been a focal point of some studies (Kim et al, 2022;Li et al, 2016. In contrast, others have utilized dynamic analysis, where the code is executed, and its behavior monitored to identify vulnerabilities (Alharbi, Hijji & Aljaedi, 2021;Salimi & Kharrazi, 2022).…”

Section: Related Workmentioning

confidence: 99%

Codeguard: Utilizing Advanced Pattern Recognition in Language Models for Software Vulnerability Analysis

Jones,

Omar

2024

Land Forces Academy Review

View full text Add to dashboard Cite

Enhancing software quality and security hinges on the effective identification of vulnerabilities in source code. This paper presents a novel approach that combines pattern recognition training with cloze-style examination techniques in a semi-supervised learning framework. Our methodology involves training a language model using the SARD and Devign datasets, which contain numerous examples of vulnerable code. During training, specific code sections are deliberately obscured, challenging the model to predict the hidden tokens. Through rigorous empirical testing, we demonstrate the effectiveness of our approach in accurately identifying code vulnerabilities. Our results highlight the significant advantages of employing pattern recognition training alongside cloze-style questioning, leading to improved accuracy in detecting vulnerabilities in source code.

show abstract

“…VulDeeLocator [23] attempts to increase the accuracy of vulnerability analysis by eliminating false alarms using deep learning based on source code analysis. VulDeBERT [24] applied the BERT model to vulnerability logs collected from the static analysis tools to eliminate false positives and enhance the accuracy of vulnerability analysis.…”

Section: Related Studiesmentioning

confidence: 99%

“…VulDeBERT [24] converts information related to variable and function calls from a program's source code into code gadgets. Ambiguous code gadgets that might be misclassified as vulnerabilities are removed.…”

Section: Runtime Error Types and Datasetmentioning

confidence: 99%

Reduction of False Positives for Runtime Errors in C/C++ Software: A Comparative Study

Park,

Shin,

Choi

2023

Electronics

View full text Add to dashboard Cite

In software development, early defect detection using static analysis can be performed without executing the source code. However, defects are detected on a non-execution basis, thus resulting in a higher ratio of false positives. Recently, studies have been conducted to effectively perform static analyses using machine learning (ML) and deep learning (DL) technologies. This study examines the techniques for detecting runtime errors used in existing static analysis tools and the causes and rates of false positives. It analyzes the latest static analysis technologies that apply machine learning/deep learning to decrease false positives and compares them with existing technologies in terms of effectiveness and performance. In addition, machine-learning/deep-learning-based defect detection techniques were implemented in experimental environments and real-world software to determine their effectiveness in real-world software.

show abstract

VulDeBERT: A Vulnerability Detection System Using BERT

Cited by 22 publications

References 12 publications

DB-CBIL: A DistilBert-Based Transformer Hybrid Model Using CNN and BiLSTM for Software Vulnerability Detection

DB-CBIL: A DistilBert-Based Transformer Hybrid Model Using CNN and BiLSTM for Software Vulnerability Detection

Codeguard: Utilizing Advanced Pattern Recognition in Language Models for Software Vulnerability Analysis

Reduction of False Positives for Runtime Errors in C/C++ Software: A Comparative Study

Contact Info

Product

Resources

About