In this paper, we design a technique for mapping the source code into a vector space and we show its application in the recognition of security weaknesses.By applying ideas commonly used in Natural Language Processing, we train a model for producing an embedding of programs starting from their Abstract Syntax Trees. We then show how such embedding is able to infer clusters roughly separating different classes of software weaknesses.Even if the training of the embedding is unsupervised and made on a generic Java dataset, we show that the model can be used for supervised learning of specific classes of vulnerabilities, helping to capture some features distinguishing them in code.Finally, we discuss how our model performs over the different types of vulnerabilities categorized by the CWE initiative.
Saletta, M., Ferretti, C. (2020). A Neural Embedding for Source Code: Security Analysis and CWE Lists. In Proceedings - IEEE 18th International Conference on Dependable, Autonomic and Secure Computing, IEEE 18th International Conference on Pervasive Intelligence and Computing, IEEE 6th International Conference on Cloud and Big Data Computing and IEEE 5th Cyber Science and Technology Congress, DASC/PiCom/CBDCom/CyberSciTech 2020 (pp.523-530). Institute of Electrical and Electronics Engineers Inc. [10.1109/DASC-PICom-CBDCom-CyberSciTech49142.2020.00095].
A Neural Embedding for Source Code: Security Analysis and CWE Lists
Saletta, M;Ferretti, C
2020
Abstract
In this paper, we design a technique for mapping the source code into a vector space and we show its application in the recognition of security weaknesses.By applying ideas commonly used in Natural Language Processing, we train a model for producing an embedding of programs starting from their Abstract Syntax Trees. We then show how such embedding is able to infer clusters roughly separating different classes of software weaknesses.Even if the training of the embedding is unsupervised and made on a generic Java dataset, we show that the model can be used for supervised learning of specific classes of vulnerabilities, helping to capture some features distinguishing them in code.Finally, we discuss how our model performs over the different types of vulnerabilities categorized by the CWE initiative.
I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.
