Log in
English

Vulnerabilities in Deep Learning

Deep Learning for vulnerability disclosure

solution Vulnerabilities in Deep Learning
default

Oscar Uribe

Currently, data scientists have begun using AI (Artificial Intelligence) algorithms to solve problems from the data perspective. Data scientists have been working on problems related to areas like medicine, data mining, robotics, etc.

Some researches have been exploring how Artificial Intelligence can be used in cybersecurity. For example, how we can use Artificial Intelligence for vulnerability detection inside source code.

Most vulnerabilities are a result of using bad practices at the time of programming. When these vulnerabilities are not detected in a timely manner, they can later be discovered and exploited by attackers. So, it is important to detect vulnerabilities in the early stages of a system’s development.

There are tools that can perform static analysis of the source code. These tools check the source code for problems without the need for compiling and executing it. There are also dynamic analysis tools that send information to the system inputs with presets or random values in order to check for failures or improper exceptions handling.

Initial Thoughts

In a Boston University article, the authors discuss the possibility of using Artificial Intelligence and algorithms for Deep and Machine Learning to automatically detect source code vulnerabilities. The idea stems from the fact that there is a large amount of open-source code available to be analyzed. After all, code is just text and it is possible to use data mining algorithms on source code to extract training data.

Static and dynamic code analyzers do not get the most out of source code. The algorithms that they use are based on preset rules that do not take into account small variations in the original rule. The result is that some vulnerabilities and failures may remain undiscovered.

The purpose of this exercise was to use data mining, and deep and machine learning techniques to automate a process frequently susceptible to human errors, which can then result in unnoticed vulnerabilities in applications or within operating systems. These unnoticed vulnerabilities may then be exploited by hackers.

Data

For data, they used C and C`` codes from different sources, such as SATE IV Juliet Test Suite, a code recompilation used for test cases that contains some known vulnerabilities, code from Debian distributions, and some GitHub public repositories.

Vulnerable code distribution.

Figure 1. Vulnerable code distribution [1].

Labeling

In labeling, a custom lexer was created to capture only the important information and label the rest as generic. The labels already provided by the test database were used. For the Debian and GitHub codes, they used dynamic analyzers in order to search outputs that later could be interpreted by security professionals as one of the known vulnerabilities from the Common Weakness Enumeration (CWE) list. Also in the GitHub repositories, they searched inside the commits, words like “buggy”, “error”, “fixed”, “broken”, and others, in order to classify each block of source code as vulnerable or non-vulnerable.

Get started with Fluid Attacks' Secure Code Review solution right now

Found vulnerabilities.

Figure 2. Statistics CWE vulnerabilities detected [1].

Feature Extraction

In the feature extraction step, two types of Neural Networks were tried, CNN (Convolutional Neural Network) and RNN (Recurrent Neural Network).

Despite the neural network working fine for the data extraction used by the model, classification was not the best. To solve that, after the Neural Networks feature extraction was made, they passed the output through a Random Forest classifier. They then obtained better results and avoided overfitting.

Convolutional Neural Model

Figure 3. Convolutional Neural Network Model and Random Forest [1].

Results

Vulnerability detection using Data mining, and Deep and Machine Learning added some advantages compared with lexical analyzers since they do not need to be compiled to work, and they can be adjusted to obtain the desired precision.

Static analyzers have a limited number of findings because of preset rules and the fact that they do not take into account the variations of the rules. Static analyzers only identify a small portion of the real vulnerabilities present in the source code.

Detections

Figure 4. Detection of vulnerabilities [1].

This algorithm can underline code blocks that might introduce a vulnerability. This allows suggestions that can be used to solve problems. It can also simply notify the person in charge to determine whether there is a vulnerability present or not.

Conclusions

Deep and Machine Learning techniques are used to problem-solve from a different perspective, the perspective of the data. The previous article illustrates several functions where using Artificial Intelligence in security is helping to automate functions previously done by humans. Using Artificial Intelligence allows humans to focus on the analysis of problems rather than their detection.

Before these tools can be widely used within the industry, they need some improvement. However, they demonstrate the potential this type of tool has during the process of vulnerability disclosure. It is also important to evaluate the possibility of integrating them into continuous software development via continuous integrations to detect vulnerabilities in early stages and avoid the spread of known security issues on latter versions of the system.

References

  1. Russell et al. (2018). Automated Vulnerability Detection in Source Code Using Deep Representation Learning.

  2. Saha (2018). A Comprehensive Guide to Convolutional Neural Networks — the ELI5 way.

  3. Venkatachalam (2019). Recurrent Neural Networks.

  4. Yiu (2019). Random Forest.

Share

Tags:

Subscribe to our blog

Sign up for Fluid Attacks’ weekly newsletter.

Recommended blog posts

You might be interested in the following related posts.

Photo by Rohit Tandon on Unsplash

Certified Ethical Hacker, Huh?

Description and critique of CEH certifications

Photo by charlesdeluvio on Unsplash

Why on Earth Apply Red Teaming?

Recognize the value of this security assessment method

Photo by Ludovic Toinel on Unsplash

Secure-by-Design and -Default

A roadmap for developing and releasing secure software

Photo by James Beheshti on Unsplash

What Is CSPM?

The basics of cloud security posture management

Photo by Luis Villasmil on Unsplash

Is That the Most Suitable Option?

Tips for choosing a vulnerability management solution

Photo by JC Gellidon on Unsplash

Vulnerability Remediation Process

Definition, implementation, importance and alternatives

Photo by Jason Krieger on Unsplash

National Cybersecurity Strategy

Keep tabs on this proposal from the Biden-Harris Admin

Photo by Tamas Kolossa on Unsplash

Secure Your Web Apps And Websites

Vulnerability scanning and pentesting for a safer web

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which hundreds of organizations are already enjoying.

Start your 21-day free trial

Service

Continuous Hacking

Platform overview

Solutions

Application security

Compliance

Systems

Testing Techniques

SAST

DAST

MPT

MAST

SCA

CSPM

ARM

PTaaS

RE

Plans

Machine

Squad

Resources

Blog

Advisories

Clients

Downloadables

Documentation

Company

About us

Certifications

Partners

Careers

Contact us

Fluid Logo Footer

Hacking software for over 20 years

Fluid Attacks tests applications and other systems, covering all software development stages. Our team assists clients in quickly identifying and managing vulnerabilities to reduce the risk of incidents and deploy secure technology.

Copyright © 0 Fluid Attacks. We hack your software. All rights reserved.

Service status

Terms of use

Privacy policy

Cookie policy