SEAI · Feb 5, 2023

VuLASTE: Long Sequence Model with Abstract Syntax Tree Embedding for Vulnerability Detection

arXiv:2302.02345v1 · 2 citations · h-index: 5
AI Analysis

This paper addresses vulnerability detection in software source code for developers and security analysts, offering incremental improvements in handling long token sequences and class imbalance.

The paper tackles vulnerability detection in source code by building VuLASTE, a model that treats the task as text classification; on a real-world dataset it reports more hits than state-of-the-art methods (e.g., 29 true vulnerabilities among the top 50 ranked samples).

In this paper, we build a model named VuLASTE, which regards vulnerability detection as a special text classification task. To solve the vocabulary explosion problem, VuLASTE uses a byte-level BPE algorithm from natural language processing. In VuLASTE, a new AST path embedding is added to represent source code nesting information. We also use a combination of global and dilated window attention from Longformer to extract long-sequence semantics from source code. To solve the data imbalance problem, which is a common problem in vulnerability detection datasets, focal loss is used as the loss function to make the model focus on poorly classified cases during training. To test our model performance on real-world source code, we build a cross-language and multi-repository vulnerability dataset from the GitHub Security Advisory Database. On this dataset, VuLASTE achieved top-50, top-100, top-200 and top-500 hits of 29, 51, 86 and 228, which are higher than state-of-the-art research.
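To make three of the abstract's building blocks concrete, here is an added illustration in plain Python; it is not the authors' code and does not reproduce VuLASTE. The AST nesting paths use Python's standard `ast` module as a stand-in for the paper's AST path embedding (the paper's dataset is cross-language, so its AST front end is different), the focal loss is the standard Lin et al. (2017) form with the class-weight term omitted (whether the paper used one is not stated), and the imbalanced batch, the ranking scores and the sample function are all constructed. Byte-level BPE tokenization and the Longformer attention pattern are not shown.

```python
# Added illustration, not code from the VuLASTE paper: AST nesting paths,
# focal loss versus cross-entropy on an imbalanced batch, and the top-k hits
# metric. Python's `ast` module stands in for the paper's AST path embedding;
# all inputs below are constructed, not GitHub Security Advisory data.
import ast
import math


def ast_nesting_paths(source):
    """Return (token, root-to-leaf node-type path) for every Name/Constant leaf.

    The path records how deeply a token is nested, which is exactly the
    structural information a flat token sequence throws away.
    """
    paths = []

    def visit(node, trail):
        trail = trail + [type(node).__name__]
        if isinstance(node, (ast.Name, ast.Constant)):
            token = node.id if isinstance(node, ast.Name) else repr(node.value)
            paths.append((token, "/".join(trail)))
            return
        for child in ast.iter_child_nodes(node):
            visit(child, trail)

    visit(ast.parse(source), [])
    return paths


def _clip(p):
    # Keep probabilities away from 0 and 1 so log() stays finite.
    return min(max(p, 1e-7), 1.0 - 1e-7)


def cross_entropy(p, y):
    """Binary cross-entropy for predicted P(vulnerable)=p and label y in {0,1}."""
    p_t = _clip(p) if y == 1 else 1.0 - _clip(p)
    return -math.log(p_t)


def focal_loss(p, y, gamma=2.0):
    """Binary focal loss, -(1 - p_t)^gamma * log(p_t), without class weighting.

    Well-classified samples (p_t near 1) are scaled down by (1 - p_t)^gamma,
    so the many easy negatives stop dominating the gradient.
    """
    p_t = _clip(p) if y == 1 else 1.0 - _clip(p)
    return -((1.0 - p_t) ** gamma) * math.log(p_t)


def positive_loss_share(samples, loss_fn):
    """Fraction of the batch loss contributed by the positive (vulnerable) class."""
    pos = sum(loss_fn(p, y) for p, y in samples if y == 1)
    total = sum(loss_fn(p, y) for p, y in samples)
    return pos / total


def top_k_hits(scores, labels, k):
    """Number of truly vulnerable samples among the k highest-scored ones."""
    ranked = sorted(zip(scores, labels), key=lambda t: t[0], reverse=True)
    return sum(y for _, y in ranked[:k])


# Constructed sample function: every Name/Constant leaf gets a nesting path.
SAMPLE_SOURCE = (
    "def copy(buf, n):\n"
    "    if n > len(buf):\n"
    "        n = len(buf)\n"
    "    return buf[:n]\n"
)

# Constructed imbalanced batch: 95 easy negatives (p=0.05) and 5 hard
# positives (p=0.30), i.e. a 5% vulnerable rate like a real advisory corpus.
IMBALANCED_BATCH = [(0.05, 0)] * 95 + [(0.30, 1)] * 5

# Constructed ranking: model scores for 10 samples and their ground truth.
SCORES = [0.9, 0.8, 0.7, 0.6, 0.5, 0.4, 0.3, 0.2, 0.1, 0.05]
LABELS = [1, 0, 1, 0, 0, 1, 0, 0, 0, 0]


if __name__ == "__main__":
    for token, path in ast_nesting_paths(SAMPLE_SOURCE):
        print(f"{token:>5}  {path}")
    print("positive share, CE:   ",
          round(positive_loss_share(IMBALANCED_BATCH, cross_entropy), 3))
    print("positive share, focal:",
          round(positive_loss_share(IMBALANCED_BATCH, focal_loss), 3))
    print("top-5 hits:", top_k_hits(SCORES, LABELS, 5))
```

With plain cross-entropy the five hard positives account for roughly 55% of the batch loss; with focal loss (gamma=2) they account for over 99%, because each easy negative is multiplied by (1-0.95)^2. That is the mechanism the abstract refers to when it says focal loss makes the model focus on poorly classified cases. The top-k hits function is the metric behind the reported "top 50 hits of 29": rank all samples by predicted score and count how many of the first k are actually vulnerable.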
