Detecting vulnerability in source code using CNN and LSTM network

2021 
Automated vulnerability detection has become a research hotspot because it helps improve software quality and security. Code metrics (CMs) are one important class of representations of vulnerability in source code, but traditional CM-based vulnerability detection has not sufficiently considered the implicit relationships among different metric attributes. In this paper, drawing on the local perception capability of convolutional neural networks (CNNs) and the time-series prediction capability of long short-term memory (LSTM) networks, we propose VulExplore, a compound neural network model for vulnerability detection that consists of a CNN for feature extraction and an LSTM network for deep representation. To further expose vulnerability features in source code, we also reconstruct a CM dataset that includes two additional important attributes: the maintainability index and the average number of vulnerabilities committed per line. Our proposed numerical method keeps both the false-negative rate (FNR) and the false-positive rate (FPR) under 20% while achieving both recall and precision above 80%.