
AI-powered vulnerability detection for secure source code development.

Authors: Sampath Rajapaksha, Janaka Senanayake, Harsha Kalutarage, Mhd Omar Al-Kadri

Editors: Giampaolo Bella, Mihai Doinea, Helge Janicke

Abstract

Vulnerable source code in software applications is a major cause of reliability and security issues. Software security principles should be integrated early in the development lifecycle to reduce these issues. Artificial Intelligence (AI) could be applied to detect vulnerabilities in source code. In this research, a Machine Learning (ML) based method is proposed to detect source code vulnerabilities in C/C++ applications. Furthermore, Explainable AI (XAI) was applied to support developers in identifying vulnerable source code tokens and understanding their causes. In binary classification (vulnerable or not), the proposed model achieves an F1-score of 0.96; in vulnerability-type detection, a multi-class classification by CWE-ID, it achieves an F1-score of 0.85. Several ML classifiers were tested; Random Forest (RF) performed best for the binary task and Extreme Gradient Boosting (XGB) for the multi-class task. Since the model is trained on a dataset of actual source code, it is highly generalizable.
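The abstract describes three ingredients: token-level features over C/C++ source, a classifier that labels a snippet as vulnerable or as a CWE-ID, and a per-token explanation. The following is an added illustration, not code from the paper: it uses a regex tokenizer and a tiny token-presence naive Bayes model (the paper uses Random Forest and XGBoost, not naive Bayes) trained on constructed snippets, ranks each token of a test snippet by its contribution to the "vulnerable" decision, and computes F1 both for the binary task and, with macro and micro averaging, for a constructed multi-class CWE-ID result. The last part is the caveat a practitioner will want: a multi-class F1-score is only comparable once the averaging scheme is stated, and the two schemes can differ substantially on imbalanced classes.

```python
import math
import re
from collections import Counter

# Crude C tokenizer (assumption of this example): identifiers, numbers, common
# two-character operators, and any other single non-space character.
TOKEN_RE = re.compile(r"[A-Za-z_]\w*|\d+|==|!=|<=|>=|&&|\|\||->|[^\s\w]")


def tokenize(code):
    """Split C source into tokens; string literals are split into their parts for simplicity."""
    return TOKEN_RE.findall(code)


# Constructed training snippets (not from the paper's dataset); label 1 = vulnerable.
TRAIN = [
    ('void f(char *s){ char buf[16]; strcpy(buf, s); }', 1),
    ('void g(char *s){ char buf[16]; sprintf(buf, "%s", s); }', 1),
    ('void h(char *s){ char buf[16]; gets(buf); }', 1),
    ('void f2(char *s){ char buf[16]; strncpy(buf, s, sizeof buf - 1); buf[15] = 0; }', 0),
    ('void g2(char *s){ char buf[16]; snprintf(buf, sizeof buf, "%s", s); }', 0),
    ('void h2(char *s){ char buf[16]; fgets(buf, sizeof buf, stdin); }', 0),
]


def train(samples):
    """Token-presence naive Bayes: per-class document counts and per-token document frequencies."""
    n = Counter()
    df = {0: Counter(), 1: Counter()}
    for code, label in samples:
        n[label] += 1
        for tok in set(tokenize(code)):
            df[label][tok] += 1
    return {"n": n, "df": df}


def token_weight(model, tok):
    """log P(tok | vulnerable) - log P(tok | safe), Laplace-smoothed. Positive pushes toward 'vulnerable'."""
    p1 = (model["df"][1][tok] + 1) / (model["n"][1] + 2)
    p0 = (model["df"][0][tok] + 1) / (model["n"][0] + 2)
    return math.log(p1) - math.log(p0)


def score(model, code):
    """Log-odds of 'vulnerable' for a snippet: class prior plus the weight of each distinct token."""
    prior = math.log(model["n"][1] / model["n"][0])
    return prior + sum(token_weight(model, t) for t in set(tokenize(code)))


def predict(model, code):
    return 1 if score(model, code) > 0 else 0


def explain(model, code, top=5):
    """Rank the snippet's tokens by contribution to the decision (the token-level XAI idea in miniature)."""
    weights = {t: token_weight(model, t) for t in set(tokenize(code))}
    return sorted(weights.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


def f1_binary(y_true, y_pred, positive=1):
    """F1 for one positive class from true/false positives and false negatives."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t == positive and p == positive)
    fp = sum(1 for t, p in zip(y_true, y_pred) if t != positive and p == positive)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t == positive and p != positive)
    return 2 * tp / (2 * tp + fp + fn) if tp else 0.0


def f1_macro(y_true, y_pred):
    """Unweighted mean of per-class F1: every CWE counts equally, however rare."""
    labels = sorted(set(y_true) | set(y_pred))
    return sum(f1_binary(y_true, y_pred, c) for c in labels) / len(labels)


def f1_micro(y_true, y_pred):
    """Pooled F1; for single-label multi-class data this equals accuracy, so frequent CWEs dominate."""
    return sum(t == p for t, p in zip(y_true, y_pred)) / len(y_true)


# Constructed multi-class result (CWE-IDs chosen for illustration only): 7 snippets, 3 classes.
Y_TRUE = ["CWE-120"] * 4 + ["CWE-134"] * 2 + ["CWE-78"]
Y_PRED = ["CWE-120", "CWE-120", "CWE-120", "CWE-134", "CWE-134", "CWE-134", "CWE-120"]

if __name__ == "__main__":
    model = train(TRAIN)
    snippet = 'void k(char *p){ char out[32]; strcpy(out, p); }'  # constructed test input
    print("vulnerable" if predict(model, snippet) else "safe")
    for tok, w in explain(model, snippet):
        print(f"{tok:>8} {w:+.3f}")
    print(f"macro-F1 {f1_macro(Y_TRUE, Y_PRED):.3f}  micro-F1 {f1_micro(Y_TRUE, Y_PRED):.3f}")
```

On the constructed test snippet the top-ranked token is `strcpy`; the explanation also shows a small negative weight on `,`, which is the kind of spurious feature a token-level explanation exposes and a reviewer should discount. On the constructed CWE-ID labels macro-F1 is about 0.52 while micro-F1 is about 0.71, because the single CWE-78 sample is misclassified and macro averaging weights that class as heavily as the four CWE-120 samples.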

Citation

RAJAPAKSHA, S., SENANAYAKE, J., KALUTARAGE, H. and AL-KADRI, M.O. 2023. AI-powered vulnerability detection for secure source code development. In Bella, G., Doinea, M. and Janicke, H. (eds.) Innovative security solutions for information technology and communications: revised selected papers of the 15th International conference on Security for information technology and communications 2022 (SecITC 2022), 8-9 December 2022, [virtual conference]. Lecture Notes in Computer Science, 13809. Cham: Springer [online], pages 275-288. Available from: https://doi.org/10.1007/978-3-031-32636-3_16

Presentation Conference Type: Conference Paper (published)
Conference Name: 2022 International conference on Security for information technology and communications (SecITC 2022)
Start Date: Dec 8, 2022
End Date: Dec 9, 2022
Acceptance Date: Nov 21, 2022
Online Publication Date: May 12, 2023
Publication Date: Dec 31, 2023
Deposit Date: Jul 3, 2023
Publicly Available Date: May 13, 2024
Publisher: Springer
Peer Reviewed: Peer Reviewed
Pages: 275-288
Series Title: Lecture Notes in Computer Science
Series Number: 13809
Series ISSN: 0302-9743; 1611-3349
Book Title: Innovative security solutions for information technology and communications: revised selected papers of the 15th International conference on Security for information technology and communications 2022 (SecITC 2022), 8-9 December 2022, [virtual conference]
ISBN: 9783031326356; 9783031326363
DOI: https://doi.org/10.1007/978-3-031-32636-3_16
Keywords: Source code vulnerability; Machine learning; Software security; Vulnerability scanners
Public URL: https://rgu-repository.worktribe.com/output/1961786

Files

RAJAPAKSHA 2023 AI-powered vulnerability (AAM), PDF, 600 KB

Copyright Statement
This version of the contribution has been accepted for publication, after peer review (when applicable) but is not the Version of Record and does not reflect post-acceptance improvements, or any corrections. The Version of Record is available online at: https://doi.org/10.1007/978-3-031-32636-3_16. Use of this Accepted Version is subject to the publisher's Accepted Manuscript terms of use.
