International Journal of Scientific Engineering and Research (IJSER)
Call for Papers | Fully Refereed | Open Access | Double Blind Peer Reviewed | ISSN: 2347-3878



India | Computer Science | Volume 14 Issue 5, May 2026 | Pages: 121 - 124


Vulnerability Detection Using Machine Learning Techniques in Open-Source Software

Prasad Langhe

Abstract: Open Source Software (OSS) forms the cornerstone of modern-day computing in applications ranging from the web to embedded devices and beyond. Although OSS offers several advantages, including innovative features, cost savings, and speed, it is also susceptible to security flaws due to its open-source nature and collaborative approach to software development. Traditional ways of evaluating vulnerabilities in OSS involve manual code review, static analysis, and community-submitted bug reports. These approaches can be time-consuming and error-prone, and are thus unsuitable for the size of today's OSS projects. The advent of Machine Learning (ML), however, has enabled an entirely new approach to automatically detecting software vulnerabilities. With the help of sophisticated machine learning algorithms that make use of semantic, dependency, and pattern analysis of large data sets, predicting and classifying vulnerable parts of the code has become possible. In this study, we analyze the use of ML algorithms in discovering weaknesses in OSS. More precisely, we focus on: 1) the limitations of current manual and semi-automated vulnerability discovery approaches, 2) various ML techniques used for source code analysis based on supervised learning, deep learning, and NLP, and 3) the practical efficiency of using ML in actual OSS development projects. The experimental results showed that ML outperformed static analysis tools in terms of both accuracy and time. In particular, ML algorithms that use ASTs and code2vec embeddings showed better performance in identifying zero-day vulnerabilities than rule-based systems. Therefore, we argue that there is an increasing need for hybrid algorithms that combine ML with traditional static and data-driven analysis to discover vulnerabilities in OSS.

Keywords: Open Source Software, Vulnerability Detection, Machine Learning, Deep Learning, Code Analysis, Cybersecurity

