SeqTrans: Automatic Vulnerability Fix via Sequence to Sequence Learning

Chi, Jianlei; Yu, Qin; Liu, Ting; Yin, Huanshun

doi:10.48550/arxiv.2010.10805

Cited by 2 publications

(7 citation statements)

References 37 publications

(65 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The state-of-the-art vulnerability fixing models are usually trained on a relatively small vulnerability fixing dataset [6], or generated from synthesized code examples [5]. Based on prior studies showing the effectiveness of large datasets for machine learning [8], we hypothesize that it is hard for a deep learning model to generalize well on such a small dataset.…”

Section: Methodology For Rq2mentioning

confidence: 99%

See 1 more Smart Citation

Neural Transfer Learning for Repairing Security Vulnerabilities in C Code

Chen

Kommrusch

Monperrus

2023

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

In this paper, we address the problem of automatic repair of software vulnerabilities with deep learning. The major problem with data-driven vulnerability repair is that the few existing datasets of known confirmed vulnerabilities consist of only a few thousand examples. However, training a deep learning model often requires hundreds of thousands of examples. In this work, we leverage the intuition that the bug fixing task and the vulnerability fixing task are related and that the knowledge learned from bug fixes can be transferred to fixing vulnerabilities. In the machine learning community, this technique is called transfer learning. In this paper, we propose an approach for repairing security vulnerabilities named VRepair which is based on transfer learning. VRepair is first trained on a large bug fix corpus and is then tuned on a vulnerability fix dataset, which is an order of magnitude smaller. In our experiments, we show that a model trained only on a bug fix corpus can already fix some vulnerabilities. Then, we demonstrate that transfer learning improves the ability to repair vulnerable C functions. We also show that the transfer learning model performs better than a model trained with a denoising task and fine-tuned on the vulnerability fixing task. To sum up, this paper shows that transfer learning works well for repairing security vulnerabilities in C compared to learning on a small dataset.

show abstract

Section: Methodology For Rq2mentioning

confidence: 99%

“…Manually fixing all these vulnerabilities is a time-consuming task; the GitHub 2020 security report finds that it takes 4.4 weeks to release a fix after a vulnerability is identified [4]. Therefore, researchers have proposed approaches to automatically fix these vulnerabilities [5], [6].…”

Section: Introductionmentioning

confidence: 99%

Neural Transfer Learning for Repairing Security Vulnerabilities in C Code

Chen

Kommrusch

Monperrus

2023

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

show abstract

“…The state-of-the-art vulnerability fixing models are usually trained on a relatively small vulnerability fixing dataset [6], or generated from synthesized code examples [5]. We hypothesize that it is hard for a deep learning model to generalize well on such a small or artificial dataset.…”

Section: Methodology For Rq3mentioning

confidence: 99%

“…Ponta et al created a manually curated dataset of Java vulnerability fixes [46] which has been used to train Se-qTrans, a vulnerability fixing system [6] presented above. The dataset has been collected through a vulnerability assessment tool called "project KB", which is open sourced.…”

Section: Vulnerability Datasetsmentioning

confidence: 99%

“…Consider the recent related work Vurle [9], where the model is trained and evaluated on a dataset of 279 manually identified vulnerabilities. SeqTrans is another recent effort, trained and evaluated on a dataset with 1282 vulnerabilities [6]. On the other hand, training neural models for a translation task (English to French) has been done using over 41 million sentence pairs [10].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Neural Transfer Learning for Repairing Security Vulnerabilities in C Code

Chen,

Kommrusch,

Monperrus

2021

Preprint

View full text Add to dashboard Cite

In this paper, we address the problem of automatic repair of software vulnerabilities with deep learning. The major problem with data-driven vulnerability repair is that the few existing datasets of known confirmed vulnerabilities consist of only a few thousand examples. However, training a deep learning model often requires hundreds of thousands of examples. In this work, we leverage the intuition that the bug fixing task and the vulnerability fixing task are related, and the knowledge learned from bug fixes can be transferred to fixing vulnerabilities. In the machine learning community, this technique is called transfer learning. In this paper, we propose an approach for repairing security vulnerabilities named VRepair which is based on transfer learning. VRepair is first trained on a large bug fix corpus, and is then tuned on a vulnerability fix dataset, which is an order of magnitudes smaller. In our experiments, we show that a model trained only on a bug fix corpus can already fix some vulnerabilities. Then, we demonstrate that transfer learning improves the ability to repair vulnerable C functions. In the end, we present evidence that transfer learning produces more stable and superior neural models for vulnerability repair.

show abstract

SeqTrans: Automatic Vulnerability Fix via Sequence to Sequence Learning

Cited by 2 publications

References 37 publications

Neural Transfer Learning for Repairing Security Vulnerabilities in C Code

Neural Transfer Learning for Repairing Security Vulnerabilities in C Code

Neural Transfer Learning for Repairing Security Vulnerabilities in C Code

Contact Info

Product

Resources

About