BERT-Based Vulnerability Type Identification with Effective Program Representation

Wireless Algorithms, Systems, and Applications (2022)

Abstract
Detecting vulnerabilities is essential to maintaining software security. At present, vulnerability detection based on deep learning has achieved remarkable results. The type of a vulnerability can reveal the principle behind it and help the programmer quickly pinpoint its precise location. Moreover, the type of a vulnerability is very valuable for remediating it. Therefore, it is essential to identify vulnerability types. This paper proposes a new vulnerability type identification framework based on deep learning. The framework is based on syntax and semantics, and its detection granularity is at the slice level. To cover comprehensive vulnerability types, we use four slicing methods to represent the program. In addition, we model four kinds of code slice features based on BERT. For evaluation, we used 64 three-level CWE-ID vulnerability types in the National Vulnerability Database (NVD) and the Software Assurance Reference Dataset (SARD) for vulnerability type identification. The experimental results show that the framework achieves significant performance in vulnerability type identification.
Key words
Vulnerability detection, Type identification, Bidirectional self-attention mechanism