AutoVAS: An automated vulnerability analysis system with a deep learning approach
Computers & Security (IF 5.6). Pub Date: 2021-04-26. DOI: 10.1016/j.cose.2021.102308
Sanghoon Jeon, Huy Kang Kim

Owing to advances in automated hacking and analysis technologies in recent years, numerous software security vulnerabilities have been announced. Software vulnerabilities are increasing rapidly, whereas the methods used to analyze and cope with them depend on manual analysis, which results in slow responses. In recent years, studies on predicting vulnerabilities or detecting the patterns of previous vulnerabilities have applied deep learning algorithms to automated vulnerability search based on source code. However, existing methods target only certain security vulnerabilities or make limited use of the information available in source code. Few studies have examined methods that represent source code as an embedding vector. Thus, this study proposes a deep learning-based automated vulnerability analysis system (AutoVAS) that effectively represents source code as embedding vectors, using datasets drawn from various projects in the National Vulnerability Database (NVD) and the Software Assurance Reference Database (SARD). To evaluate AutoVAS, we present and share a dataset for deep learning models. Experimental results show that AutoVAS achieves a false negative rate (FNR) of 3.62%, a false positive rate (FPR) of 1.88%, and an F1-score of 96.11%, lower FNR and FPR values than those achieved by other approaches. We further apply AutoVAS to nine open-source projects and detect eleven vulnerabilities, most of which are missed by the other approaches we experimented with. Notably, we discovered three zero-day vulnerabilities, two of which were patched after the AutoVAS findings were reported. The third received a Common Vulnerabilities and Exposures (CVE) ID after being detected by AutoVAS.
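The abstract reports AutoVAS's results as a false negative rate, a false positive rate and an F1-score. The Python below is an added example, not code from the paper or from the AutoVAS project: it computes those three metrics from confusion-matrix counts and then projects what rates like the reported ones mean when a detector is run over a whole codebase. The evaluation counts, the 100,000-function scan size and the 0.5% vulnerable-unit prevalence are constructed assumptions, not figures from the paper.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Confusion:
    """Confusion-matrix counts for a binary vulnerable/not-vulnerable classifier."""
    tp: int  # vulnerable units flagged as vulnerable
    fp: int  # benign units flagged as vulnerable
    fn: int  # vulnerable units the detector missed
    tn: int  # benign units correctly left alone

    @property
    def fnr(self) -> float:
        """False negative rate: share of truly vulnerable units that are missed."""
        positives = self.fn + self.tp
        return self.fn / positives if positives else 0.0

    @property
    def fpr(self) -> float:
        """False positive rate: share of truly benign units that are flagged."""
        negatives = self.fp + self.tn
        return self.fp / negatives if negatives else 0.0

    @property
    def precision(self) -> float:
        """Share of flagged units that are really vulnerable."""
        flagged = self.tp + self.fp
        return self.tp / flagged if flagged else 0.0

    @property
    def recall(self) -> float:
        """Share of vulnerable units that are flagged (1 - FNR)."""
        return 1.0 - self.fnr

    @property
    def f1(self) -> float:
        """Harmonic mean of precision and recall."""
        p, r = self.precision, self.recall
        return 2 * p * r / (p + r) if (p + r) else 0.0


def project_scan(n_units: int, prevalence: float, fnr: float, fpr: float) -> dict:
    """Expected alert counts when a detector with the given FNR and FPR is run
    over n_units code units, of which a fraction `prevalence` is truly
    vulnerable. Returns expected true alerts, false alerts and the precision
    a triage team would actually see at that scale."""
    vulnerable = n_units * prevalence
    benign = n_units - vulnerable
    true_alerts = vulnerable * (1.0 - fnr)
    false_alerts = benign * fpr
    total = true_alerts + false_alerts
    return {
        "true_alerts": true_alerts,
        "false_alerts": false_alerts,
        "precision": true_alerts / total if total else 0.0,
    }


# Constructed evaluation counts (assumption, not the paper's test set): the
# detector misses 36 of 1000 vulnerable units (FNR 3.6%) and flags 188 of
# 10000 benign units (FPR 1.88%).
SAMPLE = Confusion(tp=964, fp=188, fn=36, tn=9812)

if __name__ == "__main__":
    print(f"FNR={SAMPLE.fnr:.2%} FPR={SAMPLE.fpr:.2%} "
          f"precision={SAMPLE.precision:.2%} F1={SAMPLE.f1:.2%}")
    # Constructed scan (assumption): 100,000 functions, 0.5% of them actually
    # vulnerable, using the FNR and FPR reported in the abstract.
    proj = project_scan(100_000, 0.005, fnr=0.0362, fpr=0.0188)
    print(f"expected true alerts={proj['true_alerts']:.0f}, "
          f"false alerts={proj['false_alerts']:.0f}, "
          f"precision at scale={proj['precision']:.1%}")
```

`project_scan` makes the base-rate caveat explicit: an FPR of 1.88% is small per unit, but real codebases contain far more benign functions than vulnerable ones, so the same detector produces several false alerts for every true one at scan scale, and the precision a triage queue experiences is much lower than the F1-score measured on a curated evaluation set. Triage capacity, not just the headline metrics, decides whether such a system is usable in practice.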


Updated: 2021-05-17