Detecting vulnerability in source code using CNN and LSTM network
Soft Computing (IF 3.1), Pub Date: 2021-07-03, DOI: 10.1007/s00500-021-05994-w
Junjun Guo, Zhengyuan Wang, Haonan Li, Yang Xue
Automated vulnerability detection has become a research hotspot because it is beneficial for improving software quality and security. The code metric (CM) is one important class of representations of vulnerability in source code. The implicit relationships among different metric attributes have not been sufficiently considered in traditional CM-based vulnerability detection. In this paper, in view of the local perception capability of the convolutional neural network (CNN) and the time-series prediction capability of long short-term memory (LSTM), we propose VulExplore, a compound neural network model for vulnerability detection that consists of a CNN for feature extraction and an LSTM network for deep representation. Moreover, to further expose the vulnerability features in the source code, we reconstruct a CM dataset that includes two additional important attributes: the maintainability index and the average number of vulnerabilities committed per line. Our proposed method keeps both the false-negative rate (FNR) and the false-positive rate (FPR) under 20% while achieving recall and precision above 80%.
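The abstract states its result as four rates that must hold at the same time. As an added illustration (not code from the paper or the VulExplore project), the Python below computes FNR, FPR, recall and precision from a classifier's per-function vulnerability scores and finds the decision thresholds that satisfy the abstract's joint criteria; the labels and scores are constructed sample data, and the score ordering is an assumption. Because recall equals 1 minus FNR, the "FNR under 20%" and "recall over 80%" conditions are the same constraint, so the independent requirements are really FPR and precision.

```python
from collections import namedtuple

Metrics = namedtuple("Metrics", "fnr fpr recall precision")


def confusion(labels, scores, threshold):
    """Count TP/FP/FN/TN when a score >= threshold is predicted 'vulnerable'."""
    tp = fp = fn = tn = 0
    for y, s in zip(labels, scores):
        predicted_vulnerable = s >= threshold
        if predicted_vulnerable and y:
            tp += 1
        elif predicted_vulnerable and not y:
            fp += 1
        elif not predicted_vulnerable and y:
            fn += 1
        else:
            tn += 1
    return tp, fp, fn, tn


def metrics(tp, fp, fn, tn):
    """FNR = FN/(TP+FN), FPR = FP/(FP+TN), recall = 1 - FNR, precision = TP/(TP+FP)."""
    fnr = fn / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    recall = 1.0 - fnr
    precision = tp / (tp + fp) if tp + fp else 0.0
    return Metrics(fnr, fpr, recall, precision)


def meets_paper_criteria(m):
    """The abstract's stated target: FNR, FPR < 20% and recall, precision > 80%."""
    return m.fnr < 0.2 and m.fpr < 0.2 and m.recall > 0.8 and m.precision > 0.8


def admissible_thresholds(labels, scores, candidates):
    """Return the candidate thresholds at which all four criteria hold."""
    return [t for t in candidates
            if meets_paper_criteria(metrics(*confusion(labels, scores, t)))]


# Constructed sample: 20 functions, label 1 = vulnerable, score = model's
# estimated vulnerability probability (not real model output).
SAMPLE_LABELS = [1] * 10 + [0] * 10
SAMPLE_SCORES = [0.95, 0.90, 0.85, 0.80, 0.75, 0.70, 0.65, 0.60, 0.55, 0.20,
                 0.50, 0.45, 0.40, 0.35, 0.30, 0.25, 0.15, 0.10, 0.05, 0.62]

if __name__ == "__main__":
    for t in (0.3, 0.4, 0.5, 0.55, 0.6, 0.7):
        m = metrics(*confusion(SAMPLE_LABELS, SAMPLE_SCORES, t))
        print(f"threshold={t:.2f} {m} ok={meets_paper_criteria(m)}")
```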

Updated: 2021-07-04