The detection of software vulnerabilities (or vulnerabilities for short) is an important problem that has yet to be tackled, as manifested by the many vulnerabilities reported on a daily basis. This calls for machine learning methods for vulnerability detection. Deep learning is attractive for this purpose because it alleviates the requirement to manually define features. Despite the tremendous success of deep learning in other application domains, its applicability to vulnerability detection is not systematically understood. In order to fill this void, we propose the first systematic framework for using deep learning to detect vulnerabilities in C/C++ programs with source code. The framework, dubbed Syntax-based, Semantics-based, and Vector Representations (SySeVR), focuses on obtaining program representations that can accommodate syntax and semantic information pertinent to vulnerabilities. Our experiments with four software products demonstrate the usefulness of the framework: we detect 15 vulnerabilities that are not reported in the National Vulnerability Database. Among these 15 vulnerabilities, seven are unknown and have been reported to the vendors, and the other eight have been “silently” patched by the vendors when releasing newer versions of the pertinent software products.

中文翻译：

---

SySeVR：使用深度学习检测软件漏洞的框架

软件漏洞（或简称漏洞）的检测是一个有待解决的重要问题，每天报告的许多漏洞都表明了这一点。这需要用于漏洞检测的机器学习方法。深度学习对此很有吸引力，因为它减轻了手动定义特征的需求。尽管深度学习在其他应用领域取得了巨大成功，但它对漏洞检测的适用性并没有得到系统的理解。为了填补这一空白，我们提出了第一个使用深度学习来检测带有源代码的 C/C++ 程序中的漏洞的系统框架。该框架，被称为基于语法、基于语义和Vector Representations ( SySeVR )，专注于获取可以容纳与漏洞相关的语法和语义信息的程序表示。我们对四种软件产品的实验证明了该框架的实用性：我们检测到 15 个未在国家漏洞数据库中报告的漏洞。在这 15 个漏洞中，有 7 个是未知的，并且已向供应商报告，另外 8 个已在相关软件产品的更新版本发布时被供应商“默默”修补。