Proceedings of Telecommunication Universities

Machine Learning vs Software Vulnerability Detection: Applicability Analysis and Conceptual System Synthesis

https://doi.org/10.31854/1813-324X-2023-9-6-83-94

Abstract

The article addresses the problem of searching for vulnerabilities in software and the possibilities of applying machine learning, a promising area of information technology, to that problem. To this end, scientific publications in this area from Russian and foreign citation databases are reviewed. The results of the review are compared according to the following criteria: publication year, application field, idea, machine learning problem solved, and degree of realization of its models and methods; basic conclusions are drawn for each criterion. As a result, 7 principles for building a new conceptual system for searching for vulnerabilities in software with the help of machine learning are proposed. In brief, they are: multilateral study of the program; combination of known methods; use of machine learning in each method and in the algorithm of its management; the possibility of correcting the expert's work; storing information in a database and synchronizing it with external ones; the advisory nature of the found vulnerabilities; and use of a single software application. Based on the stated principles, a graphical scheme of such a system has been developed.

About the Authors

N. Leonov
State Research Institute of Applied Problems
Russian Federation


M. Buinevich
Saint-Petersburg University of State Fire Service of EMERCOM of Russia
Russian Federation


Review

For citations:


Leonov N., Buinevich M. Machine Learning vs Software Vulnerability Detection: Applicability Analysis and Conceptual System Synthesis. Proceedings of Telecommunication Universities. 2023;9(6):83-94. (In Russ.) https://doi.org/10.31854/1813-324X-2023-9-6-83-94


Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 1813-324X (Print)
ISSN 2712-8830 (Online)