Please use this identifier to cite or link to this item: http://hdl.handle.net/2080/5270
Title: Enhancing Cryptographic Misuse Detection in Source Code using AST and Machine Learning Techniques
Authors: Kumar, Sachin; Mohapatra, Durga Prasad
Keywords: Cryptography; Abstract Syntax Trees; Machine Learning; Cryptographic API Misuse
Issue Date: Aug-2025
Citation: 22nd Control Instrumentation Systems conference (CISCON), MIT Manipal, Karnataka, 1-2 August 2025
Abstract: Correctly implementing cryptographic security in software is challenging due to its complexity. This paper introduces a machine learning framework using Abstract Syntax Trees (ASTs) to identify cryptographic API misuse in Java code. The approach includes two models: a Per-Category Model, classifying vulnerabilities into nine specific types, and a Full Model, performing binary (secure/insecure) classification. The Per-Category Model achieved an average accuracy of 80%, effectively identifying issues, especially in Public Key Cryptography (PKC) and Weak Cryptography (WC). The Full Model reached 78% accuracy with an AUC-ROC of 0.87, showing strong overall performance. Compared to traditional static analysis tools detecting only 35% of known issues, our method significantly improves accuracy and reduces false alarms. Leveraging AST-based features and Random Forest classifiers, our framework enhances cryptographic misuse detection, providing developers clearer and more actionable insights, thus promoting secure software development.
Description: Copyright belongs to the proceeding publisher.
URI: http://hdl.handle.net/2080/5270
Appears in Collections: Conference Papers

Files in This Item:
File: 2025_CISCON_SKumar_Enhancing.pdf
Size: 337.23 kB
Format: Adobe PDF

