Abstract
With the increasingly serious trend of information security, software vulnerability has become one of the main threats to computer security. How to accurately detect the vulnerabilities in programs is a key issue in the field of information security. However, the accuracy of existing static vulnerability detection methods decreases significantly when detecting vulnerabilities with inconspicuous characteristics. To solve this issue, a function-level vulnerability detection method based on code property graph and attention mechanism is proposed. The method firstly converts the program source code into a code property graph containing semantic feature information and slices it to eliminate redundant information not related to sensitive operations; secondly, the code property graph is encoded into numerical embedding vectors by using BERT; then, a large-scale feature dataset is used to train a neural network based on the attention mechanism; finally, the trained neural network is used to realize the vulnerability detection of the target program. The experimental results show that the accuracy of this method on SARD dataset and GitHub dataset reaches 95.3% and 94.2% respectively, which is a significant improvement compared with the baseline, and proves that this method can effectively improve the accuracy of detecting vulnerabilities with inconspicuous vulnerability features.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Lin, G., et al.: Software vulnerability discovery via learning multi-domain knowledge bases. IEEE Trans. Dependable Secure Comput. 18(5), 2469–2485 (2019)
Kim, S., et al.: VUDDY: a scalable approach for vulnerable code clone discovery. In: 2017 IEEE Symposium on Security and Privacy (SP). IEEE (2017)
Li, Z., et al.: Vuldeepecker: a deep learning-based system for vulnerability detection. arXiv preprint: arXiv:1801.01681 (2018)
Zou, D., et al.: \(\mu \)VulDeePecker: a deep learning-based system for multiclass vulnerability detection. IEEE Trans. Dependable Secure Comput. 18(5), 2224–2236 (2019)
Zhou, Y., et al.: Devign: effective vulnerability identification by learning comprehensive program semantics via graph neural networks. In: Advances in Neural Information Processing Systems, vol. 32 (2019)
Pradel, M., Sen, K.: Deepbugs: a learning approach to name-based bug detection. Proc. ACM Program. Lang. 2(OOPSLA ), 1-25 (2018)
Cherem, S., Princehouse, L., Rugina, R.: Practical memory leak detection using guarded value-flow analysis. In: Proceedings of the 28th ACM SIGPLAN Conference on Programming Language Design and Implementation (2007)
Fan, G., et al.: SMOKE: scalable path-sensitive memory leak detection for millions of lines of code. In: 2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE). IEEE (2019)
Heine, D.L., Lam, M.S.: Static detection of leaks in polymorphic containers. In: Proceedings of the 28th International Conference on Software Engineering (2006)
Yamaguchi, F., et al.: Modeling and discovering vulnerabilities with code property graphs. In: 2014 IEEE Symposium on Security and Privacy. IEEE (2014)
Mou, L., et al.: Convolutional neural networks over tree structures for programming language processing. In: Proceedings of the AAAI Conference on Artificial Intelligence, vol. 30, no. 1 (2016)
Pham, N.H., et al.: Detection of recurring software vulnerabilities. In: Proceedings of the 25th IEEE/ACM International Conference on Automated Software Engineering (2010)
Wang, H., et al.: Combining graph-based learning with automated data collection for code vulnerability detection. IEEE Trans. Inf. Forensics Secur. 16, 1943–1958 (2020)
Xu, K., et al.: How powerful are graph neural networks?. arXiv preprint: arXiv:1810.00826 (2018)
Shervashidze, N., et al.: Weisfeiler-lehman graph kernels. J. Mach. Learn. Res. 12(9) (2011)
NIST. Software Assurance Reference Dataset Project. https://samate.nist.gov/SRD/. Accessed 1 June 2019
National Vulnerability Database (NVD). https://nvd.nist.gov. Accessed 1 May 2020
Devlin, J., et al.: BERT: pre-training of deep bidirectional transformers for language understanding. arXiv preprint: arXiv:1810.04805 (2018)
Vaswani, A., et al.: Attention is all you need. In: Advances in Neural Information Processing Systems, vol. 30 (2017)
Shaw, P., Uszkoreit, J., Vaswani, A.: Self-attention with relative position representations. arXiv preprint: arXiv:1803.02155 (2018)
Joern (2014). https://joern.readthedocs.io/en/latest/
Lipp, S., Banescu, S., Pretschner, A.: An empirical study on the effectiveness of static C code analyzers for vulnerability detection. In: Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis (2022)
Lin, Y., et al.: Vulnerability dataset construction methods applied to vulnerability detection: a survey. In: 2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN-W). IEEE (2022)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Sun, Y., Wang, Z., Liu, K., Cui, B. (2024). Source Code Vulnerability Detection Based on Graph Structure Representation and Attention Mechanisms. In: Barolli, L. (eds) Advances in Internet, Data & Web Technologies. EIDWT 2024. Lecture Notes on Data Engineering and Communications Technologies, vol 193. Springer, Cham. https://doi.org/10.1007/978-3-031-53555-0_6
Download citation
DOI: https://doi.org/10.1007/978-3-031-53555-0_6
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-53554-3
Online ISBN: 978-3-031-53555-0
eBook Packages: Intelligent Technologies and RoboticsIntelligent Technologies and Robotics (R0)