Abstract
The significance of vulnerability detection has grown increasingly crucial due to the escalating cybersecurity threats. Investigating automated vulnerability detection techniques to avoid high false positives and false negatives is an important issue in the current software security field. In recent years, there has been a substantial focus on deep learning-based vulnerability detectors, which have achieved remarkable success. To fill the gap in multi-granularity program representation, we propose MulGraVD, a deep learning-based vulnerability detector at the function level. MulGraVD captures the continuity and structure of the programming language by considering information at word, statement, basic block, and function granularity respectively. To overcome the constraint posed by hyperparameter layers in the information aggregation process of graph neural networks, MulGraVD serially passes information from coarse to fine granularity, which facilitates the mining of vulnerability patterns. Our experimental evaluation on FFMPeg+Qemu and ReVeal datasets shows that MulGraVD significantly outperforms existing state-of-the-art methods in terms of precision, recall, and F1 score, with an average improvement of 11.62% in precision, 27.69% in recall, and 19.71% in F1 score.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
CVE-2012-2793. https://www.cve.org/CVERecord?id=CVE-2012-2793
CWE-120: Buffer overflow. https://cwe.mitre.org/data/definitions/120.html
CWE-190: Integer overflow. https://cwe.mitre.org/data/definitions/190.html
CWE-362: Race condition. https://cwe.mitre.org/data/definitions/362.html
CWE-369: Divide by zero. https://cwe.mitre.org/data/definitions/369.html
CWE-476: Null pointer dereference. https://cwe.mitre.org/data/definitions/476.html
Chakraborty, S., Krishna, R., Ding, Y., Ray, B.: Deep learning based vulnerability detection: are we there yet. IEEE Trans. Software Eng. 48, 3280–3296 (2021)
Chawla, N.V., Bowyer, K.W., Hall, L.O., Kegelmeyer, W.P.: Smote: synthetic minority over-sampling technique. J. Artif. Intell. Res. 16, 321–357 (2002)
Chen, D., Lin, Y., Li, W., Li, P., Zhou, J., Sun, X.: Measuring and relieving the over-smoothing problem for graph neural networks from the topological view. In: Proceedings of the AAAI Conference on Artificial Intelligence, vol. 34, pp. 3438–3445 (2020)
Cheng, X., Zhang, G., Wang, H., Sui, Y.: Path-sensitive code embedding via contrastive learning for software vulnerability detection. In: Proceedings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 519–531 (2022)
Dosovitskiy, A., Beyer, L., et al.: An image is worth 16x16 words: transformers for image recognition at scale. arXiv preprint arXiv:2010.11929 (2020)
Du, X., et al.: LEOPARD: identifying vulnerable code for vulnerability assessment through program metrics. In: 2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE), pp. 60–71. IEEE (2019)
Hin, D., Kan, A., Chen, H., Babar, M.A.: LineVD: statement-level vulnerability detection using graph neural networks. In: Proceedings of the 19th International Conference on Mining Software Repositories, pp. 596–607 (2022)
Johnson, B., Song, Y., Murphy-Hill, E., Bowdidge, R.: Why don’t software developers use static analysis tools to find bugs? In: 2013 35th International Conference on Software Engineering (ICSE), pp. 672–681. IEEE (2013)
Le, T., et al.: Maximal divergence sequential autoencoder for binary software vulnerability detection. In: International Conference on Learning Representations (2019)
Li, X., Wang, L., Xin, Y., Yang, Y., Tang, Q., Chen, Y.: Automated software vulnerability detection based on hybrid neural network. Appl. Sci. 11(7), 3201 (2021)
Li, Y., Wang, S., Nguyen, T.N.: Vulnerability detection with fine-grained interpretations. In: Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 292–303 (2021)
Li, Z., Zou, D., Xu, S., Jin, H., Zhu, Y., Chen, Z.: SySeVR: a framework for using deep learning to detect software vulnerabilities. IEEE Trans. Dependable Secure Comput. 19(4), 2244–2258 (2021)
Li, Z., et al.: VulDeePecker: a deep learning-based system for vulnerability detection. arXiv preprint arXiv:1801.01681 (2018)
Van der Maaten, L., Hinton, G.: Visualizing data using t-SNE. J. Mach. Learn. Res. 9(11) (2008)
Neuhaus, S., Zimmermann, T., Holler, C., Zeller, A.: Predicting vulnerable software components. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 529–540 (2007)
Russell, R., et al.: Automated vulnerability detection in source code using deep representation learning. In: 2018 17th IEEE International Conference on Machine Learning and Applications (ICMLA), pp. 757–762. IEEE (2018)
Scandariato, R., Walden, J., Hovsepyan, A., Joosen, W.: Predicting vulnerable software components via text mining. IEEE Trans. Software Eng. 40(10), 993–1006 (2014)
She, D., Krishna, R., Yan, L., Jana, S., Ray, B.: MTFuzz: fuzzing with a multi-task neural network. In: Proceedings of the 28th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 737–749 (2020)
She, D., Pei, K., Epstein, D., Yang, J., Ray, B., Jana, S.: Neuzz: efficient fuzzing with neural program smoothing. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 803–817. IEEE (2019)
Shen, S., Shinde, S., Ramesh, S., Roychoudhury, A., Saxena, P.: Neuro-symbolic execution: augmenting symbolic execution with neural constraints. In: NDSS (2019)
Yamaguchi, F., Golde, N., Arp, D., Rieck, K.: Modeling and discovering vulnerabilities with code property graphs. In: 2014 IEEE Symposium on Security and Privacy, pp. 590–604. IEEE (2014)
Ying, Z., Bourgeois, D., You, J., Zitnik, M., Leskovec, J.: GNNExplainer: generating explanations for graph neural networks. Adv. Neural Inf. Process. Syst. 32 (2019)
Zhou, Y., Liu, S., Siow, J., Du, X., Liu, Y.: Devign: Effective vulnerability identification by learning comprehensive program semantics via graph neural networks. In: Advances in Neural Information Processing Systems, vol. 32 (2019)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Yang, T., Lian, S., Jia, Q., Hu, C., Guo, S. (2024). Multi-granularity Deep Vulnerability Detection Using Graph Neural Networks. In: Luo, B., Cheng, L., Wu, ZG., Li, H., Li, C. (eds) Neural Information Processing. ICONIP 2023. Communications in Computer and Information Science, vol 1969. Springer, Singapore. https://doi.org/10.1007/978-981-99-8184-7_12
Download citation
DOI: https://doi.org/10.1007/978-981-99-8184-7_12
Published:
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-8183-0
Online ISBN: 978-981-99-8184-7
eBook Packages: Computer ScienceComputer Science (R0)