
Multi-granularity Deep Vulnerability Detection Using Graph Neural Networks

  • Conference paper
  • Neural Information Processing (ICONIP 2023)
  • Part of the book series: Communications in Computer and Information Science (CCIS, volume 1969)

Abstract

Vulnerability detection has become increasingly important as cybersecurity threats escalate. Developing automated vulnerability detection techniques that avoid high false-positive and false-negative rates is a central problem in software security. In recent years, deep learning-based vulnerability detectors have received substantial attention and achieved remarkable success. To fill the gap in multi-granularity program representation, we propose MulGraVD, a deep learning-based vulnerability detector that operates at the function level. MulGraVD captures both the continuity and the structure of the programming language by considering information at word, statement, basic block, and function granularity. To overcome the limitation that the number of information-aggregation layers in a graph neural network is a fixed hyperparameter, MulGraVD passes information serially from coarse to fine granularity, which facilitates the mining of vulnerability patterns. Our experimental evaluation on the FFMPeg+Qemu and ReVeal datasets shows that MulGraVD significantly outperforms existing state-of-the-art methods in precision, recall, and F1 score, with average improvements of 11.62% in precision, 27.69% in recall, and 19.71% in F1 score.



Author information

Corresponding author: Shanqing Guo.


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Yang, T., Lian, S., Jia, Q., Hu, C., Guo, S. (2024). Multi-granularity Deep Vulnerability Detection Using Graph Neural Networks. In: Luo, B., Cheng, L., Wu, ZG., Li, H., Li, C. (eds) Neural Information Processing. ICONIP 2023. Communications in Computer and Information Science, vol 1969. Springer, Singapore. https://doi.org/10.1007/978-981-99-8184-7_12


  • DOI: https://doi.org/10.1007/978-981-99-8184-7_12


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-8183-0

  • Online ISBN: 978-981-99-8184-7
