Deep learning vulnerability detection method based on optimized inter-procedural semantics of programs
In recent years, software vulnerabilities have been causing a multitude of security incidents, and the early discovery and patching of vulnerabilities can effectively reduce losses.Traditional rule-based vulnerability detection methods, relying upon rules defined by experts, suffer from a high false...
| Main Author: | |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
POSTS&TELECOM PRESS Co., LTD
2023-12-01
|
| Series: | 网络与信息安全学报 |
| Subjects: | |
| Online Access: | https://www.infocomm-journal.com/cjnis/CN/10.11959/j.issn.2096-109x.2023085 |
| _version_ | 1797262389628895232 |
|---|---|
| author | Yan LI, Weizhong QIANG, Zhen LI, Deqing ZOU, Hai JIN |
| author_facet | Yan LI, Weizhong QIANG, Zhen LI, Deqing ZOU, Hai JIN |
| author_sort | Yan LI, Weizhong QIANG, Zhen LI, Deqing ZOU, Hai JIN |
| collection | DOAJ |
| description | In recent years, software vulnerabilities have been causing a multitude of security incidents, and the early discovery and patching of vulnerabilities can effectively reduce losses.Traditional rule-based vulnerability detection methods, relying upon rules defined by experts, suffer from a high false negative rate.Deep learning-based methods have the capability to automatically learn potential features of vulnerable programs.However, as software complexity increases, the precision of these methods decreases.On one hand, current methods mostly operate at the function level, thus unable to handle inter-procedural vulnerability samples.On the other hand, models such as BGRU and BLSTM exhibit performance degradation when confronted with long input sequences, and are not adept at capturing long-term dependencies in program statements.To address the aforementioned issues, the existing program slicing method has been optimized, enabling a comprehensive contextual analysis of vulnerabilities triggered across functions through the combination of intra-procedural and inter-procedural slicing.This facilitated the capture of the complete causal relationship of vulnerability triggers.Furthermore, a vulnerability detection task was conducted using a Transformer neural network architecture equipped with a multi-head attention mechanism.This architecture collectively focused on information from different representation subspaces, allowing for the extraction of deep features from nodes.Unlike recurrent neural networks, this approach resolved the issue of information decay and effectively learned the syntax and semantic information of the source program.Experimental results demonstrate that this method achieves an F1 score of 73.4% on a real software dataset.Compared to the comparative methods, it shows an improvement of 13.6% to 40.8%.Furthermore, it successfully detects several vulnerabilities in open-source software, confirming its effectiveness and applicability. |
| first_indexed | 2024-04-24T23:56:20Z |
| format | Article |
| id | doaj.art-a3d55bf7e7e144a1b4738183acf80f68 |
| institution | Directory Open Access Journal |
| issn | 2096-109X |
| language | English |
| last_indexed | 2024-04-24T23:56:20Z |
| publishDate | 2023-12-01 |
| publisher | POSTS&TELECOM PRESS Co., LTD |
| record_format | Article |
| series | 网络与信息安全学报 |
| spelling | doaj.art-a3d55bf7e7e144a1b4738183acf80f682024-03-14T12:18:37ZengPOSTS&TELECOM PRESS Co., LTD网络与信息安全学报2096-109X2023-12-01968610110.11959/j.issn.2096-109x.2023085Deep learning vulnerability detection method based on optimized inter-procedural semantics of programsYan LI, Weizhong QIANG, Zhen LI, Deqing ZOU, Hai JINIn recent years, software vulnerabilities have been causing a multitude of security incidents, and the early discovery and patching of vulnerabilities can effectively reduce losses.Traditional rule-based vulnerability detection methods, relying upon rules defined by experts, suffer from a high false negative rate.Deep learning-based methods have the capability to automatically learn potential features of vulnerable programs.However, as software complexity increases, the precision of these methods decreases.On one hand, current methods mostly operate at the function level, thus unable to handle inter-procedural vulnerability samples.On the other hand, models such as BGRU and BLSTM exhibit performance degradation when confronted with long input sequences, and are not adept at capturing long-term dependencies in program statements.To address the aforementioned issues, the existing program slicing method has been optimized, enabling a comprehensive contextual analysis of vulnerabilities triggered across functions through the combination of intra-procedural and inter-procedural slicing.This facilitated the capture of the complete causal relationship of vulnerability triggers.Furthermore, a vulnerability detection task was conducted using a Transformer neural network architecture equipped with a multi-head attention mechanism.This architecture collectively focused on information from different representation subspaces, allowing for the extraction of deep features from nodes.Unlike recurrent neural networks, this approach resolved the issue of information decay and effectively learned the syntax and semantic information of the source program.Experimental results demonstrate that this method achieves an F1 score of 73.4% on a real software dataset.Compared to the comparative methods, it shows an improvement of 13.6% to 40.8%.Furthermore, it successfully detects several vulnerabilities in open-source software, confirming its effectiveness and applicability.https://www.infocomm-journal.com/cjnis/CN/10.11959/j.issn.2096-109x.2023085vulnerability detectionprogram slicedeep learningattention mechanism |
| spellingShingle | Yan LI, Weizhong QIANG, Zhen LI, Deqing ZOU, Hai JIN Deep learning vulnerability detection method based on optimized inter-procedural semantics of programs 网络与信息安全学报 vulnerability detection program slice deep learning attention mechanism |
| title | Deep learning vulnerability detection method based on optimized inter-procedural semantics of programs |
| title_full | Deep learning vulnerability detection method based on optimized inter-procedural semantics of programs |
| title_fullStr | Deep learning vulnerability detection method based on optimized inter-procedural semantics of programs |
| title_full_unstemmed | Deep learning vulnerability detection method based on optimized inter-procedural semantics of programs |
| title_short | Deep learning vulnerability detection method based on optimized inter-procedural semantics of programs |
| title_sort | deep learning vulnerability detection method based on optimized inter procedural semantics of programs |
| topic | vulnerability detection program slice deep learning attention mechanism |
| url | https://www.infocomm-journal.com/cjnis/CN/10.11959/j.issn.2096-109x.2023085 |
| work_keys_str_mv | AT yanliweizhongqiangzhenlideqingzouhaijin deeplearningvulnerabilitydetectionmethodbasedonoptimizedinterproceduralsemanticsofprograms |