Chao Ni,Xinrong Guo,Yan Zhu,Xiaodan Xu,Xiaohu Yang

DOI: https://doi.org/10.1109/ase56229.2023.00084

2024-01-01

Abstract:Software vulnerabilities damage the functionality of software systems. Recently, many deep learning-based approaches have been proposed to detect vulnerabilities at the function level by using one or a few different modalities (e.g., text representation, graph-based representation) of the function and have achieved promising performance. However, some of these existing studies have not completely leveraged these diverse modalities, particularly the underutilized image modality, and the others using images to represent functions for vulnerability detection have not made adequate use of the significant graph structure underlying the images. In this paper, we propose MVulD, a multi-modal-based function-level vulnerability detection approach, which utilizes multi-modal features of the function (i.e., text representation, graph representation, and image representation) to detect vulnerabilities. Specifically, MVulD utilizes a pre-trained model (i.e., UniXcoder) to learn the semantic information of the textual source code, employs the graph neural network to distill graph-based representation, and makes use of computer vision techniques to obtain the image representation while retaining the graph structure of the function. We conducted a large-scale experiment on 25,816 functions. The experimental results show that MVulD improves four state-of-the-art baselines by 30.8%-81.3%, 12.8%-27.4%, 48.8%-115%, and 22.9%-141% in terms of F1-score, Accuracy, Precision, and PR-AUC respectively.

Sicong Cao,Xiaobing Sun,Xiaoxue Wu,David Lo,Lili Bo,Bin Li,Xiaolei Liu,Xingwei Lin,Wei Liu

DOI: https://doi.org/10.1145/3691620.3695057

2024-01-01

Abstract:Deep Learning (DL) has emerged as a promising means for vulnerability detection due to its ability to automatically derive features from vulnerable code. Unfortunately, current solutions struggle to focus on vulnerability-related parts of vulnerable functions, and tend to exploit spurious correlations for prediction, thus undermining their effectiveness in practice. In this paper, we propose Snopy, a novel DL-based approach, which bridges sample denoising with causal graph learning to capture real vulnerability patterns from vulnerable samples with numerous noise for effective detection. Specifically, Snopy adopts a change-based sample denoising approach to automatically weed out vulnerability-irrelevant code elements in the vulnerable functions without sacrificing the label accuracy. Then, Snopy constructs a novel Causality-Aware Graph Attention Network (CA-GAT) with Feature Caching Scheme (FCS) to learn causal vulnerability features while maintaining efficiency. Experiments on the three public benchmark datasets show that Snopy outperforms the state-of-the-art baselines by an average of 27.22%, 85.89%, and 75.50% in terms of F1-score, respectively.

Shengyi Pan,Lingfeng Bao,Xin Xia,David Lo,Shanping Li

DOI: https://doi.org/10.1109/icse48619.2023.00088

2023-01-01

Abstract:Identifying security patches via code commits to allow early warnings and timely fixes for Open Source Software (OSS) has received increasing attention. However, the existing detection methods can only identify the presence of a patch (i.e., a binary classification) but fail to pinpoint the vulnerability type. In this work, we take the first step to categorize the security patches into fine-grained vulnerability types. Specifically, we use the Common Weakness Enumeration (CWE) as the label and perform fine-grained classification using categories at the third level of the CWE tree. We first formulate the task as a Hierarchical Multi-label Classification (HMC) problem, i.e., inferring a path (a sequence of CWE nodes) from the root of the CWE tree to the node at the target depth. We then propose an approach named TREEVUL with a hierarchical and chained architecture, which manages to utilize the structure information of the CWE tree as prior knowledge of the classification task. We further propose a tree structure aware and beam search based inference algorithm for retrieving the optimal path with the highest merged probability. We collect a large security patch dataset from NVD, consisting of 6,541 commits from 1,560 GitHub OSS repositories. Experimental results show that TREEVUL significantly outperforms the best performing baselines, with improvements of 5.9%, 25.0%, and 7.7% in terms of weighted F1-score, macro F1-score, and MCC, respectively. We further conduct a user study and a case study to verify the practical value of TREEVUL in enriching the binary patch detection results and improving the data quality of NVD, respectively.

Jinfu Chen,Yemin Yin,Saihua Cai,Weijia Wang,Shengran Wang,Jiming Chen

DOI: https://doi.org/10.1016/j.scico.2024.103156

IF: 1.039

2024-01-01

Science of Computer Programming

Abstract:Software vulnerability detection is a challenging task in the security field, the boom of deep learning technology promotes the development of automatic vulnerability detection. Compared with sequence-based deep learning models, graph neural network (GNN) can learn the structural features of code, it performs well in the field of vulnerability detection for source code. However, different GNNs have different detection results for the same code, and using a single kind of GNN may lead to high false positive rate and false negative rate. In addition, the complex structure of source code causes single GNN model cannot effectively learn their depth feature, thereby leading to low detection accuracy. To solve these limitations, we propose a software vulnerability detection model called iGnnVD based on the integrated graph neural networks. In the proposed iGnnVD model, the base detectors including GCN, GAT and APPNP are first constructed to capture the bidirectional information in the code graph structure with bidirectional structure; And then, the residual connection is used to aggregate the features while retaining the features each time; Finally, the convolutional layer is used to perform the aggregated classification. In addition, an integration module that analyses the detection results of three detectors for final classification is designed using a voting strategy to solve the problem of high false positive rate and false negative rate caused by using a single kind of base detector. We perform extensive experiments on three datasets and experimental results show that the proposed iGnnVD model can improve the detection accuracy of vulnerabilities in source code as well as reduce the false positive rate and false negative rate compared with existing deep learning-based vulnerability detection models, it also has good stability.

Anshul Tanwar,Hariharan Manikandan,Krishna Sundaresan,Prasanna Ganesan,Sathish Kumar Chandrasekaran,Sriram Ravi

DOI: https://doi.org/10.48550/arXiv.2104.09225

2021-04-19

Abstract:Security issues in shipped code can lead to unforeseen device malfunction, system crashes or malicious exploitation by crackers, post-deployment. These vulnerabilities incur a cost of repair and foremost risk the credibility of the company. It is rewarding when these issues are detected and fixed well ahead of time, before release. Common Weakness Estimation (CWE) is a nomenclature describing general vulnerability patterns observed in C code. In this work, we propose a deep learning model that learns to detect some of the common categories of security vulnerabilities in source code efficiently. The AI architecture is an Attention Fusion model, that combines the effectiveness of recurrent, convolutional and self-attention networks towards decoding the vulnerability hotspots in code. Utilizing the code AST structure, our model builds an accurate understanding of code semantics with a lot less learnable parameters. Besides a novel way of efficiently detecting code vulnerability, an additional novelty in this model is to exactly point to the code sections, which were deemed vulnerable by the model. Thus helping a developer to quickly focus on the vulnerable code sections; and this becomes the "explainable" part of the vulnerability detection. The proposed AI achieves 98.40% F1-score on specific CWEs from the benchmarked NIST SARD dataset and compares well with state of the art.

Artificial Intelligence,Software Engineering

Xin-Cheng Wen,Cuiyun Gao,Jiaxin Ye,Yichen Li,Zhihong Tian,Yan Jia,Xuan Wang

2023-12-11

Abstract:In recent years, deep learning (DL)-based methods have been widely used in code vulnerability detection. The DL-based methods typically extract structural information from source code, e.g., code structure graph, and adopt neural networks such as Graph Neural Networks (GNNs) to learn the graph representations. However, these methods fail to consider the heterogeneous relations in the code structure graph, i.e., the heterogeneous relations mean that the different types of edges connect different types of nodes in the graph, which may obstruct the graph representation learning. Besides, these methods are limited in capturing long-range dependencies due to the deep levels in the code structure graph. In this paper, we propose a Meta-path based Attentional Graph learning model for code vulNErability deTection, called MAGNET. MAGNET constructs a multi-granularity meta-path graph for each code snippet, in which the heterogeneous relations are denoted as meta-paths to represent the structural information. A meta-path based hierarchical attentional graph neural network is also proposed to capture the relations between distant nodes in the graph. We evaluate MAGNET on three public datasets and the results show that MAGNET outperforms the best baseline method in terms of F1 score by 6.32%, 21.50%, and 25.40%, respectively. MAGNET also achieves the best performance among all the baseline methods in detecting Top-25 most dangerous Common Weakness Enumerations (CWEs), further demonstrating its effectiveness in vulnerability detection.

Software Engineering

Xu Duan,Jingzheng Wu,Shouling Ji,Zhiqing Rui,Tianyue Luo,Mutian Yang,Yanjun Wu

DOI: https://doi.org/10.24963/ijcai.2019/648

2019-01-01

Abstract:With the explosive development of information technology, vulnerabilities have become one of the major threats to computer security. Most vulnerabilities with similar patterns can be detected effectively by static analysis methods. However, some vulnerable and non-vulnerable code is hardly distinguishable, resulting in low detection accuracy. In this paper, we define the accurate identification of vulnerabilities in similar code as a fine-grained vulnerability detection problem. We propose VulSniper which is designed to detect fine-grained vulnerabilities more effectively. In VulSniper, attention mechanism is used to capture the critical features of the vulnerabilities. Especially, we use bottom-up and top-down structures to learn the attention weights of different areas of the program. Moreover, in order to fully extract the semantic features of the program, we generate the code property graph, design a 144-dimensional vector to describe the relation between the nodes, and finally encode the program as a feature tensor. VulSniper achieves F1-scores of 80.6% and 73.3% on the two benchmark datasets, the SARD Buffer Error dataset and the SARD Resource Management Error dataset respectively, which are significantly higher than those of the state-of-the-art methods.

Chunyong Zhang,Bin Liu,Qing-Hai Fan,Xin Yang,Hao Zhu

DOI: https://doi.org/10.36227/techrxiv.19783456.v1

2022-01-01

Abstract:Static code vulnerability detection is a critical topic in software security. Existing software analysis methods have a high rate of false positives and false negatives. Researchers are interested in employing deep learning to discover vulnerabilities automatically, thanks to the recent success of deep learning algorithms in other application domains.This paper aims at the problem of insufficient and effective extraction of syntax and semantics, the issue of data imbalance, and the problem of overlapping feature distributions between vulnerable and non-vulnerable samples. We illustrate how to create models in a more principled way. We build GSM, a systematic vulnerability detection model based on Graph Attention Network, Sampling methods, and Metric Learning, one phase for one problem solution. When compared to the state-of-the-art approaches, our method achieves 11.5%, 12.3%, 12.57%, and 7.90% improvement in Precision, Recall, F1-Score, and AUC, respectively. Finally, based on the methods proposed in each stage of this paper, we put forward directions and suggestions for more efficient vulnerability detection tasks in the following research.

Deqing Zou,Yawei Zhu,Shouhuai Xu,Zhen Li,Hai Jin,Hengkai Ye

DOI: https://doi.org/10.1145/3429444

IF: 3.685

2021-04-30

ACM Transactions on Software Engineering and Methodology

Abstract:Detecting software vulnerabilities is an important problem and a recent development in tackling the problem is the use of deep learning models to detect software vulnerabilities. While effective, it is hard to explain why a deep learning model predicts a piece of code as vulnerable or not because of the black-box nature of deep learning models. Indeed, the interpretability of deep learning models is a daunting open problem. In this article, we make a significant step toward tackling the interpretability of deep learning model in vulnerability detection. Specifically, we introduce a high-fidelity explanation framework, which aims to identify a small number of tokens that make significant contributions to a detector’s prediction with respect to an example. Systematic experiments show that the framework indeed has a higher fidelity than existing methods, especially when features are not independent of each other (which often occurs in the real world). In particular, the framework can produce some vulnerability rules that can be understood by domain experts for accepting a detector’s outputs (i.e., true positives) or rejecting a detector’s outputs (i.e., false-positives and false-negatives). We also discuss limitations of the present study, which indicate interesting open problems for future research.

computer science, software engineering

Deqing Zou,Yutao Hu,Wenke Li,Yueming Wu,Haojun Zhao,Hai Jin

DOI: https://doi.org/10.1109/tdsc.2022.3199769

2022-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Due to the powerful automatic feature extraction, deep learning-based vulnerability detection methods have evolved significantly in recent years. However, almost all current work focuses on detecting vulnerabilities at a single granularity (i.e., slice-level or function-level). In practice, slice-level vulnerability detection is fine-grained but may contain incomplete vulnerability details. Function-level vulnerability detection includes full vulnerability semantics but may contain vulnerability-unrelated statements. Meanwhile, they pay more attention to predicting whether the source code is vulnerable and cannot pinpoint which statements are more likely to be vulnerable. In this paper, we design mVulPreter, a multi-granularity vulnerability detector that can provide interpretations of detection results. Specifically, we propose a novel technique to effectively blend the advantages of function-level and slice-level vulnerability detection models and output the detection results' interpretation only by the model itself. We evaluate mVulPreter on a dataset containing 5,310 vulnerable functions and 7,601 non-vulnerable functions. The experimental results indicate that mVulPreter outperforms existing state-of-the-art vulnerability detection approaches (i.e., Checkmarx, FlawFinder, RATS, TokenCNN, StatementLSTM, SySeVR, and Devign).

computer science, information systems, software engineering, hardware & architecture

Jinfu Chen,Weijia Wang,Bo Liu,Saihua Cai,Dave Towey,Shengran Wang

DOI: https://doi.org/10.1016/j.infsof.2024.107453

IF: 3.9

2024-03-29

Information and Software Technology

Abstract:Context: Desirable characteristics in vulnerability-detection (VD) systems (VDSs) include both good detection capability (high accuracy, low false positive rate, low false negative rate, etc.) and low time overheads. The widely used VDSs based on models such as Recurrent Neural Networks (RNNs) have some problems, such as low time efficiency, failing to learn the vulnerability features better, and insufficent amounts of vulnerability features. Therefore, it is very important to construct an automatic detection model with high detection accuracy. Objective: This paper reports on training based on the source code to analyze and learn from the code's patterns and structures by deep-learning techniques to generate an efficient VD model that does not require manual feature design. Method: We propose a software VD model based on multi-feature fusion and deep neural networks called AIdetectorX-SP. It first uses a Temporal Convolutional Network (TCN) and adds a Self-attention Mechanism (SaM) to the TCN to build a model for extracting vulnerability logic features, then transforms the source code into an image input to a Convolutional Neural Network (CNN) to extract structural and semantic information. Finally, we use feature-fusion technology to design and implement an improved deep-learning-based VDS, called AIdetectorX Sequence with Picturization (AIdetectorX-SP). Results: We report on experiments conducted using publicly-available and widely-used datasets to evaluate the effectiveness of AIdetectorX-SP, with results indicating that AIdetectorX-SP is an effective VDS; that the combination of TCN and SaM can effectively extract vulnerability logic features; and that the pictorial code can extract code structure features, which can further improve the VD capability. Conclusion: In this paper, we propose a novel detection model for software vulnerability based on TCNs, SaM, and software picturization. The proposed model solves some shortcomings and limitations of existing VDSs, and obtains a high software-VD accuracy with a high degree of stability.

computer science, information systems, software engineering

Litao Li,Steven H. H. Ding,Yuan Tian,Benjamin C. M. Fung,Philippe Charland,Weihan Ou,Leo Song,Congwei Chen

DOI: https://doi.org/10.1145/3585386

IF: 2.717

2023-04-14

ACM Transactions on Privacy and Security

Abstract:Software vulnerabilities have been posing tremendous reliability threats to the general public as well as critical infrastructures, and there have been many studies aiming to detect and mitigate software defects at the binary level. Most of the standard practices leverage both static and dynamic analysis, which have several drawbacks like heavy manual workload and high complexity. Existing deep learning-based solutions not only suffer to capture the complex relationships among different variables from raw binary code but also lack the explainability required for humans to verify, evaluate, and patch the detected bugs. We propose VulANalyzeR, a deep learning-based model, for automated binary vulnerability detection, Common Weakness Enumeration-type classification, and root cause analysis to enhance safety and security. VulANalyzeR features sequential and topological learning through recurrent units and graph convolution to simulate how a program is executed. The attention mechanism is integrated throughout the model, which shows how different instructions and the corresponding states contribute to the final classification. It also classifies the specific vulnerability type through multi-task learning as this not only provides further explanation but also allows faster patching for zero-day vulnerabilities. We show that VulANalyzeR achieves better performance for vulnerability detection over the state-of-the-art baselines. Additionally, a Common Vulnerability Exposure dataset is used to evaluate real complex vulnerabilities. We conduct case studies to show that VulANalyzeR is able to accurately identify the instructions and basic blocks that cause the vulnerability even without given any prior knowledge related to the locations during the training phase.

computer science, information systems

Zihua Song,Junfeng Wang,Shengli Liu,Zhiyang Fang,Kaiyuan Yang

DOI: https://doi.org/10.1155/2022/1919907

IF: 1.968

2022-04-11

Security and Communication Networks

Abstract:Vulnerability detection on source code can prevent the risk of cyber-attacks as early as possible. However, lacking fine-grained analysis of the code has rendered the existing solutions still suffering from low performance; besides, the explosive growth of open-source projects has dramatically increased the complexity and diversity of the source code. This paper presents HGVul, a code vulnerability detection method based on heterogeneous intermediate representation of source code. The key of the proposed method is the fine-grained handling on heterogeneous source-level intermediate representation (SIR) without expert knowledge. It first extracts graph SIR of code with multiple syntactic-semantic information. Then, HGVul splits the SIR into different subgraphs according to various semantic relations, which are used to obtain semantic information conveyed by different types of edges. Next, a graph neural network with attention operations is deployed on each subgraph to learn representation, which captures the subtle effects from node neighbors on their representation. Finally, the learned code feature representations are utilized to perform vulnerability detection. Experiments are conducted on multiple datasets. The F1 of HGVul reaches 96.1% on the sample-balanced Big-Vul-VP dataset and 88.3% on the unbalanced Big-Vul dataset. Further experiments on actual open-source project datasets prove the better performance of HGVul.

computer science, information systems,telecommunications

Aidong Xu,Tao Dai,Huajun Chen,Zhe Ming,Weining Li

DOI: https://doi.org/10.1109/icsai.2018.8599360

2018-01-01

Abstract:With the development of Internet technology, software vulnerabilities have become a major threat to current computer security. In this work, we propose the vulnerability detection for source code using Contextual LSTM. Compared with CNN and LSTM, we evaluated the CLSTM on 23185 programs, which are collected from SARD. We extracted the features through the program slicing. Based on the features, we used the natural language processing to analysis programs with source code. The experimental results demonstrate that CLSTM has the best performance for vulnerability detection, reaching the accuracy of 96.711% and the F1 score of 0.96984.

Li Zhou,Minhuan Huang,Yujun Li,Yuanping Nie,Jin Li,Yiwei Liu

DOI: https://doi.org/10.48550/arXiv.2202.02501

2022-02-05

Abstract:With the continuous extension of the Industrial Internet, cyber incidents caused by software vulnerabilities have been increasing in recent years. However, software vulnerabilities detection is still heavily relying on code review done by experts, and how to automatedly detect software vulnerabilities is an open problem so far. In this paper, we propose a novel solution named GraphEye to identify whether a function of C/C++ code has vulnerabilities, which can greatly alleviate the burden of code auditors. GraphEye is originated from the observation that the code property graph of a non-vulnerable function naturally differs from the code property graph of a vulnerable function with the same functionality. Hence, detecting vulnerable functions is attributed to the graph classification <a class="link-external link-http" href="http://problem.GraphEye" rel="external noopener nofollow">this http URL</a> is comprised of VecCPG and GcGAT. VecCPG is a vectorization for the code property graph, which is proposed to characterize the key syntax and semantic features of the corresponding source code. GcGAT is a deep learning model based on the graph attention graph, which is proposed to solve the graph classification problem according to VecCPG. Finally, GraphEye is verified by the SARD Stack-based Buffer Overflow, Divide-Zero, Null Pointer Deference, Buffer Error, and Resource Error datasets, the corresponding F1 scores are 95.6%, 95.6%,96.1%,92.6%, and 96.1% respectively, which validate the effectiveness of the proposed solution.

Cryptography and Security,Machine Learning

Baijun Cheng,Mingsheng Zhao,Kailong Wang,Meizhen Wang,Guangdong Bai,Ruitao Feng,Yao Guo,Lei Ma,Haoyu Wang

DOI: https://doi.org/10.1145/3641543

IF: 3.685

2024-01-31

ACM Transactions on Software Engineering and Methodology

Abstract:Abstract : Vulnerability detectors based on deep learning (DL) models have proven their effectiveness in recent years. However, the shroud of opacity surrounding the decision-making process of these detectors makes it difficult for security analysts to comprehend. To address this, various explanation approaches have been proposed to explain the predictions by highlighting important features, which have been demonstrated effective in other domains such as computer vision and natural language processing. Unfortunately, an in-depth evaluation of vulnerability-critical features, such as fine-grained vulnerability-related code lines, learned and understood by these explanation approaches remains lacking. In this study, we first evaluate the performance of ten explanation approaches for vulnerability detectors based on graph and sequence representations, measured by two quantitative metrics including fidelity and vulnerability line coverage rate. Our results show that fidelity alone is not sufficient for evaluating these approaches, as fidelity incurs significant fluctuations across different datasets and detectors. We subsequently check the precision of the vulnerability-related code lines reported by the explanation approaches, and find poor accuracy in this task among all of them. This can be attributed to the inefficiency of explainers in selecting important features and the presence of irrelevant artifacts learned by DL-based detectors.

computer science, software engineering

Feng Luo,Ruijie Luo,Ting Chen,Ao Qiao,Zheyuan He,Shuwei Song,Yu Jiang,Sixing Li

DOI: https://doi.org/10.1145/3597503.3639213

2023-01-01

Abstract:Due to the rapid development of blockchain, security issues caused by smart contract vulnerabilities are receiving increasingly widespread attention. Unfortunately, traditional smart contract vulnerability detection methods rely heavily on expert knowledge and elaborate rules, while neural network-based vulnerability detection methods have not yet achieved satisfactory accuracy either. In this paper, we propose a novel vulnerability detection method for smart contracts called VULDET. We first construct a contract graph based on the structure of the smart contract source code and combine security domain knowledge to attach additional features to nodes in the graph that are closely associated with vulnerabilities to highlight key nodes, and finally use graph attention networks for contract vulnerability detection. We apply VULDET to reentrancy vulnerability as well as timestamp dependency vulnerability detection and conduct extensive experiments, and the results show that our approach has significant advantages over existing methods.

Arash Mahyari

DOI: https://doi.org/10.48550/arXiv.2211.08517

2022-11-15

Cryptography and Security

Abstract:Software vulnerabilities, caused by unintentional flaws in source codes, are the main root cause of cyberattacks. Source code static analysis has been used extensively to detect the unintentional defects, i.e. vulnerabilities, introduced into the source codes by software developers. In this paper, we propose a deep learning approach to detect vulnerabilities from their LLVM IR representations based on the techniques that have been used in natural language processing. The proposed approach uses a hierarchical process to first identify source codes with vulnerabilities, and then it identifies the lines of codes that contribute to the vulnerability within the detected source codes. This proposed two-step approach reduces the false alarm of detecting vulnerable lines. Our extensive experiment on real-world and synthetic codes collected in NVD and SARD shows high accuracy (about 98\%) in detecting source code vulnerabilities.

Baijun Cheng,Kailong Wang,Cuiyun Gao,Xiapu Luo,Yulei Sui,Li Li,Yao Guo,Xiangqun Chen,Haoyu Wang

2024-02-21

Abstract:Vulnerability detection is a crucial component in the software development lifecycle. Existing vulnerability detectors, especially those based on deep learning (DL) models, have achieved high effectiveness. Despite their capability of detecting vulnerable code snippets from given code fragments, the detectors are typically unable to further locate the fine-grained information pertaining to the vulnerability, such as the precise vulnerability triggering

Software Engineering