Xin-Cheng Wen,Zirui Lin,Cuiyun Gao,Hongyu Zhang,Yong Wang,Qing Liao

2024-12-11

Abstract:Software vendors often silently release security patches without providing sufficient advisories (e.g., Common Vulnerabilities and Exposures) or delayed updates via resources (e.g., National Vulnerability Database). Therefore, it has become crucial to detect these security patches to ensure secure software maintenance. However, existing methods face the following challenges: (1) They primarily focus on the information within the patches themselves, overlooking the complex dependencies in the repository. (2) Security patches typically involve multiple functions and files, increasing the difficulty in well learning the representations. To alleviate the above challenges, this paper proposes a Repository-level Security Patch Detection framework named RepoSPD, which comprises three key components: 1) a repository-level graph construction, RepoCPG, which represents software patches by merging pre-patch and post-patch source code at the repository level; 2) a structure-aware patch representation, which fuses the graph and sequence branch and aims at comprehending the relationship among multiple code changes; 3) progressive learning, which facilitates the model in balancing semantic and structural information. To evaluate RepoSPD, we employ two widely-used datasets in security patch detection: SPI-DB and PatchDB. We further extend these datasets to the repository level, incorporating a total of 20,238 and 28,781 versions of repository in C/C++ programming languages, respectively, denoted as SPI-DB* and PatchDB*. We compare RepoSPD with six existing security patch detection methods and five static tools. Our experimental results demonstrate that RepoSPD outperforms the state-of-the-art baseline, with improvements of 11.90%, and 3.10% in terms of accuracy on the two datasets, respectively.

Software Engineering,Artificial Intelligence,Cryptography and Security

Sicong Cao,Xiaobing Sun,Xiaoxue Wu,David Lo,Lili Bo,Bin Li,Xiaolei Liu,Xingwei Lin,Wei Liu

DOI: https://doi.org/10.1145/3691620.3695057

2024-01-01

Abstract:Deep Learning (DL) has emerged as a promising means for vulnerability detection due to its ability to automatically derive features from vulnerable code. Unfortunately, current solutions struggle to focus on vulnerability-related parts of vulnerable functions, and tend to exploit spurious correlations for prediction, thus undermining their effectiveness in practice. In this paper, we propose Snopy, a novel DL-based approach, which bridges sample denoising with causal graph learning to capture real vulnerability patterns from vulnerable samples with numerous noise for effective detection. Specifically, Snopy adopts a change-based sample denoising approach to automatically weed out vulnerability-irrelevant code elements in the vulnerable functions without sacrificing the label accuracy. Then, Snopy constructs a novel Causality-Aware Graph Attention Network (CA-GAT) with Feature Caching Scheme (FCS) to learn causal vulnerability features while maintaining efficiency. Experiments on the three public benchmark datasets show that Snopy outperforms the state-of-the-art baselines by an average of 27.22%, 85.89%, and 75.50% in terms of F1-score, respectively.

Jinfu Chen,Yemin Yin,Saihua Cai,Weijia Wang,Shengran Wang,Jiming Chen

DOI: https://doi.org/10.1016/j.scico.2024.103156

IF: 1.039

2024-01-01

Science of Computer Programming

Abstract:Software vulnerability detection is a challenging task in the security field, the boom of deep learning technology promotes the development of automatic vulnerability detection. Compared with sequence-based deep learning models, graph neural network (GNN) can learn the structural features of code, it performs well in the field of vulnerability detection for source code. However, different GNNs have different detection results for the same code, and using a single kind of GNN may lead to high false positive rate and false negative rate. In addition, the complex structure of source code causes single GNN model cannot effectively learn their depth feature, thereby leading to low detection accuracy. To solve these limitations, we propose a software vulnerability detection model called iGnnVD based on the integrated graph neural networks. In the proposed iGnnVD model, the base detectors including GCN, GAT and APPNP are first constructed to capture the bidirectional information in the code graph structure with bidirectional structure; And then, the residual connection is used to aggregate the features while retaining the features each time; Finally, the convolutional layer is used to perform the aggregated classification. In addition, an integration module that analyses the detection results of three detectors for final classification is designed using a voting strategy to solve the problem of high false positive rate and false negative rate caused by using a single kind of base detector. We perform extensive experiments on three datasets and experimental results show that the proposed iGnnVD model can improve the detection accuracy of vulnerabilities in source code as well as reduce the false positive rate and false negative rate compared with existing deep learning-based vulnerability detection models, it also has good stability.

Kedi Shen,Yun Zhang,Lingfeng Bao,Zhiyuan Wan,Zhuorong Li,Minghui Wu

DOI: https://doi.org/10.1109/ICSE-COMPANION58688.2023.00049

2023-01-01

Abstract:With the rapid development of open source projects, the continuous emergence of vulnerabilities in the project brings great challenges to the security of the project. Security patches are one of the best ways to deal with vulnerabilities, but are not well applied currently. Although there are sites like CVE/NVD that provide information about vulnerabilities, many of the vulnerabilities disclosed by CVE/NVD are not accompanied by security patches. This makes it difficult for developers to apply patches. In the present study, a sorting method based on extracting multidimensional features from auxiliary information in CVE/NVD was proposed. And we made a further step, we proposed VCMATCH, a model for mining semantic information in vulnerability description and code commit messages, which has good recall rate and applicability across projects. On this basis, we established Patchmatch, a tool for helping developers to quickly locate patches. Given a vulnerability, Patchmatch can forecast the implicit patches in the code repository's commits. Patchmatch also has a visual webpage for information statistics and a display web page to help developers manage all kinds of information in the code repository. A demo video of Patchmatch is at https://www.youtube.com/watch?v=nOBSMFtZV8A. Patchmatch is in https://github.com/Sklud1456/patchmatch.

Yaqin Zhou,Jing Kai Siow,Chenyu Wang,Shangqing Liu,Yang Liu

DOI: https://doi.org/10.1145/3468854

IF: 3.685

2022-01-31

ACM Transactions on Software Engineering and Methodology

Abstract:Security patches in open source software, providing security fixes to identified vulnerabilities, are crucial in protecting against cyber attacks. Security advisories and announcements are often publicly released to inform the users about potential security vulnerability. Despite the National Vulnerability Database (NVD) publishes identified vulnerabilities, a vast majority of vulnerabilities and their corresponding security patches remain beyond public exposure, e.g., in the open source libraries that are heavily relied on by developers. As many of these patches exist in open sourced projects, the problem of curating and gathering security patches can be difficult due to their hidden nature. An extensive and complete security patches dataset could help end-users such as security companies, e.g., building a security knowledge base, or researcher, e.g., aiding in vulnerability research. To efficiently curate security patches including undisclosed patches at large scale and low cost, we propose a deep neural-network-based approach built upon commits of open source repositories. First, we design and build security patch datasets that include 38,291 security-related commits and 1,045 Common Vulnerabilities and Exposures (CVE) patches from four large-scale C programming language libraries. We manually verify each commit, among the 38,291 security-related commits, to determine if they are security related. We devise and implement a deep learning-based security patch identification system that consists of two composite neural networks: one commit-message neural network that utilizes pretrained word representations learned from our commits dataset and one code-revision neural network that takes code before revision and after revision and learns the distinction on the statement level. Our system leverages the power of the two networks for Security Patch Identification. Evaluation results show that our system significantly outperforms SVM and K-fold stacking algorithms. The result on the combined dataset achieves as high as 87.93% F1-score and precision of 86.24%. We deployed our pipeline and learned model in an industrial production environment to evaluate the generalization ability of our approach. The industrial dataset consists of 298,917 commits from 410 new libraries that range from a wide functionalities. Our experiment results and observation on the industrial dataset proved that our approach can identify security patches effectively among open sourced projects.

computer science, software engineering

Xunzhu Tang,zhenghan Chen,Saad Ezzini,Haoye Tian,Yewei Song,Jacques Klein,Tegawende F. Bissyande

DOI: https://doi.org/10.48550/arXiv.2308.15233

2023-08-29

Software Engineering

Abstract:The growth of open-source software has increased the risk of hidden vulnerabilities that can affect downstream software applications. This concern is further exacerbated by software vendors' practice of silently releasing security patches without explicit warnings or common vulnerability and exposure (CVE) notifications. This lack of transparency leaves users unaware of potential security threats, giving attackers an opportunity to take advantage of these vulnerabilities. In the complex landscape of software patches, grasping the nuanced semantics of a patch is vital for ensuring secure software maintenance. To address this challenge, we introduce a multilevel Semantic Embedder for security patch detection, termed MultiSEM. This model harnesses word-centric vectors at a fine-grained level, emphasizing the significance of individual words, while the coarse-grained layer adopts entire code lines for vector representation, capturing the essence and interrelation of added or removed lines. We further enrich this representation by assimilating patch descriptions to obtain a holistic semantic portrait. This combination of multi-layered embeddings offers a robust representation, balancing word complexity, understanding code-line insights, and patch descriptions. Evaluating MultiSEM for detecting patch security, our results demonstrate its superiority, outperforming state-of-the-art models with promising margins: a 22.46\% improvement on PatchDB and a 9.21\% on SPI-DB in terms of the F1 metric.

Shengyi Pan,Lingfeng Bao,Xin Xia,David Lo,Shanping Li

DOI: https://doi.org/10.1109/icse48619.2023.00088

2023-01-01

Abstract:Identifying security patches via code commits to allow early warnings and timely fixes for Open Source Software (OSS) has received increasing attention. However, the existing detection methods can only identify the presence of a patch (i.e., a binary classification) but fail to pinpoint the vulnerability type. In this work, we take the first step to categorize the security patches into fine-grained vulnerability types. Specifically, we use the Common Weakness Enumeration (CWE) as the label and perform fine-grained classification using categories at the third level of the CWE tree. We first formulate the task as a Hierarchical Multi-label Classification (HMC) problem, i.e., inferring a path (a sequence of CWE nodes) from the root of the CWE tree to the node at the target depth. We then propose an approach named TREEVUL with a hierarchical and chained architecture, which manages to utilize the structure information of the CWE tree as prior knowledge of the classification task. We further propose a tree structure aware and beam search based inference algorithm for retrieving the optimal path with the highest merged probability. We collect a large security patch dataset from NVD, consisting of 6,541 commits from 1,560 GitHub OSS repositories. Experimental results show that TREEVUL significantly outperforms the best performing baselines, with improvements of 5.9%, 25.0%, and 7.7% in terms of weighted F1-score, macro F1-score, and MCC, respectively. We further conduct a user study and a case study to verify the practical value of TREEVUL in enriching the binary patch detection results and improving the data quality of NVD, respectively.

Xinda Wang,Shu Wang,Pengbin Feng,Kun Sun,Sushil Jajodia,Sanae Benchaaboun,Frank Geck

DOI: https://doi.org/10.1109/MILCOM52596.2021.9652940

2023-01-06

Abstract:With the increasing usage of open-source software (OSS) components, vulnerabilities embedded within them are propagated to a huge number of underlying applications. In practice, the timely application of security patches in downstream software is challenging. The main reason is that such patches do not explicitly indicate their security impacts in the documentation, which would be difficult to recognize for software maintainers and users. However, attackers can still identify these "secret" security patches by analyzing the source code and generate corresponding exploits to compromise not only unpatched versions of the current software, but also other similar software packages that may contain the same vulnerability due to code cloning or similar design/implementation logic. Therefore, it is critical to identify these secret security patches to enable timely fixes. To this end, we propose a deep learning-based defense system called PatchRNN to automatically identify secret security patches in OSS. Besides considering descriptive keywords in the commit message (i.e., at the text level), we leverage both syntactic and semantic features at the source-code level. To evaluate the performance of our system, we apply it on a large-scale real-world patch dataset and conduct a case study on a popular open-source web server software - NGINX. Experimental results show that the PatchRNN can successfully detect secret security patches with a low false positive rate.

Cryptography and Security,Software Engineering

Mei Han,Lulu Wang,Jianming Chang,Bixin Li,Chunguang Zhang

2024-09-13

Abstract:Software projects are dependent on many third-party libraries, therefore high-risk vulnerabilities can propagate through the dependency chain to downstream projects. Owing to the subjective nature of patch management, software vendors commonly fix vulnerabilities silently. Silent vulnerability fixes cause downstream software to be unaware of urgent security issues in a timely manner, posing a security risk to the software. Presently, most of the existing works for vulnerability fix identification only consider the changed code as a sequential textual sequence, ignoring the structural information of the code. In this paper, we propose GRAPE, a GRAph-based Patch rEpresentation that aims to 1) provide a unified framework for getting vulnerability fix patches representation; and 2) enhance the understanding of the intent and potential impact of patches by extracting structural information of the code. GRAPE employs a novel joint graph structure (MCPG) to represent the syntactic and semantic information of fix patches and embeds both nodes and edges. Subsequently, a carefully designed graph convolutional neural network (NE-GCN) is utilized to fully learn structural features by leveraging the attributes of the nodes and edges. Moreover, we construct a dataset containing 2251 silent fixes. For the experimental section, we evaluated patch representation on three tasks, including vulnerability fix identification, vulnerability types classification, and vulnerability severity classification. Experimental results indicate that, in comparison to baseline methods, GRAPE can more effectively reduce false positives and omissions of vulnerability fixes identification and provide accurate vulnerability assessments.

Software Engineering

Xu He,Shu Wang,Pengbin Feng,Xinda Wang,Shiyu Sun,Qi Li,Kun Sun

DOI: https://doi.org/10.48550/arXiv.2312.07921

2023-12-13

Abstract:A timely software update is vital to combat the increasing security vulnerabilities. However, some software vendors may secretly patch their vulnerabilities without creating CVE entries or even describing the security issue in their change log. Thus, it is critical to identify these hidden security patches and defeat potential N-day attacks. Researchers have employed various machine learning techniques to identify security patches in open-source software, leveraging the syntax and semantic features of the software changes and commit messages. However, all these solutions cannot be directly applied to the binary code, whose instructions and program flow may dramatically vary due to different compilation configurations. In this paper, we propose BinGo, a new security patch detection system for binary code. The main idea is to present the binary code as code property graphs to enable a comprehensive understanding of program flow and perform a language model over each basic block of binary code to catch the instruction semantics. BinGo consists of four phases, namely, patch data pre-processing, graph extraction, embedding generation, and graph representation learning. Due to the lack of an existing binary security patch dataset, we construct such a dataset by compiling the pre-patch and post-patch source code of the Linux kernel. Our experimental results show BinGo can achieve up to 80.77% accuracy in identifying security patches between two neighboring versions of binary code. Moreover, BinGo can effectively reduce the false positives and false negatives caused by the different compilers and optimization levels.

Cryptography and Security,Software Engineering

Wenjing Cai,Junlin Chen,Jiaping Yu,Lipeng Gao

DOI: https://doi.org/10.1016/j.infsof.2023.107328

IF: 3.9

2023-12-01

Information and Software Technology

Abstract:The increasing size and complexity of software programs have made them an integral part of modern society’s infrastructure, making software vulnerabilities a major threat to computer security. To address this issue, the use of deep learning-based software vulnerability detection methods has become increasingly popular. Although the effectiveness of the deep learning-based methods has been demonstrated, these methods have faced challenges in scalability and detection performance. To tackle this challenge, we propose a new vulnerability detection method based on deep learning with complex network analysis and subgraph partition that enhances detection accuracy while maintaining scalability. The method uses complex network analysis theory to convert the CPG into an image-like matrix, and then utilizes TextCNN for vulnerability detection. As a result, our method shows a 6% improvement in accuracy and a 10% reduction in false positive rates compared to state-of-the-art methods. In addition, our approach is able to detect some of the vulnerabilities recently released by CVE.

computer science, information systems, software engineering

Xunzhu Tang,Zhenghan Chen,Kisub Kim,Haoye Tian,Saad Ezzini,Jacques Klein

2024-11-26

Abstract:Open-source code is pervasive. In this setting, embedded vulnerabilities are spreading to downstream software at an alarming rate. While such vulnerabilities are generally identified and addressed rapidly, inconsistent maintenance policies may lead security patches to go unnoticed. Indeed, security patches can be {\em silent}, i.e., they do not always come with comprehensive advisories such as CVEs. This lack of transparency leaves users oblivious to available security updates, providing ample opportunity for attackers to exploit unpatched vulnerabilities. Consequently, identifying silent security patches just in time when they are released is essential for preventing n-day attacks, and for ensuring robust and secure maintenance practices. With LLMDA we propose to (1) leverage large language models (LLMs) to augment patch information with generated code change explanations, (2) design a representation learning approach that explores code-text alignment methodologies for feature combination, (3) implement a label-wise training with labelled instructions for guiding the embedding based on security relevance, and (4) rely on a probabilistic batch contrastive learning mechanism for building a high-precision identifier of security patches. We evaluate LLMDA on the PatchDB and SPI-DB literature datasets and show that our approach substantially improves over the state-of-the-art, notably GraphSPD by 20% in terms of F-Measure on the SPI-DB benchmark.

Cryptography and Security,Artificial Intelligence

Wangshu Liu,Ye Yue,Xiang Chen,Qing Gu,Pengzhan Zhao,Xuejun Liu,Jianjun Zhao

DOI: https://doi.org/10.1016/j.infsof.2024.107510

IF: 3.9

2024-06-23

Information and Software Technology

Abstract:Context: Constructing an effective defect prediction model relies on a substantial number of labeled program modules. Unfortunately, program module labeling is often time-consuming and error-prone. Semi-supervised software defect prediction (SSDP) can alleviate this issue by incorporating some labeled modules and the remaining unlabeled modules from the same project. Objective: However, previous SSDP methods ignore the significant influence of dependencies between software modules. The potential of knowledge distillation in leveraging labeled instances to guide the learning process and effectively utilizing information from unlabeled instances to improve SSDP performance has not been fully investigated. Method: We propose a novel approach SeDPGK. Specifically, to exploit the graph-structured knowledge, we first construct the program dependence graph to extract control and data dependencies among modules. Then we use graph neural networks (GNNs) to learn the graph representation of the module relationships and encode with the statement semantics of abstract syntax tree and traditional static features for diversity. Second, we integrate multiple GNNs jointly trained as teacher models to ensemble various styles of graph-based networks and generate trustworthy labels for unlabeled modules. Further, to preserve the teacher model's sufficient structure and semantic knowledge, we adopt a trainable label propagation and multi-layer perception as the student model and mitigate the differences between the teacher and student models using two widespread knowledge distillation functions. Results: We conducted our experiments on 17 real-world projects. The experimental results show that SeDPGK outperforms semi-supervised baselines with an average improvement of 16.9% for PD, 42.5% for FAR, and 8.9% for AUC, respectively. Moreover, the performance improvement is consistently significant across multiple statistical tests. Conclusion: The effectiveness of SeDPGK comes from the aggregation of the different GNNs with heterogeneity. Moreover, the graph structure and semantic features hidden behind the source code play a crucial role in the distillation framework.

computer science, information systems, software engineering

Yufan Zhuang,Sahil Suneja,Veronika Thost,Giacomo Domeniconi,Alessandro Morari,Jim Laredo

DOI: https://doi.org/10.48550/arXiv.2109.03341

2021-09-08

Abstract:Identifying vulnerable code is a precautionary measure to counter software security breaches. Tedious expert effort has been spent to build static analyzers, yet insecure patterns are barely fully enumerated. This work explores a deep learning approach to automatically learn the insecure patterns from code corpora. Because code naturally admits graph structures with parsing, we develop a novel graph neural network (GNN) to exploit both the semantic context and structural regularity of a program, in order to improve prediction performance. Compared with a generic GNN, our enhancements include a synthesis of multiple representations learned from the several parsed graphs of a program, and a new training loss metric that leverages the fine granularity of labeling. Our model outperforms multiple text, image and graph-based approaches, across two real-world datasets.

Artificial Intelligence,Software Engineering

Huijiang Liu,Shuirou Jiang,Xuexin Qi,Yang Qu,Hui Li,Tingting Li,Cheng Guo,Shikai Guo

DOI: https://doi.org/10.1016/j.eswa.2023.121764

IF: 8.5

2023-10-07

Expert Systems with Applications

Abstract:Code vulnerabilities are common in software systems and may cause many problems, including Stack Overflow, memory leaks, and so on. Public reports show that code vulnerabilities are increasing year by year, which brings greater threats to the security of software systems. Thus a variety of neural network models have been developed to detect code vulnerabilities. However, the previous neural network models cannot fully express the semantics and structure of the code with as little overhead as possible, and they also cannot enhance learning of difficult samples. Addressing to this issue, we designed a model built upon GGNN for Detecting Software Vulnerabilities (GDSV), which contains three components. Specifically, Graph Embedding component extracts the semantic and structural features, and generates a graph representation of the code; GGNN component learns these features and detects vulnerabilities in the code; weighted component improves the learning ability of Vulnerable samples through the Focal Loss function. A serial of experiments on the datasets of FFmpeg and QEMU were conducted, and the results show that GDSV performs better than the state-of-the-art efforts based on various widely used evaluations.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Peng Xiao,Qibin Xiao,Xusheng Zhang,Yumei Wu,Fengyu Yang

DOI: https://doi.org/10.1109/tifs.2024.3392536

IF: 7.231

2024-05-10

IEEE Transactions on Information Forensics and Security

Abstract:The detection of program vulnerabilities remains a challenging task in software security. The existing vulnerability detection methods rarely consider the multidimensional feature space complementarity of program graph structures, which easily overlooks contextual environment features and syntax structure features. This disadvantage leads to insufficient performance in capturing complex structural features, which hinders the improvement in detection accuracy. To address this issue, this paper introduces a novel vulnerability detection method, EnGS2F, which adopts the representation learning of an enhanced graph structure to improve the efficiency of capturing vulnerability information. On the dimension of the graph structure, a context relationship graph (CRG) is integrated on the basis of a program dependency graph (PDG) to enrich the global structural context representation. On the dimension of graph nodes, abstract syntax tree (AST) embedding and paragraph embedding are integrated to solve the problem of insufficient feature space complementarity. Moreover, the combination of a gated graph neural network (GGNN) with a graph attention mechanism further improves the learning performance of the enhanced graph structure. EnGS2F has been rigorously evaluated on program slices from open-source vulnerability datasets, demonstrating significant improvements over current competitive methods in detecting program vulnerabilities. Specifically, EnGS2F achieved a significant increase in the F1 score, outperforming existing technologies by 6%.

computer science, theory & methods,engineering, electrical & electronic

Ruyan Lin,Yulong Fu,Wei Yi,Jincheng Yang,Jin Cao,Zhiqiang Dong,Fei Xie,Hui Li

DOI: https://doi.org/10.1145/3694782

IF: 16.6

2024-10-09

ACM Computing Surveys

Abstract:Over the past decade, Open Source Software (OSS) has experienced rapid growth and widespread adoption, attributed to its openness and editability. However, this expansion has also brought significant security challenges, particularly introducing and propagating software vulnerabilities. Despite the use of machine learning and formal methods to tackle these issues, there remains a notable gap in comprehensive surveys that summarize and analyze both Vulnerability Detection (VD) and Security Patch Detection (SPD) in OSS. This article seeks to bridge this gap through an extensive survey that evaluates 127 technical studies published between 2014 and 2023, structured around the Vulnerability-Patch lifecycle. We begin by delineating the six critical events that constitute the Vulnerability-Patch lifecycle, leading to an in-depth exploration of the Vulnerability-Patch ecosystem. We then systematically review the databases commonly used in VD and SPD, and analyze their characteristics. Subsequently, we examine existing VD methods, focusing on traditional and deep learning based approaches. Additionally, we organize current security patch identification methods by kernel type and discuss techniques for detecting the presence of security patches. Based on our comprehensive review, we identify open research questions and propose future research directions that merit further exploration.

computer science, theory & methods

Sha Peng,Mengxiang Liu,Li Chai,Ruilong Deng

DOI: https://doi.org/10.1109/tsg.2024.3445113

IF: 10.275

2024-01-01

IEEE Transactions on Smart Grid

Abstract:The increasing deployment of solar photovoltaic (PV) systems in the electric grid, aimed at addressing the energy crisis and surging power demands, has expanded the potential vulnerability to cyberattacks due to the inter-networking of the grid-connected power electronics converters. In this paper, we propose a dynamic spatiotemporal graph neural network (DST-GNN) for cyberattack detection in grid-tied PV systems. Specifically, to exploit the inherent graph topology of the grid-tied PV system, we start by employing a GNN with a dynamic weighted adjacency matrix to capture the latent spatial correlations within signal data. Then, a one-dimensional convolution neural network (1D-CNN) is utilized to extract the underlying temporal patterns. Notably, we leverage the system dynamics to determine the dynamic graph weights and the number of graph convolution layers, while the hyper-parameters of 1D-CNN are designed based on the periodicity of input signals. Finally, the integration of the priori physical system knowledge further enhances the interpretability and improves the detection performance of DST-GNN. To the best of our knowledge, this is the first work that embeds the grid-tied PV system into a graph structure for cyberattack detection. The effectiveness of DST-GNN is evaluated through comprehensive case studies on a hardware-in-the-loop (HIL) grid-tied PV testbed, and numerical results demonstrate its superiority over baseline methods.

Arthur D. Sawadogo,Tegawendé F. Bissyandé,Naouel Moha,Kevin Allix,Jacques Klein,Li Li,Yves Le Traon

DOI: https://doi.org/10.48550/arXiv.2001.09148

2020-01-25

Abstract:Timely patching is paramount to safeguard users and maintainers against dire consequences of malicious attacks. In practice, patching is prioritized following the nature of the code change that is committed in the code repository. When such a change is labeled as being security-relevant, i.e., as fixing a vulnerability, maintainers rapidly spread the change and users are notified about the need to update to a new version of the library or of the application. Unfortunately, oftentimes, some security-relevant changes go unnoticed as they represent silent fixes of vulnerabilities. In this paper, we propose a Co-Training-based approach to catch security patches as part of an automatic monitoring service of code repositories. Leveraging different classes of features, we empirically show that such automation is feasible and can yield a precision of over 90% in identifying security patches, with an unprecedented recall of over 80%. Beyond such a benchmarking with ground truth data which demonstrates an improvement over the state-of-the-art, we confirmed that our approach can help catch security patches that were not reported as such.

Software Engineering

Wei Tang,Mingwei Tang,Minchao Ban,Ziguo Zhao,Mingjun Feng

DOI: https://doi.org/10.1016/j.jss.2023.111623

IF: 3.5

2023-02-01

Journal of Systems and Software

Abstract:In order to secure software, it is critical to detect potential vulnerabilities. The performance of traditional static vulnerability detection methods is limited by predefined rules, which rely heavily on the expertise of developers. Existing deep learning-based vulnerability detection models usually use only a single sequence or graph embedding approach to extract vulnerability features. Sequence embedding-based models ignore the structured information inherent in the code, and graph embedding-based models lack effective node and graph embedding methods. As a result, we propose a novel deep learning-based approach, CSGVD ( C ombining S equence and G raph embedding for V ulnerability D etection), which considers function-level vulnerability detection as a graph binary classification task. Firstly, we propose a PE-BL module, which inherits and enhances the knowledge from the pre-trained language model. It extracts the code's local semantic features as node embedding in the control flow graph by using sequence embedding. Secondly, CSGVD uses graph neural networks to extract the structured information of the graph. Finally, we propose a mean biaffine attention pooling, M-BFA, to better aggregate node information as a graph's feature representation. The experimental results show that CSGVD outperforms the existing state-of-the-art models and obtains 64.46% accuracy on the real-world benchmark dataset from CodeXGLUE for vulnerability detection.

computer science, theory & methods, software engineering