计算机工程与应用 ›› 2024, Vol. 60 ›› Issue (3): 292-298.DOI: 10.3778/j.issn.1002-8331.2209-0420

• 网络、通信与安全 • 上一篇    下一篇

基于深层图卷积网络与注意力的漏洞检测方法

肖鹏,张旭升,杨丰玉,郑巍   

  1. 南昌航空大学 软件学院,南昌 330063
  • 出版日期:2024-02-01 发布日期:2024-02-01

Vulnerability Detection Based on Deep Graph Convolutional Network and Attention Mechanism

XIAO Peng, ZHANG Xusheng, YANG Fengyu, ZHENG Wei   

  1. School of Software, Nanchang Hangkong University, Nanchang 330063, China
  • Online:2024-02-01 Published:2024-02-01

摘要: 针对现有基于图神经网络的漏洞挖掘方法中缺乏上下文环境信息而导致图结构特征不全面,以及过平滑问题使模型无法学习图结构高阶特征导致预测性能不佳的问题,提出一种基于深层图卷积网络与图注意力的漏洞检测方法PSG-GCNIIAT。在程序依赖关系图基础上,PSG融合顺序关系图,令代码行语句具备感知其上下文信息能力,通过抽象语法树来生成代码行的嵌入向量,实现图节点深层结构特征提取;GCNIIAT采用深层图卷积网络GCNII,结合图注意力机制,更有效地识别程序切片的图结构特征与漏洞关联。实验结果表明,PSG-GCNIIAT漏洞检测方法比VulDeePecker、GCN、GGNN在准确率和F值指标上具有明显优势,能够显著提升程序漏洞检测的性能。

关键词: 程序漏洞, 图注意力, 深层图卷积网络, 图结构特征

Abstract: To address the problem of incomplete graph structure features due to the lack of contextual information in existing graph neural network-based vulnerability mining methods and the problem of over-smoothing that prevents the model from learning higher-order features of the graph structure resulting in poor prediction performance, a vulnerability detection method based on deep graph convolutional networks and attention mechanism, PSG-GCNIIAT, is proposed. PSG fuses order relational graphs on the basis of program dependency graphs so that code statements have the ability to sense their contextual information, and generates embedding vectors of code lines by abstracting syntax trees to achieve deep structure feature extraction of graph nodes. GCNIIAT uses a deep graph convolutional network, GCNII, combined with a graph attention mechanism to more effectively identify graph structure features of program slices associated with vulnerabilities. The experimental results show that the vulnerability detection model PSG-GCNIIAT has obvious advantages over VulDeePecker, GCN and GGNN in accuracy and F value, and it can effectively improve the performance of program vulnerability detection.

Key words: program vulnerability, graph attention, deep graph convolutional network, graph structural features