基于深层图卷积网络与注意力的漏洞检测方法

doi:10.3778/j.issn.1002-8331.2209-0420

摘要/Abstract

摘要： 针对现有基于图神经网络的漏洞挖掘方法中缺乏上下文环境信息而导致图结构特征不全面，以及过平滑问题使模型无法学习图结构高阶特征导致预测性能不佳的问题，提出一种基于深层图卷积网络与图注意力的漏洞检测方法PSG-GCNIIAT。在程序依赖关系图基础上，PSG融合顺序关系图，令代码行语句具备感知其上下文信息能力，通过抽象语法树来生成代码行的嵌入向量，实现图节点深层结构特征提取；GCNIIAT采用深层图卷积网络GCNII，结合图注意力机制，更有效地识别程序切片的图结构特征与漏洞关联。实验结果表明，PSG-GCNIIAT漏洞检测方法比VulDeePecker、GCN、GGNN在准确率和F值指标上具有明显优势，能够显著提升程序漏洞检测的性能。

关键词: 程序漏洞, 图注意力, 深层图卷积网络, 图结构特征

Abstract: To address the problem of incomplete graph structure features due to the lack of contextual information in existing graph neural network-based vulnerability mining methods and the problem of over-smoothing that prevents the model from learning higher-order features of the graph structure resulting in poor prediction performance, a vulnerability detection method based on deep graph convolutional networks and attention mechanism, PSG-GCNIIAT, is proposed. PSG fuses order relational graphs on the basis of program dependency graphs so that code statements have the ability to sense their contextual information, and generates embedding vectors of code lines by abstracting syntax trees to achieve deep structure feature extraction of graph nodes. GCNIIAT uses a deep graph convolutional network, GCNII, combined with a graph attention mechanism to more effectively identify graph structure features of program slices associated with vulnerabilities. The experimental results show that the vulnerability detection model PSG-GCNIIAT has obvious advantages over VulDeePecker, GCN and GGNN in accuracy and F value, and it can effectively improve the performance of program vulnerability detection.

Key words: program vulnerability, graph attention, deep graph convolutional network, graph structural features

肖鹏, 张旭升, 杨丰玉, 郑巍. 基于深层图卷积网络与注意力的漏洞检测方法[J]. 计算机工程与应用, 2024, 60(3): 292-298.

XIAO Peng, ZHANG Xusheng, YANG Fengyu, ZHENG Wei. Vulnerability Detection Based on Deep Graph Convolutional Network and Attention Mechanism[J]. Computer Engineering and Applications, 2024, 60(3): 292-298.

参考文献

[1] 李舟军, 张俊贤, 廖湘科, 等.软件安全漏洞检测技术[J]. 计算机学报, 2015, 38(4): 717-732.
LI Z J, ZHANG J X, LIAO X K, et al. Survey of software vulnerability detection techniques[J]. Chinese Journal of Computers, 2015, 38(4): 717-732.
[2] JING X Y, WU F, DONG X W, et al. An improved SDA based defect prediction framework for both within-project andcross-project class-imbalance problems[J]. IEEE Transactions on Software Engineering, 2017, 43(4): 321-339.
[3] NAGAPPAN N, ZIMMERMANN T, WILLIAMS L, et al. Searching for a needle in a haystack: predicting security vulnerabilities for windows vista[C]//Proceedings of the Third International Conference on Software Testing, Verification and Validation, 2010: 421-428.
[4] YANG X, LO D, XIA X, et al. Deep learning for just-in-time defect prediction[C]//Proceedings of the IEEE International Conference on Software Quality, 2015:17-26.
[5] LIN G, ZHANG J, LUO W, et al. POSTER: vulnerability discovery with function representation learning from unlabeled projects[C]//Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, 2017: 2539-2541.
[6] ZOU D, WANG S, XU S, et al. μVulDeePecker: a deep learning-based system for multiclass vulnerability detection[J]. IEEE Transactions on Dependable and Secure Computing, 2021, 18(5): 2224-2236.
[7] LI Z, ZOU D, XU S, et al. SySeVR: a framework for using deep learning to detect software vulnerabilities[J]. IEEE Transactions on Dependable and Secure Computing, 2022, 19(4): 2244-2258.
[8] FAN G, DIAO X, YU H, et al. Software defect prediction via attention-based recurrent neural network[J]. Scientific Programming, 2019: 6230953.
[9] RAY B, HELLENDOORN V J, GODHANE S, et al. On the “naturalness” of buggy code[C]//2016 IEEE/ACM 38th International Conference on Software Engineering, 2016: 428-439.
[10] CHENG X, WANG H, HUA J, et al. Static detection of control-flow-related vulnerabilities using graph embedding[C]//2019 24th International Conference on Engineering of Complex Computer Systems, 2019: 41-50.
[11] CAO S, SUN X, BO L, et al. MVD: memory-related vulnerability detection based on flow-sensitive graph neural networks[C]//Proceedings of the 44th International Conference on Software Engineering, 2022: 1456-1468.
[12] SIKIC L, KURDIJA A S, VLADIMIR K, et al. Graph neural network for source code defect prediction[J]. IEEE Access, 2022, 10:10402.
[13] XU J, WANG F, AI J. Defect prediction with semantics and context features of codes based on graph representation learning[J]. IEEE Transactions on Reliability, 2021, 70(2): 613-25.
[14] 段旭, 吴敬征, 罗天悦, 等.基于代码属性图及注意力双向 LSTM 的漏洞挖掘方法[J].软件学报, 2020, 31(11): 3404-3420.
DUAN X, WU J Z, LUO T Y, et al. Vulnerability mining method based on code property graph and attention BiLSTM[J]. Journal of Software, 2020, 31(11): 3404-3420.
[15] 赵波, 上官晨晗, 彭小燕, 等.基于语义感知图神经网络的智能合约字节码漏洞检测方法[J].工程科学与技术, 2022, 54(2): 49-55.
ZHAO B, SHANGGUAN C H, PENG X Y, et al. Semantic-aware graph neural network for smart contract byte code vulnerability detection[J].Advanced Engineering Sciences,2022, 54(2): 49-55.
[16] WEISER M. Program slicing[C]//Proceedings of the 5th International Conference on Software Engineering, 1981: 439-449.
[17] SCARSELLI F, GORI M, TSOI A C, et al. The graph neural network model[J]. IEEE Transactions on Neural Networks, 2009, 20(1): 61-80.
[18] GORI M, MONFARDINI G, SCARSELLI F. A new model for learning in graph domains[C]//Proceedings of the 2005 IEEE International Joint Conference on Neural Networks, 2005: 729-734.
[19] KIPF T N, WELLING M. Semi-supervised classification with graph convolutional networks[C]//5th International Conference on Learning Representations, 2017.
[20] VELIKOVI P, CUCURULL G, CASANOVA A, et al. Graph attention networks[C]//International Conference on Learning Representations, 2018.
[21] CHEN M, WEI Z, HUANG Z, et al. Simple and deep graph convolutional networks[C]//Proceedings of the 37th International Conference on Machine Learning, 2020: 1725-1735.
[22] CHENG X, WANG H, HUA J, et al. DeepWukong: statically detecting software vulnerabilities using deep graph neural network[J]. ACM Transactions on Software Engineering and Methodology, 2021, 30(3): 1-33.
[23] NGHI D B, YU Y, JIANG L. InferCode: self-supervised learning of code representations by predicting subtrees[C]//2021 IEEE/ACM 43rd International Conference on Software Engineering (ICSE), 2021: 1186-1197.
[24] HE K, ZHANG X, REN S, et al. Deep residual learning for image recognition[C]//2016 IEEE Conference on Computer Vision and Pattern Recognition, 2016: 770-778.
[25] CHENG W, SHEN Y, ZHU Y, et al. A neural attention model for urban air quality inference: learning the weights of monitoring stations[C]//Conference on Artificial Intelligence, 2018: 2151-2158.