A dual graph neural networks model using sequence embedding as graph nodes for vulnerability detection

IF 3.8 2区 计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS Information and Software Technology Pub Date : 2024-09-07 DOI:10.1016/j.infsof.2024.107581
Miaogui Ling, Mingwei Tang, Deng Bian, Shixuan Lv, Qi Tang
{"title":"A dual graph neural networks model using sequence embedding as graph nodes for vulnerability detection","authors":"Miaogui Ling,&nbsp;Mingwei Tang,&nbsp;Deng Bian,&nbsp;Shixuan Lv,&nbsp;Qi Tang","doi":"10.1016/j.infsof.2024.107581","DOIUrl":null,"url":null,"abstract":"<div><h3>Context:</h3><p>Detecting critical to ensure software system security. The traditional static vulnerability detection methods are limited by staff expertise and perform poorly with today’s increasingly complex software systems. Researchers have successfully applied the techniques used in NLP to vulnerability detection as deep learning has developed. The existing deep learning-based vulnerability detection models can be divided into sequence-based and graph-based categories. Sequence-based embedding models cannot use structured information embedded in the code, and graph-based embedding models lack effective node representations.</p></div><div><h3>Objective:</h3><p>To solve these problems, we propose a deep learning-based method, DGVD (Double Graph Neural Network for Vulnerability Detection).</p></div><div><h3>Methods:</h3><p>We use the sequential neural network approach to extract local semantic features of the code as nodes embedded in the control flow graph. First, we propose a dual graph neural network module (DualGNN) that consists of GCN and GAT. The altered module utilizes two different graph neural networks to obtain the global structural information of the control flow and the relationship between the nodes and fuses the two. Second, we propose a convolution-based feature enhancement module (TC-FE) that uses different convolution kernels of different sizes to capture information at different scales so that subsequent readout layers can better aggregate node information.</p></div><div><h3>Results:</h3><p>Experiments demonstrate that DGVD outperforms existing models, obtaining 64.23% vulnerability detection accuracy on CodeXGLUE’s real benchmark dataset.</p></div><div><h3>Conclusion:</h3><p>The proposed DGVD achieves better performance than the state-of-the-art DGVD has a more effective source code feature extraction capability on real-world datasets.</p></div>","PeriodicalId":54983,"journal":{"name":"Information and Software Technology","volume":"177 ","pages":"Article 107581"},"PeriodicalIF":3.8000,"publicationDate":"2024-09-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S0950584924001861/pdfft?md5=450f5d915db5cb174d591dea662c75cd&pid=1-s2.0-S0950584924001861-main.pdf","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Information and Software Technology","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0950584924001861","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0

Abstract

Context:

Detecting critical to ensure software system security. The traditional static vulnerability detection methods are limited by staff expertise and perform poorly with today’s increasingly complex software systems. Researchers have successfully applied the techniques used in NLP to vulnerability detection as deep learning has developed. The existing deep learning-based vulnerability detection models can be divided into sequence-based and graph-based categories. Sequence-based embedding models cannot use structured information embedded in the code, and graph-based embedding models lack effective node representations.

Objective:

To solve these problems, we propose a deep learning-based method, DGVD (Double Graph Neural Network for Vulnerability Detection).

Methods:

We use the sequential neural network approach to extract local semantic features of the code as nodes embedded in the control flow graph. First, we propose a dual graph neural network module (DualGNN) that consists of GCN and GAT. The altered module utilizes two different graph neural networks to obtain the global structural information of the control flow and the relationship between the nodes and fuses the two. Second, we propose a convolution-based feature enhancement module (TC-FE) that uses different convolution kernels of different sizes to capture information at different scales so that subsequent readout layers can better aggregate node information.

Results:

Experiments demonstrate that DGVD outperforms existing models, obtaining 64.23% vulnerability detection accuracy on CodeXGLUE’s real benchmark dataset.

Conclusion:

The proposed DGVD achieves better performance than the state-of-the-art DGVD has a more effective source code feature extraction capability on real-world datasets.

查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
利用序列嵌入作为图节点进行漏洞检测的双图神经网络模型
背景:检测对确保软件系统安全至关重要。传统的静态漏洞检测方法受到工作人员专业知识的限制,在当今日益复杂的软件系统中表现不佳。随着深度学习的发展,研究人员已成功地将 NLP 技术应用于漏洞检测。现有的基于深度学习的漏洞检测模型可分为基于序列和基于图的两类。基于序列的嵌入模型无法使用代码中嵌入的结构化信息,而基于图的嵌入模型则缺乏有效的节点表示。方法:我们使用序列神经网络方法提取代码的局部语义特征,将其作为节点嵌入控制流图中。首先,我们提出了由 GCN 和 GAT 组成的双图神经网络模块(DualGNN)。改变后的模块利用两种不同的图神经网络获取控制流的全局结构信息和节点之间的关系,并将二者融合。其次,我们提出了基于卷积的特征增强模块(TC-FE),利用不同大小的卷积核捕捉不同尺度的信息,从而使后续读出层能够更好地聚合节点信息。结果:实验证明,DGVD的性能优于现有模型,在CodeXGLUE的真实基准数据集上获得了64.23%的漏洞检测准确率。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
Information and Software Technology
Information and Software Technology 工程技术-计算机:软件工程
CiteScore
9.10
自引率
7.70%
发文量
164
审稿时长
9.6 weeks
期刊介绍: Information and Software Technology is the international archival journal focusing on research and experience that contributes to the improvement of software development practices. The journal''s scope includes methods and techniques to better engineer software and manage its development. Articles submitted for review should have a clear component of software engineering or address ways to improve the engineering and management of software development. Areas covered by the journal include: • Software management, quality and metrics, • Software processes, • Software architecture, modelling, specification, design and programming • Functional and non-functional software requirements • Software testing and verification & validation • Empirical studies of all aspects of engineering and managing software development Short Communications is a new section dedicated to short papers addressing new ideas, controversial opinions, "Negative" results and much more. Read the Guide for authors for more information. The journal encourages and welcomes submissions of systematic literature studies (reviews and maps) within the scope of the journal. Information and Software Technology is the premiere outlet for systematic literature studies in software engineering.
期刊最新文献
Editorial Board A software product line approach for developing hybrid software systems Systematic mapping study on requirements engineering for regulatory compliance of software systems Evaluating the understandability and user acceptance of Attack-Defense Trees: Original experiment and replication Who uses personas in requirements engineering: The practitioners’ perspective
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1