VulSPG: Vulnerability detection based on slice property graph representation learning

Zheng, Weining; Jiang, Yuan; Su, Xin

doi:10.48550/arxiv.2109.02527

Cited by 2 publications

(3 citation statements)

References 33 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To optimally represent the characteristics of a node in the entire code attribute graph, it is necessary to map the information of its neighbor nodes to itself. Considering that each neighbor node has different weights for its influence, we use a Graph Attention Network with a multi-head attention mechanism; the aggregation effect of the attention mechanism on node information has been demonstrated in many studies [27], [34], [45], [46], [47], [48]. Besides, the attention mechanism can deal with latent noise features.…”

Section: Graph Feature Extractionmentioning

confidence: 99%

“…Attention-based graph neural network methods are also widely used in vulnerability detection. VulSPG [45] introduced a triple attention mechanism of node attention mechanism, sentence attention mechanism, and subgraph attention mechanism for slice attribute graph to improve the ability of node information aggregation. ACGVD [46] designed a node-level attention mechanism and a pathlevel attention mechanism for data control flow graphs to improve the classification performance.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Vulnerability Detection With Graph Attention Network And Metric Learning

Zhang¹,

Liu²,

Fan³

et al. 2022

Preprint

View full text Add to dashboard Cite

Static code vulnerability detection is a critical topic in software security. Existing software analysis methods have a high rate of false positives and false negatives. Researchers are interested in employing deep learning to discover vulnerabilities automatically, thanks to the recent success of deep learning algorithms in other application domains.This paper aims at the problem of insufficient and effective extraction of syntax and semantics, the issue of data imbalance, and the problem of overlapping feature distributions between vulnerable and non-vulnerable samples. We illustrate how to create models in a more principled way. We build GSM, a systematic vulnerability detection model based on Graph Attention Network, Sampling methods, and Metric Learning, one phase for one problem solution. When compared to the state-of-the-art approaches, our method achieves 11.5%, 12.3%, 12.57%, and 7.90% improvement in Precision, Recall, F1-Score, and AUC, respectively. Finally, based on the methods proposed in each stage of this paper, we put forward directions and suggestions for more efficient vulnerability detection tasks in the following research.

show abstract

Section: Graph Feature Extractionmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Vulnerability Detection With Graph Attention Network And Metric Learning

Zhang¹,

Liu²,

Fan³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Many researchers argued that the control and data flows are well-structured which can also reveal useful information for understanding code semantics indicative of vulnerable patterns. Therefore, a number of studies utilize Graph Neural Networks (GNNs) for structural information extraction, including FUNDED [42], Devign [3], VulSPG [43], and Zhuang et al [44]. However, these studies highly depend on code analysis to obtain code graph.…”

Section: Software Vulnerability Detectionmentioning

confidence: 99%

Distilled and Contextualized Neural Models Benchmarked for Vulnerable Function Detection

Lin

Jia

2022

Mathematics

View full text Add to dashboard Cite

Detecting vulnerabilities in programs is an important yet challenging problem in cybersecurity. The recent advancement in techniques of natural language understanding enables the data-driven research on automated code analysis to embrace Pre-trained Contextualized Models (PCMs). These models are pre-trained on the large corpus and can be fine-tuned for various downstream tasks, but their feasibility and effectiveness for software vulnerability detection have not been systematically studied. In this paper, we explore six prevalent PCMs and compare them with three mainstream Non-Contextualized Models (NCMs) in terms of generating effective function-level representations for vulnerability detection. We found that, although the detection performance of PCMs outperformed that of the NCMs, training and fine-tuning PCMs were computationally expensive. The budgets for deployment and inference are also considerable in practice, which may prevent the wide adoption of PCMs in the field of interest. However, we discover that, when the PCMs were compressed using the technique of knowledge distillation, they achieved similar detection performance but with significantly improved efficiency compared with their uncompressed counterparts when using 40,000 synthetic C functions for fine-tuning and approximately 79,200 real-world C functions for training. Among the distilled PCMs, the distilled CodeBERT achieved the most cost-effective performance. Therefore, we proposed a framework encapsulating the Distilled CodeBERT for an end-to-end Vulnerable function Detection (named DistilVD). To examine the performance of the proposed framework in real-world scenarios, DistilVD was tested on four open-source real-world projects with a small amount of training data. Results showed that DistilVD outperformed the five baseline approaches. Further evaluations on multi-class vulnerability detection also confirmed the effectiveness of DistilVD for detecting various vulnerability types.

show abstract

VulSPG: Vulnerability detection based on slice property graph representation learning

Cited by 2 publications

References 33 publications

Vulnerability Detection With Graph Attention Network And Metric Learning

Vulnerability Detection With Graph Attention Network And Metric Learning

Distilled and Contextualized Neural Models Benchmarked for Vulnerable Function Detection

Contact Info

Product

Resources

About