mVulSniffer：一种多类型源代码漏洞检测方法

张学军; 张奉鹤; 盖继扬; 杜晓刚; 周文杰; 蔡特立; 赵博

doi:10.11959/j.issn.1000-436x.2023184

您当前的位置：

首页 >

文章列表页 >

mVulSniffer：一种多类型源代码漏洞检测方法

学术论文 | 更新时间：2024-06-06

- mVulSniffer：一种多类型源代码漏洞检测方法
- mVulSniffer: a multi-type source code vulnerability sniffer method
- 通信学报 2023年44卷第9期页码：149-160
- 作者机构：
  
  1. 兰州交通大学电子与信息工程学院，甘肃兰州 730070
  2. 陕西科技大学电子信息与人工智能学院，陕西西安 710021
  3. 3.国家电网甘肃省电力公司，甘肃兰州 730000
- 作者简介：
  
  [ "张学军（1977- ），男，宁夏中卫人，博士，兰州交通大学教授，主要研究方向为网络安全、数据隐私与机器学习等" ]
  [ "张奉鹤（1999- ），男，山西大同人，兰州交通大学硕士生，主要研究方向为漏洞挖掘" ]
  [ "盖继扬（1995- ），男，甘肃平凉人，兰州交通大学硕士生，主要研究方向为入侵检测与漏洞挖掘" ]
  [ "杜晓刚（1985- ），男，陕西宝鸡人，博士，陕西科技大学副教授，主要研究方向为机器学习与计算机视觉等" ]
  [ "周文杰（1979- ），女，湖南长沙人，博士，兰州交通大学副教授，主要研究方向为大数据与复杂网络等" ]
  [ "蔡特立（1997- ），男，陕西汉中人，兰州交通大学硕士生，主要研究方向为漏洞挖掘" ]
  [ "赵博（1981- ），男，甘肃平凉人，国家电网甘肃省电力公司高级工程师，主要研究方向为电网安全与软件安全" ]
- 基金信息：
  
  国家自然科学基金资助项目(61762058);甘肃省自然科学基金资助项目(21JR7RA282);甘肃省教育厅产业支撑基金资助项目(2022CYZC-38);国家电网科技基金资助项目(W32KJ2722010);国家电网科技基金资助项目(522722220013)
- DOI：10.11959/j.issn.1000-436x.2023184
  中图分类号： TP311
- 网络出版日期：2023-09，
  
  纸质出版日期：2023-09-25
- 稿件说明：
移动端阅览
张学军, 张奉鹤, 盖继扬, 等. mVulSniffer：一种多类型源代码漏洞检测方法[J]. 通信学报, 2023,44(9):149-160.

Xuejun ZHANG, Fenghe ZHANG, Jiyang GAI, et al. mVulSniffer: a multi-type source code vulnerability sniffer method[J]. Journal on communications, 2023, 44(9): 149-160.
张学军, 张奉鹤, 盖继扬, 等. mVulSniffer：一种多类型源代码漏洞检测方法[J]. 通信学报, 2023,44(9):149-160. DOI： 10.11959/j.issn.1000-436x.2023184.

Xuejun ZHANG, Fenghe ZHANG, Jiyang GAI, et al. mVulSniffer: a multi-type source code vulnerability sniffer method[J]. Journal on communications, 2023, 44(9): 149-160. DOI： 10.11959/j.issn.1000-436x.2023184.

摘要

针对现有基于深度学习的源代码漏洞检测方法使用的代码切片不能全面覆盖漏洞类间细微差异特征，且单一深度学习检测模型对跨文件、跨函数代码语句间较长的上下文依赖信息学习能力不足的问题，提出一种多类型源代码漏洞检测方法。首先，基于程序依赖图中的控制依赖和数据依赖信息，抽取包含可区分漏洞类型的细粒度两级代码切片。其次，将两级切片转化为初始表示向量。最后，构建适用于两级代码切片的深度学习漏洞检测融合模型，实现对多类型源代码漏洞的准确检测。在多个合成数据集及2个真实数据上的实验结果表明，所提方法的检测效果优于现有的多类型源代码漏洞检测方法。

Abstract

Given the problem that the code slice used by existing deep learning-based vulnerability sniffer methods could not comprehensively encompass the subtle characteristics between vulnerability classes

and a single deep learning sniffer model had insufficient ability to learn long context-dependent information between cross-file and cross-function code statements

a multi-type source code vulnerability sniffer method was proposed.Firstly

fine-grained two-level slices containing the types of vulnerabilities were extracted based on the control dependency and data dependency information in program dependency graph.Secondly

the two-level slices were transformed into initial feature vector.Finally

a fusion model of deep learning vulnerability sniffer suitable for two-level slices was constructed to achieve accurate vulnerability detection of multi-type source code.The experimental results on multiple synthetic datasets and two real datasets show that the proposed method outperforms the existing multi-type source code vulnerability sniffer methods.

关键词

Keywords

references

刘剑 , 苏璞睿 , 杨珉 , 等 . 软件与网络安全研究综述 [J ] . 软件学报 , 2018 , 29 ( 1 ): 42 - 68 .

LIU J , SU P R , YANG M , et al . Software and cyber security-a survey [J ] . Journal of Software , 2018 , 29 ( 1 ): 42 - 68 .

吴世忠 . 信息安全漏洞分析回顾与展望 [J ] . 清华大学学报(自然科学版) , 2009 , 49 ( S2 ): 2065 - 2072 .

WU S . Review and outlook of information security vulnerability analysis [J ] . Journal of Tsinghua University (Science and Technology) , 2009 , 49 ( S2 ): 2065 - 2072 .

吴世忠 , 郭涛 , 董国伟 , 等 . 软件漏洞分析技术进展 [J ] . 清华大学学报(自然科学版) , 2012 , 52 ( 10 ): 1309 - 1319 .

WU S Z , GUO T , DONG G W , et al . Software vulnerability analyses:a road map [J ] . Journal of Tsinghua University (Science and Technology) , 2012 , 52 ( 10 ): 1309 - 1319 .

BROOKS T N . Survey of automated vulnerability detection and exploit generation techniques in cyber reasoning systems [C ] // Proceed ings of the Science and Information Conference . Berlin:Springer , 2018 : 1083 - 1102 .

BÖHME M , PHAM V T , ROYCHOUDHURY A . Coverage-based greybox fuzzing as Markov chain [J ] . IEEE Transactions on Software Engineering , 2017 , 45 ( 5 ): 489 - 506 .

STEPHENS N , GROSEN J , SALLS C , et al . Driller:augmenting fuzzing through selective symbolic execution [C ] // Proceedings of the Network and Distributed System Security Symposium . Piscataway:IEEE Press , 2016 , 16 ( 2016 ): 1 - 16 .

邹权臣 , 张涛 , 吴润浦 , 等 . 从自动化到智能化:软件漏洞挖掘技术进展 [J ] . 清华大学学报(自然科学版) , 2018 , 58 ( 12 ): 1079 - 1094 .

ZOU Q C , ZHANG T , WU R P , et al . From automation to intelligence:survey of research on vulnerability discovery techniques [J ] . Journal of Tsinghua University , 2018 , 58 ( 12 ): 1079 - 1094 .

李韵 , 黄辰林 , 王中锋 , 等 . 基于机器学习的软件漏洞挖掘方法综述 [J ] . 软件学报 , 2020 , 31 ( 7 ): 2040 - 2061 .

LI Y , HUANG C L , WANG Z F , et al . Survey of software vulnerability mining methods based on machine learning [J ] . Journal of Software , 2020 , 31 ( 7 ): 2040 - 2061 .

王雅文 , 姚欣洪 , 宫云战 , 等 . 一种基于代码静态分析的缓冲区溢出检测算法 [J ] . 计算机研究与发展 , 2012 , 49 ( 4 ): 839 - 845 .

WANG Y W , YAO X H , GONG Y Z , et al . A buffer overflow detection algorithm based on static analysis of code [J ] . Journal of Computer Research and Development , 2012 , 49 ( 4 ): 839 - 845 .

段旭 , 吴敬征 , 罗天悦 , 等 . 基于代码属性图及注意力双向 LSTM的漏洞挖掘方法 [J ] . 软件学报 , 2020 , 31 ( 11 ): 3404 - 3420 .

DUAN X , WU J Z , LUO T Y , et al . Vulnerability mining method based on code property graph and attention BiLSTM [J ] . Journal of Software , 2020 , 31 ( 11 ): 3404 - 3420 .

YAMAGUCHI F , LINDNER F , RIECK K . Vulnerability extrapolation:assisted discovery of vulnerabilities using machine learning [C ] // Proceedings of the 5th USENIX Conference on Offensive Technologies . Berkeley:USENIX Association , 2011 : 118 - 127 .

PARK J , SHIN J , CHOI B . Detection of vulnerabilities by incorrect use of variable using machine learning [J ] . Electronics , 2023 , 12 ( 5 ): 1197 - 1212 .

RUSSELL R , KIM L , HAMILTON L , et al . Automated vulnerability detection in source code using deep representation learning [C ] // Proceedings of the 17th IEEE International Conference on Machine Learning and Applications . Piscataway:IEEE Press , 2018 : 757 - 762 .

WANG S , LIU T Y , TAN L . Automatically learning semantic features for defect prediction [C ] // Proceedings of the 2016 IEEE/ACM 38th International Conference on Software Engineering . Piscataway:IEEE Press , 2016 : 297 - 308 .

LI J , HE P J , ZHU J M , et al . Software defect prediction via convolutional neural network [C ] // Proceedings of the 2017 IEEE International Conference on Software Quality,Reliability and Security . Piscataway:IEEE Press , 2017 : 318 - 328 .

DAM H K , PHAM T , NG S W , et al . A deep tree-based model for software defect prediction [J ] . arXiv Preprint,arXiv:1802.00921 , 2018 .

KIM J , HUBCZENKO D , MONTAGUE P . Towards attention based vulnerability discovery using source code representation [C ] // Proceedings of the International Conference on Artificial Neural Networks . Berlin:Springer , 2019 : 731 - 746 .

HARER J A , KIM L Y , RUSSELL R L , et al . Automated software vulnerability detection with machine learning [J ] . arXiv Preprint,arXiv:1803.04497 , 2018 .

DUAN X , WU J , JI S , et al . VulSniper:focus your attention to shoot fine-grained vulnerabilities [C ] // Proceedings of the 28th International Joint Conference on Artificial Intelligence . Menlo Park:AAAI Press , 2019 : 4665 - 4671 .

ZHOU Y , LIU S , SIOW J , et al . Devign:effective vulnerability identification by learning comprehensive program semantics via graph neural networks [J ] . Advances in Neural Information Processing Systems , 2019 , 32 : 10197 - 10207 .

CAO S , SUN X , BO L , et al . BGNN4VD:constructing bidirectional graph neural-network for vulnerability detection [J ] . Information and Software Technology , 2021 , 136 : 106576 - 106587 .

FAN Y H , WAN C H , FU C , et al . VDoTR:vulnerability detection based on tensor representation of comprehensive code graphs [J ] . Computers ＆ Security , 2023 , 130 : 103247 - 103259 .

CHANDRA T , SEUNG I J , MUHAMMAD E A , et al . Transformer-based language models for software vulnerability detection [C ] // Proceedings of the 38th Annual Computer Security Applications Conference . New York:ACM Press , 2022 : 481 - 496 .

LI Z , ZOU D Q , XU S H , et al . VulDeePecker:a deep learning-based system for vulnerability detection [J ] . arXiv Preprint,arXiv:1801.01681 , 2018 .

LI Z , ZOU D Q , XU S H , et al . SySeVR:a framework for using deep learning to detect software vulnerabilities [J ] . IEEE Transactions on Dependable and Secure Computing , 2022 , 19 ( 4 ): 2244 - 2258 .

杨宏宇 , 杨海云 , 张良 , 等 . 基于特征依赖图的源代码漏洞检测方法 [J ] . 通信学报 , 2023 , 44 ( 1 ): 103 - 117 .

YANG H Y , YANG H Y , ZHANG L , et al . Feature dependence graph based source code loophole detection method [J ] . Journal on Communications , 2023 , 44 ( 1 ): 103 - 117 .

胡雨涛 , 王溯远 , 吴月明 , 等 . 基于图神经网络的切片级漏洞检测及解释方法 [J ] . 软件学报 , 2023 , 34 ( 6 ): 2543 - 2561 .

HU Y T , WANG S Y , WU Y M , et al . Slice-level vulnerability detection and interpretation method based on graph neural network [J ] . Journal of Software , 2023 , 34 ( 6 ): 2543 - 2561 .

ZOU D Q , WANG S J , XU S H , et al . μVulDeePecker:a deep learning-based system for multiclass vulnerability detection [J ] . IEEE Transactions on Dependable and Secure Computing , 2021 , 18 ( 5 ): 2224 - 2236 .

AGRAWAL A , MENZIES T . Is “better data” better than “better data miners”? on the benefits of tuning smote for defect prediction [C ] // Proceedings of the 40th International Joint Conference on Software Engineering . New York:ACM Press , 2018 : 1050 - 1061 .

FENG Z Y , GUO D Y , TANG D Y , et al . CodeBERT:a pre-trained model for programming and natural languages [C ] // Proceedings of Findings of the Association for Computational Linguistics . Stroudsburg:ACL Press , 2020 : 1536 - 1547 .

邓枭 , 叶蔚 , 谢睿 , 等 . 基于深度学习的源代码缺陷检测研究综述 [J ] . 软件学报 , 2023 , 34 ( 2 ): 625 - 654 .

DENG X , YE W , XIE R , et al . Survey of source code bug detection based on deep learning [J ] . Journal of Software , 2023 , 34 ( 2 ): 625 - 654 .

CHAKRABORTY S , KRISHNA R , DING Y , et al . Deep learning based vulnerability detection:are we there yet? [J ] . IEEE Transactions on Software Engineering , 2022 , 48 ( 9 ): 3280 - 3296 .

浏览量

468

下载量

CSCD

文章被引用时，请邮件提醒。

提交

工具集

关联资源

超大规模太赫兹系统深度学习信道估计算法

基于深度学习的正交频分复用系统信道估计

融合多尺度深度卷积的轻量级Transformer交通场景语义分割算法

基于机器学习的加密流量分类研究综述

基于SVM-RFE与Transformer-TBAM的高校邮件分析研究