Authors: WEN Min; WANG Rongcun; JIANG Shujuan
Affiliations: [1] Engineering Research Center of Mine Digitalization, Ministry of Education (China University of Mining and Technology), Xuzhou, Jiangsu 221116, China; [2] School of Computer Science and Technology, China University of Mining and Technology, Xuzhou, Jiangsu 221116, China; [3] Key Laboratory of Safety-Critical Software, Ministry of Industry and Information Technology (Nanjing University of Aeronautics and Astronautics), Nanjing, Jiangsu 211106, China
Source: 《计算机应用》 (Journal of Computer Applications), 2022, Issue 6, pp. 1814-1821 (8 pages)
Funding: National Natural Science Foundation of China (61673384, 618761860); Natural Science Foundation of Jiangsu Province (BK20181353); Open Fund of the Key Laboratory of Safety-Critical Software, Ministry of Industry and Information Technology (1015-56XCA18164).
Abstract: Software security ultimately rests on the source code that developers write, but as software grows in size and complexity, manual vulnerability detection alone is costly and does not scale, while existing code analysis tools suffer from high false positive and false negative rates. To improve detection precision, this paper proposes an automated vulnerability detection method based on a relational graph convolutional network (RGCN). First, program source code is converted into a code property graph (CPG) that carries both syntactic and semantic information. Then an RGCN performs representation learning over the graph structure, using a separate weight matrix for each edge relation. Finally, a neural network model is trained on the learned representations to predict whether the source code contains a vulnerability. The method was evaluated on real-world software vulnerability samples: it achieves a recall of 80.27% and an F1-measure of 63.78%. Compared with Flawfinder, VulDeePecker and a comparable method based on an ordinary graph convolutional network (GCN), its F1-measure is higher by 182%, 12% and 55% respectively (relative improvements), showing that the proposed method effectively improves vulnerability detection capability.
Keywords: vulnerability detection; code property graph; relational graph convolutional network; deep learning; prediction model
CLC number: TP311 [Automation and Computer Technology: Computer Software and Theory]
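The pipeline the abstract describes (source code to a code property graph with typed edges, relation-specific graph convolution, then a classification head) as an added, self-contained Python example written for this page; it is not the authors' implementation. The five-node CPG for a short strcpy() function, the node-kind vocabulary, the hidden size and the seeded, untrained weights are all assumptions, and vulnerability_score() is only a placeholder head that shows the output stage. implied_precision() additionally backs out the precision the abstract does not report from its recall and F1 (about 52.9%), which is the figure a practitioner wants before trusting an 80% recall.

```python
"""Added example: relation-typed graph convolution (RGCN) over a hand-built code property graph.

Everything here is hypothetical: the CPG, the feature vocabulary and the seeded,
untrained weights are constructed for illustration, not taken from the paper.
"""
import math
import random
from typing import Dict, List, Tuple

# Edge labels of a code property graph. An RGCN keeps one weight matrix per relation,
# which is what separates it from a plain GCN that treats every edge alike.
AST, CFG, DDG = "AST", "CFG", "DDG"
RELATIONS = (AST, CFG, DDG)
SELF = "SELF"  # weight for a node's own previous state

# Constructed node vocabulary (not the paper's): one-hot node kind + "unsafe sink" flag.
KINDS = ("func", "decl", "call", "arg")
FEAT_DIM = len(KINDS) + 1
HIDDEN_DIM = 6
UNSAFE_SINKS = {"strcpy", "gets", "sprintf"}

# Constructed sample CPG for:  void f(char *src) { char buf[8]; strcpy(buf, src); }
NODES = ["func:f", "decl:buf", "call:strcpy", "arg:buf", "arg:src"]
EDGES = [
    ("func:f", "decl:buf", AST), ("func:f", "call:strcpy", AST),
    ("call:strcpy", "arg:buf", AST), ("call:strcpy", "arg:src", AST),
    ("decl:buf", "call:strcpy", CFG),   # buf is declared before the call executes
    ("decl:buf", "arg:buf", DDG),       # buf's definition reaches the sink argument
]
Edge = Tuple[str, str, str]
Matrix = List[List[float]]


def node_features(label: str) -> List[float]:
    """Initial node vector: one-hot kind plus a flag for well-known unsafe sinks."""
    kind, _, name = label.partition(":")
    vec = [1.0 if kind == k else 0.0 for k in KINDS]
    vec.append(1.0 if name in UNSAFE_SINKS else 0.0)
    return vec


def make_weights(seed: int, in_dim: int, out_dim: int) -> Dict[str, Matrix]:
    """Seeded pseudo-random (untrained) weights: one out_dim x in_dim matrix per relation."""
    rng = random.Random(seed)
    return {r: [[rng.uniform(-1, 1) for _ in range(in_dim)] for _ in range(out_dim)]
            for r in (SELF,) + RELATIONS}


def matvec(w: Matrix, x: List[float]) -> List[float]:
    return [sum(wij * xj for wij, xj in zip(row, x)) for row in w]


def rgcn_layer(h: Dict[str, List[float]], edges: List[Edge],
               w: Dict[str, Matrix]) -> Dict[str, List[float]]:
    """h_i' = tanh(W_self h_i + sum_r mean_{j in N_r(i)} W_r h_j): the edge label picks W_r."""
    out: Dict[str, List[float]] = {}
    for node, feat in h.items():
        acc = matvec(w[SELF], feat)
        for rel in RELATIONS:
            nbrs = [src for src, dst, r in edges if dst == node and r == rel]
            if not nbrs:
                continue
            mean = [sum(h[j][k] for j in nbrs) / len(nbrs) for k in range(len(feat))]
            acc = [a + b for a, b in zip(acc, matvec(w[rel], mean))]
        # tanh rather than ReLU so a relation-specific difference never dies in a zeroed unit
        out[node] = [math.tanh(a) for a in acc]
    return out


def embed_graph(nodes: List[str], edges: List[Edge], layers: int = 2, seed: int = 0) -> List[float]:
    """Stack RGCN layers, then read out an order-independent graph vector by summing node states."""
    h = {n: node_features(n) for n in nodes}
    dims = [FEAT_DIM] + [HIDDEN_DIM] * layers
    for layer in range(layers):
        h = rgcn_layer(h, edges, make_weights(seed + layer, dims[layer], dims[layer + 1]))
    return [sum(h[n][k] for n in nodes) for k in range(HIDDEN_DIM)]


def vulnerability_score(embedding: List[float], seed: int = 99) -> float:
    """Placeholder linear head + sigmoid. Untrained: shows the output stage, not a real verdict."""
    rng = random.Random(seed)
    logit = sum(rng.uniform(-1, 1) * x for x in embedding) + rng.uniform(-1, 1)
    return 1.0 / (1.0 + math.exp(-logit))


def implied_precision(f1: float, recall: float) -> float:
    """Recover precision from reported F1 and recall: F1 = 2PR/(P+R)  =>  P = F1*R / (2R - F1)."""
    return f1 * recall / (2 * recall - f1)


if __name__ == "__main__":
    emb = embed_graph(NODES, EDGES)
    print("graph embedding:", [round(x, 3) for x in emb])
    print("untrained placeholder score:", round(vulnerability_score(emb), 3))
    print("precision implied by 80.27% recall and 63.78% F1:",
          round(implied_precision(0.6378, 0.8027), 4))
```

The point to take from the block is the per-relation weight lookup in rgcn_layer: relabelling the single data-dependence edge as a control-flow edge changes the graph embedding even though the graph's shape is identical, which a GCN that ignores edge types cannot express. The sum readout is also independent of node order, so the embedding does not depend on how the CPG extractor happens to number nodes.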