A method of software source code vulnerability detection based on BGRU

Authors: ZHAO Mokan; LI Donghui (School of Electrical Automation and Information Engineering, Tianjin University, Tianjin 300072, China)

Affiliation: [1] School of Electrical Automation and Information Engineering, Tianjin University, Tianjin 300072, China

Source: Modern Electronics Technique (现代电子技术), 2022, No. 18, pp. 57-62 (6 pages)

Funding: 2019 Industrial Internet Innovation and Development Project, "Industrial Software Source Code Security Detection Tool" (TC190H46G).

Abstract: To address the high false positive and false negative rates of software source code vulnerability detection, this paper proposes a detection method based on a bidirectional gated recurrent unit (BGRU). First, a token-based approach with lexical analysis converts the character stream of the source code into an equivalent token sequence, which is represented as one-hot vectors. A Word2vec model then maps these one-hot vectors into distributed (dense) vectors, which are fed into a BGRU network; the BGRU automatically extracts high-dimensional nonlinear features from the source code in both the forward and backward directions. Using the feature information in the source code in this way yields a fuller representation model of the code, which lowers both the false positive and the false negative rate of detection. The source code of a baijiu (Chinese liquor) quality monitoring system is used as the test subject, and ten categories of Open Web Application Security Project (OWASP) vulnerabilities are detected in that source code. Finally, the proposed method is compared with two other deep learning methods, a bidirectional recurrent neural network and a convolutional neural network. The experimental results show that, on this code base, each of the two comparison methods exhibits a large false positive rate or a large false negative rate, while the proposed method achieves lower rates of both, indicating that the proposed BGRU detection method can effectively reduce the false positive and false negative rates of software source code vulnerability detection.
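The pipeline the abstract describes (lexical tokenization of the character stream into a token sequence, one-hot encoding, an embedding lookup, then a forward and a backward GRU pass whose final states are concatenated into one feature vector) is shown below as an added Python illustration; it is not code from the paper or its authors. Everything in it is an assumption made for the example: the C tokenizer and its keyword and library-call lists are hypothetical (library calls such as strcpy are kept verbatim while user identifiers, numbers and strings are abstracted), the Word2vec table is replaced by a random embedding matrix, the GRU weights are random and untrained, and the C snippet is constructed. The output therefore shows the shape of the representation the abstract relies on, not a learned vulnerability signal.

```python
import math
import random
import re

# Constructed C snippet (not from the paper): an unbounded strcpy.
SAMPLE_C = """
int copy_name(char *dst, const char *src) {
    strcpy(dst, src);
    return 0;
}
"""

TOKEN_RE = re.compile(r"""
    (?P<num>\d+)
  | (?P<id>[A-Za-z_]\w*)
  | (?P<str>"(?:\\.|[^"\\])*")
  | (?P<op>->|[{}()\[\];,*&+\-/=<>!])
  | (?P<ws>\s+)
""", re.VERBOSE)

C_KEYWORDS = {"int", "char", "const", "void", "return", "if", "else", "for", "while"}
# Library calls carry detection signal and are kept verbatim; other identifiers,
# numbers and strings are abstracted to ID/NUM/STR (assumed design choice).
KNOWN_APIS = {"strcpy", "strncpy", "memcpy", "sprintf", "snprintf", "gets", "fgets"}

def tokenize_c(src: str) -> list[str]:
    """Lexical analysis: character stream -> equivalent token sequence."""
    tokens, pos = [], 0
    while pos < len(src):
        m = TOKEN_RE.match(src, pos)
        if m is None:
            raise ValueError(f"unexpected character {src[pos]!r} at offset {pos}")
        pos, kind, text = m.end(), m.lastgroup, m.group()
        if kind == "ws":
            continue
        if kind in ("num", "str"):
            tokens.append(kind.upper())
        elif kind == "id" and text not in C_KEYWORDS and text not in KNOWN_APIS:
            tokens.append("ID")
        else:
            tokens.append(text)
    return tokens

def build_vocab(token_seqs):
    vocab = {"<unk>": 0}
    for tok in (t for seq in token_seqs for t in seq):
        vocab.setdefault(tok, len(vocab))
    return vocab

def one_hot(tok, vocab):
    vec = [0.0] * len(vocab)
    vec[vocab.get(tok, 0)] = 1.0
    return vec

def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))

def matvec(W, x):
    return [sum(w * xi for w, xi in zip(row, x)) for row in W]

def mat(rng, rows, cols):
    return [[rng.uniform(-0.5, 0.5) for _ in range(cols)] for _ in range(rows)]

class GRU:
    """Single-direction GRU cell run over a sequence (random, untrained weights)."""
    def __init__(self, in_dim, hid_dim, rng):
        self.Wz, self.Uz = mat(rng, hid_dim, in_dim), mat(rng, hid_dim, hid_dim)  # update gate
        self.Wr, self.Ur = mat(rng, hid_dim, in_dim), mat(rng, hid_dim, hid_dim)  # reset gate
        self.Wh, self.Uh = mat(rng, hid_dim, in_dim), mat(rng, hid_dim, hid_dim)  # candidate

    def step(self, x, h):
        z = [sigmoid(a + b) for a, b in zip(matvec(self.Wz, x), matvec(self.Uz, h))]
        r = [sigmoid(a + b) for a, b in zip(matvec(self.Wr, x), matvec(self.Ur, h))]
        rh = [ri * hi for ri, hi in zip(r, h)]
        cand = [math.tanh(a + b) for a, b in zip(matvec(self.Wh, x), matvec(self.Uh, rh))]
        return [(1 - zi) * hi + zi * ci for zi, hi, ci in zip(z, h, cand)]

    def run(self, xs):
        h = [0.0] * len(self.Uz)
        for x in xs:
            h = self.step(x, h)
        return h

class BGRUEncoder:
    """one-hot -> embedding -> forward GRU + backward GRU -> concatenated features."""
    def __init__(self, vocab_size, emb_dim, hid_dim, seed=0):
        rng = random.Random(seed)
        # Stand-in for the Word2vec table: a random embedding matrix (assumption).
        self.E = mat(rng, vocab_size, emb_dim)
        self.fwd, self.bwd = GRU(emb_dim, hid_dim, rng), GRU(emb_dim, hid_dim, rng)

    def embed(self, onehot):
        # one-hot times embedding matrix is a row lookup
        return [sum(o * e for o, e in zip(onehot, col)) for col in zip(*self.E)]

    def encode(self, onehots):
        xs = [self.embed(v) for v in onehots]
        return self.fwd.run(xs) + self.bwd.run(xs[::-1])

VOCAB = build_vocab([tokenize_c(SAMPLE_C)])
ENCODER = BGRUEncoder(len(VOCAB), emb_dim=8, hid_dim=4)

def encode_source(src: str) -> list[float]:
    # Full pipeline for one function; a trained classifier head would consume this.
    return ENCODER.encode([one_hot(t, VOCAB) for t in tokenize_c(src)])

if __name__ == "__main__":
    print(tokenize_c(SAMPLE_C))
    print([round(f, 3) for f in encode_source(SAMPLE_C)])
```

Because the backward GRU reads the sequence from the end, the second half of the feature vector for the strcpy token position carries the context that follows it, which a single forward pass cannot see; swapping the order of two statements changes the encoding. Note that the abstract's results are reported on one system's code base against BRNN and CNN baselines, and it does not describe evaluation across projects.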

Keywords: software source code; bidirectional gated recurrent unit; vulnerability detection; network security; feature extraction; representation modeling

Classification codes: TN911.23-34 [Electronics and telecommunications: communication and information systems]; TP311 [Electronics and telecommunications: information and communication engineering]
