Authors: 曹炳豪 (CAO Binghao); 汪智超 (WANG Zhichao); 朱二周 (ZHU Erzhou) [1]
Affiliation: [1] School of Computer Science and Technology, Anhui University, Hefei 230601, Anhui, China
Source: 《微电子学与计算机》 (Microelectronics & Computer), 2024, No. 1, pp. 74-82 (9 pages)
Funding: Natural Science Foundation of Anhui Province (2008085MF188); Natural Science Research Project of Higher Education Institutions of Anhui Province (KJ2021A0041).
Abstract: Current deep learning methods for software vulnerability detection suffer from coarse detection granularity and from loss of syntactic or semantic information when processing source code. To address these problems, this paper proposes Vulnerability Detection with Code Property Graphs (VDCPG), a graph neural network model for software vulnerability detection based on improved Code Property Graphs (CPG). To capture the syntactic and semantic information in source code accurately, VDCPG uses Joern to generate the CPG of the target function. A CPG optimization method, built on depth-first traversal, dynamically removes edges of the control flow graph or the control dependence graph, which improves detection efficiency without reducing the vulnerability detection effect. The generated CPG is vectorized with word2vec in Continuous Bag Of Words (CBOW) mode, and a Graph Attention Network (GAT) with a self-attention mechanism is then used to detect software vulnerabilities efficiently and accurately. Test results on two data sets of different sizes show that the vulnerability detection effect of VDCPG is significantly improved compared with existing software vulnerability detection tools and models.
Classification: TP311 [Automation and Computer Technology: Computer Software and Theory]