网络与信息安全学报2023,Vol.9Issue(6):86-101,16.DOI:10.11959/j.issn.2096-109x.2023085
基于程序过程间语义优化的深度学习漏洞检测方法
Deep learning vulnerability detection method based on optimized inter-procedural semantics of programs
摘要
Abstract
In recent years,software vulnerabilities have been causing a multitude of security incidents,and the early discovery and patching of vulnerabilities can effectively reduce losses.Traditional rule-based vulnerability detection methods,relying upon rules defined by experts,suffer from a high false negative rate.Deep learning-based methods have the capability to automatically learn potential features of vulnerable programs.However,as software complexity increases,the precision of these methods decreases.On one hand,current methods mostly operate at the function level,thus unable to handle inter-procedural vulnerability samples.On the other hand,models such as BGRU and BLSTM exhibit performance degradation when confronted with long input sequences,and are not adept at capturing long-term dependencies in program statements.To address the aforementioned issues,the existing program slicing method has been optimized,enabling a comprehensive contextual analysis of vulnerabilities triggered across functions through the combination of intra-procedural and inter-procedural slicing.This facilitated the capture of the complete causal relationship of vulnerability triggers.Furthermore,a vulnerability detection task was conducted using a Transformer neural network architecture equipped with a multi-head attention mechanism.This architecture collectively focused on information from different representation subspaces,allowing for the extraction of deep features from nodes.Unlike recurrent neural networks,this approach resolved the issue of information decay and effectively learned the syntax and semantic information of the source program.Experimental results demonstrate that this method achieves an F1 score of 73.4%on a real software dataset.Compared to the comparative methods,it shows an improvement of 13.6%to 40.8%.Furthermore,it successfully detects several vulnerabilities in open-source software,confirming its effectiveness and applicability.关键词
漏洞检测/程序切片/深度学习/注意力机制Key words
vulnerability detection/program slice/deep learning/attention mechanism分类
信息技术与安全科学引用本文复制引用
李妍,羌卫中,李珍,邹德清,金海..基于程序过程间语义优化的深度学习漏洞检测方法[J].网络与信息安全学报,2023,9(6):86-101,16.基金项目
国家自然科学基金(62272187) (62272187)
国家通用技术基础研究联合基金(U1936211)The National Natural Science Foundation of China(62272187),The Joint Funds of the National Natural Science Foundation of China(U1936211) (U1936211)
