ACGVD: Vulnerability Detection Based on Comprehensive Graph via Graph Neural Network with Attention

  • Conference paper
Information and Communications Security (ICICS 2021)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 12918)

Abstract

Vulnerabilities are one of the main causes of network intrusion. An effective way to mitigate security threats is to find and repair vulnerabilities as soon as possible. Traditional vulnerability detection methods are limited by expert knowledge. Existing deep learning-based methods neglect the connection between semantic graphs and cannot effectively deal with structural information. Graph neural networks bring new insight into vulnerability detection. However, benign nodes account for a large proportion of the graph, so vulnerability information can be disturbed by them. To address the limitations of existing vulnerability detection approaches, in this paper we propose ACGVD, a vulnerability detection method that constructs a graph network with attention. We first combine multiple semantic graphs to form a more comprehensive graph. We then adopt a graph neural network instead of a sequence-based model to automatically analyze the comprehensive graph. To solve the problem that vulnerability information could be covered up, we add a double-level attention mechanism to the graph model. We also add a novel classification layer to extract the high-level features of the code. To make the experiment more realistic, the model is trained on the latest published real-world dataset. The experimental results demonstrate that, compared with state-of-the-art methods, our model ACGVD achieves 5.01%, 13.89%, and 8.27% improvement in accuracy, recall and F1-score, respectively.

Notes

  1. https://joern.readthedocs.io/en/latest/index.html

  2. http://radimrehurek.com/gensim/models/word2vec.html

Acknowledgement

This work is supported by the Strategic Priority Research Program of Chinese Academy of Sciences, Grant No. XDC02010300.

Author information

Corresponding author

Correspondence to Yu Wen.

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Li, M., Li, C., Li, S., Wu, Y., Zhang, B., Wen, Y. (2021). ACGVD: Vulnerability Detection Based on Comprehensive Graph via Graph Neural Network with Attention. In: Gao, D., Li, Q., Guan, X., Liao, X. (eds) Information and Communications Security. ICICS 2021. Lecture Notes in Computer Science, vol 12918. Springer, Cham. https://doi.org/10.1007/978-3-030-86890-1_14

  • DOI: https://doi.org/10.1007/978-3-030-86890-1_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-86889-5

  • Online ISBN: 978-3-030-86890-1

  • eBook Packages: Computer Science, Computer Science (R0)
