Abstract
The Android operating system contains approximately 93 million lines of code, written mainly in C, C++ and Java. No strict software engineering life-cycle is followed during Android software development, and design flaws and vulnerabilities are therefore widely reported. The rising number of security attacks targeting Android shows the importance of detecting vulnerabilities in the Android operating system early. Existing mechanisms focus either on Android apps or on short code differences in the Android framework, and are hence less effective for the Android operating system itself. In this work, we extracted all officially reported, publicly accessible Android Java vulnerabilities in the application and framework layers from 2015 until June 2021. The extracted vulnerable code and the corresponding fixed (secure) code are converted into graph form using different intermediate graph representations, and graph features are then extracted. Vectorization techniques convert the node features of the graph into numerical form. A vulnerability detection mechanism based on a Graph Neural Network is designed and achieves an F1-score of 0.92. To the best of our knowledge, this is one of the first works on source code vulnerability detection for the Android operating system that exploits the potential of Graph Neural Networks.
© 2021 Springer Nature Switzerland AG
Renjith, G., Aji, S. (2021). Vulnerability Analysis and Detection Using Graph Neural Networks for Android Operating System. In: Tripathy, S., Shyamasundar, R.K., Ranjan, R. (eds) Information Systems Security. ICISS 2021. Lecture Notes in Computer Science(), vol 13146. Springer, Cham. https://doi.org/10.1007/978-3-030-92571-0_4
DOI: https://doi.org/10.1007/978-3-030-92571-0_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-92570-3
Online ISBN: 978-3-030-92571-0