Vulnerability Analysis and Detection Using Graph Neural Networks for Android Operating System

  • Conference paper
Information Systems Security (ICISS 2021)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 13146)

Abstract

The Android operating system contains approximately 93 million lines of code, written mainly in C, C++ and Java. No strict software engineering life-cycle is followed during Android software development, and hence design flaws and vulnerabilities are frequently reported. The rise in security attacks targeting Android demonstrates the importance of early detection of vulnerabilities in the Android operating system. The existing mechanisms focus either on Android apps or on short code differences in the Android framework, and hence they are less effective for the Android operating system as a whole. In this work, we extracted all the officially reported, publicly accessible Android Java vulnerabilities in the application and framework layers from 2015 until June 2021. The extracted vulnerable code and the corresponding fixed (secure) code are then converted into graph form using different intermediate graph representations, and graph features are extracted. Vectorization techniques are used to convert the node features of the graph into numerical form. A vulnerability detection mechanism based on a Graph Neural Network is designed, and it achieves an F1-score of 0.92. To the best of our knowledge, this is one of the first works on source code vulnerability detection for the Android operating system that exploits the potential of Graph Neural Networks.


Corresponding author

Correspondence to G. Renjith.

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Cite this paper

Renjith, G., Aji, S. (2021). Vulnerability Analysis and Detection Using Graph Neural Networks for Android Operating System. In: Tripathy, S., Shyamasundar, R.K., Ranjan, R. (eds) Information Systems Security. ICISS 2021. Lecture Notes in Computer Science, vol 13146. Springer, Cham. https://doi.org/10.1007/978-3-030-92571-0_4

  • DOI: https://doi.org/10.1007/978-3-030-92571-0_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-92570-3

  • Online ISBN: 978-3-030-92571-0

  • eBook Packages: Computer Science, Computer Science (R0)
