Abstract
Detecting software vulnerabilities is a crucial part of software security. At present, the most commonly used methods train supervised classification or regression models on source code to detect vulnerabilities, which requires large amounts of high-quality labeled vulnerability data. However, high-quality labeled vulnerabilities are not easy to obtain in practical applications. To alleviate this problem, we present an effective unsupervised method for detecting software vulnerabilities. We first propose a new source code representation that preserves both the source code's natural-language information and its high-level programming-logic information, and then we embed each software function into a compact, low-dimensional representation using a hierarchical graph attention network. Finally, we identify vulnerabilities by applying an outlier detection algorithm to the low-dimensional representation. We carry out extensive experiments on six datasets, and the experimental results demonstrate the effectiveness of the proposed method.
Acknowledgements
This work was supported by Program of Yunnan Key Laboratory of Intelligent Systems and Computing (202205AG070003) and Natural Science Foundation of Yunnan Provincial Department of Education (2021J0567).
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
Cite this paper
Xu, W., Li, T., Wang, J., Fu, T., Tang, Y. (2024). Detecting Software Vulnerabilities Based on Hierarchical Graph Attention Network. In: Fang, L., Pei, J., Zhai, G., Wang, R. (eds) Artificial Intelligence. CICAI 2023. Lecture Notes in Computer Science, vol 14474. Springer, Singapore. https://doi.org/10.1007/978-981-99-9119-8_11
DOI: https://doi.org/10.1007/978-981-99-9119-8_11
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-9118-1
Online ISBN: 978-981-99-9119-8
eBook Packages: Computer Science, Computer Science (R0)