BGNN4VD: Constructing Bidirectional Graph Neural-Network for Vulnerability Detection

Cao, Sicong; Sun, Xiaobing; Bo, Lili; Wei, Ying; Li, Bin

doi:10.1016/j.infsof.2021.106576

Cited by 129 publications

(73 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For software vulnerability detection, prior approaches have utilized document embedding methods like Doc2Vec [29], or word embedding methods such as GloVe [47] and Word2Vec [43] to generate pre-trained vectors for singular tokens, which are then aggregated in some way. For example, Cao et al [9] utilized averaged Word2Vec embeddings to transform raw code statements into vector representations.…”

Section: Source Code Embeddingmentioning

confidence: 99%

“…The model outputs often present developers with limited information for prediction outcome validation and interpretation, leading to extra efforts when evaluating and mitigating the software vulnerabilities. Consequently, many proposed SVD solutions have transitioned to either function-level [9,10,32,61] or slice-level [12,33,35,36] predictions, which are a major improvement from file-level predictions [16,24,52]. Some other works further leverage supplementary information, such as commit-level code changes with accompanying log messages, to build the prediction model [23,49].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

LineVD: Statement-level Vulnerability Detection using Graph Neural Networks

Hin¹,

Kan²,

Chen³

et al. 2022

Preprint

View full text Add to dashboard Cite

Current machine-learning based software vulnerability detection methods are primarily conducted at the function-level. However, a key limitation of these methods is that they do not indicate the specific lines of code contributing to vulnerabilities. This limits the ability of developers to efficiently inspect and interpret the predictions from a learnt model, which is crucial for integrating machine-learning based tools into the software development workflow. Graph-based models have shown promising performance in function-level vulnerability detection, but their capability for statement-level vulnerability detection has not been extensively explored. While interpreting function-level predictions through explainable AI is one promising direction, we herein consider the statement-level software vulnerability detection task from a fully supervised learning perspective. We propose a novel deep learning framework, LineVD, which formulates statement-level vulnerability detection as a node classification task. LineVD leverages control and data dependencies between statements using graph neural networks, and a transformer-based model to encode the raw source code tokens. In particular, by addressing the conflicting outputs between function-level and statement-level information, LineVD significantly improve the prediction performance without vulnerability status for function code. We have conducted extensive experiments against a large-scale collection of real-world C/C++ vulnerabilities obtained from multiple real-world projects, and demonstrate an increase of 105% in F1-score over the current state-of-the-art.

show abstract

Section: Source Code Embeddingmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

LineVD: Statement-level Vulnerability Detection using Graph Neural Networks

Hin¹,

Kan²,

Chen³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…CFGs form the entire representation of the Android application. It forms a graph consisting of finite sets of nodes (N) [23] of the documented API calls and the finite set of edges (E) [24], which link successive instructions. Control Flow Graph (CFG) is a directed graph description of how a program is controlled during execution.…”

Section: Api Callsmentioning

confidence: 99%

Modeling Correlation between Android Permissions Based on Threat and Protection Level Using Exploratory Factor Plane Analysis

Ashawa

Morris

2021

JCP

View full text Add to dashboard Cite

The evolution of mobile technology has increased correspondingly with the number of attacks on mobile devices. Malware attack on mobile devices is one of the top security challenges the mobile community faces daily. While malware classification and detection tools are being developed to fight malware infection, hackers keep deploying different infection strategies, including permissions usage. Among mobile platforms, Android is the most targeted by malware because of its open OS and popularity. Permissions is one of the major security techniques used by Android and other mobile platforms to control device resources and enhance access control. In this study, we used the t-Distribution stochastic neighbor embedding (t-SNE) and Self-Organizing Map techniques to produce a visualization method using exploratory factor plane analysis to visualize permissions correlation in Android applications. Two categories of datasets were used for this study: the benign and malicious datasets. Dataset was obtained from Contagio, VirusShare, VirusTotal, and Androzoo repositories. A total of 12,267 malicious and 10,837 benign applications with different categories were used. We demonstrate that our method can identify the correlation between permissions and classify Android applications based on their protection and threat level. Our results show that every permission has a threat level. This signifies those permissions with the same protection level have the same threat level.

show abstract

“…Cao et al collected a C/C++ vulnerability dataset from GitHub and the National Vulnerability Database, consisting of 2149 vulnerabilities [57]. They used the dataset to train a bi-directional graph neural network for a vulnerability detection system.…”

Section: Vulnerability Datasetsmentioning

confidence: 99%

Neural Transfer Learning for Repairing Security Vulnerabilities in C Code

Chen,

Kommrusch,

Monperrus

2021

Preprint

View full text Add to dashboard Cite

In this paper, we address the problem of automatic repair of software vulnerabilities with deep learning. The major problem with data-driven vulnerability repair is that the few existing datasets of known confirmed vulnerabilities consist of only a few thousand examples. However, training a deep learning model often requires hundreds of thousands of examples. In this work, we leverage the intuition that the bug fixing task and the vulnerability fixing task are related, and the knowledge learned from bug fixes can be transferred to fixing vulnerabilities. In the machine learning community, this technique is called transfer learning. In this paper, we propose an approach for repairing security vulnerabilities named VRepair which is based on transfer learning. VRepair is first trained on a large bug fix corpus, and is then tuned on a vulnerability fix dataset, which is an order of magnitudes smaller. In our experiments, we show that a model trained only on a bug fix corpus can already fix some vulnerabilities. Then, we demonstrate that transfer learning improves the ability to repair vulnerable C functions. In the end, we present evidence that transfer learning produces more stable and superior neural models for vulnerability repair.

show abstract

BGNN4VD: Constructing Bidirectional Graph Neural-Network for Vulnerability Detection

Cited by 129 publications

References 12 publications

LineVD: Statement-level Vulnerability Detection using Graph Neural Networks

LineVD: Statement-level Vulnerability Detection using Graph Neural Networks

Modeling Correlation between Android Permissions Based on Threat and Protection Level Using Exploratory Factor Plane Analysis

Neural Transfer Learning for Repairing Security Vulnerabilities in C Code

Contact Info

Product

Resources

About