LHG-VD: A Learnable Hierarchical Graph Representation Vulnerability Detection Method
Abstract: Software vulnerabilities pose a serious threat to the secure and stable operation of computer systems and software, so research on detecting them automatically has long received wide attention. Traditional static vulnerability detection tools analyze code with predefined rules supplied by human experts. Vulnerability detection methods based on graph neural networks (GNNs) instead learn vulnerable code patterns automatically, and on some datasets they already outperform the traditional methods. However, current GNN-based methods do not design the GNN model around the characteristics of code itself, which leads to poor detection results on datasets of real-world vulnerable code. This paper proposes LHG-VD, a vulnerability detection method based on a learnable hierarchical graph representation. It introduces a learnable readout function to address the limitations of traditional readout functions, and a cross-granularity loss function, based on the idea of contrastive learning, to preserve the local structural information of the code during graph pooling. Experimental results on a real-world vulnerability dataset show that LHG-VD reaches an F1 score of 71.5%, an improvement of 4.9 percentage points over the slice-level detection method DeepWukong and 8.9 percentage points over the function-level detection method AMPLE.

Authors: Hu Song; Luo Jiachi; Wan Wenkai; Yan Yang; Guo Fan; Qu Yanwen (School of Digital Industry, Jiangxi Normal University, Shangrao, Jiangxi 334006; School of Computer Information Engineering, Jiangxi Normal University, Nanchang 330022)

Source: Journal of Computer Research and Development (《计算机研究与发展》), Peking University Core Journal, 2025, No. 9, pp. 2348-2361 (14 pages)

Funding: National Natural Science Foundation of China (61967011).

Keywords: vulnerability detection; deep learning; graph neural network; contrastive learning; graph pooling