
Design And Implementation Of Vulnerability Detection System Based On Knowledge Graph

Posted on: 2022-05-03
Degree: Master
Type: Thesis
Country: China
Candidate: C Chen
Full Text: PDF
GTID: 2518306338468214
Subject: Computer technology
Abstract/Summary:
With the growth of information technology and the large-scale expansion of software requirements, software development has become harder and more time-constrained, which has driven the adoption of software reuse. Developers can use components written by others, or publish their own software on public sites, drawing on open source community resources to implement functionality quickly and avoiding the wasted effort of repeated development. However, this approach also brings new security problems. Attackers can attack the target software through its software supply chain, for example by replacing components in an open software component library with versions carrying backdoors or viruses; once a developer uses them, new security risks are introduced. Because software supply chain attacks are cheap to mount and effective, they are becoming more and more rampant.

At present, traditional software security research focuses mainly on security problems caused by developers during the development process and does not detect the supply chain vulnerabilities introduced by third-party libraries. For this reason, this paper designs and implements a software supply chain vulnerability detection system based on a knowledge graph. Taking the vulnerability and related component data in the NVD as its core data, it constructs a component-vulnerability knowledge graph and detects software supply chain vulnerabilities against that graph. Compared with other vulnerability detection techniques, this system can effectively detect the vulnerabilities introduced by third-party libraries. In addition, it can completely recover the supply chain of a piece of software, which helps developers see through its deep dependency relationships.

The implemented system is tested in terms of both function and performance. In terms of function, 14000 vulnerability records and 12000 component records are collected and processed, and the construction of the component-vulnerability knowledge graph and the supply chain vulnerability detection function are realized. In terms of performance, the tool achieves 85% accuracy on the test data, verifying its ability to detect vulnerabilities in the software supply chain. This paper also analyzes the causes of false positives and looks forward to future directions for the technique.
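The abstract describes two pieces of machinery: a component-vulnerability knowledge graph built from NVD data, and a scan that walks a project's dependency graph, recovers the full (transitive) supply chain, and reports vulnerabilities reachable through deep dependencies. The following is an added example written for this page, not the thesis's code. It uses a minimal in-memory graph with two edge types (depends_on between component versions, affected_by between a component and a vulnerability), and reuses only NVD's versionStartIncluding / versionEndExcluding range convention for affected-version matching. All component names, versions and vulnerability ids (VULN-1 to VULN-4) are constructed for illustration, and the dotted-integer version comparison is a deliberate simplification: real ecosystems need semver or PEP 440 parsing, and naive version matching is one of the false-positive sources the abstract refers to.

```python
"""Toy component-vulnerability knowledge graph and supply-chain scan.

Added example, not the thesis's implementation. Component names, versions
and vulnerability ids below are constructed; only the NVD range field
names (versionStartIncluding / versionEndExcluding) are borrowed.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

Node = Tuple[str, str]  # (component name, version)


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted integer version -> comparable tuple.

    Simplification: real ecosystems (semver pre-releases, PEP 440, distro
    epochs) need proper parsing; comparing versions naively is a known
    source of false positives in supply-chain scanners.
    """
    return tuple(int(p) for p in v.split("."))


class KnowledgeGraph:
    def __init__(self) -> None:
        # affected_by edge: component -> [(version range, vulnerability id)]
        self.affected: Dict[str, List[Tuple[dict, str]]] = defaultdict(list)
        # depends_on edge: (component, version) -> [(component, version)]
        self.depends: Dict[Node, List[Node]] = defaultdict(list)

    def add_vuln(self, vid: str, component: str,
                 start_incl: Optional[str] = None,
                 end_excl: Optional[str] = None) -> None:
        """Record that `component` in [start_incl, end_excl) is affected by `vid`.
        Either bound may be None, mirroring NVD's open-ended ranges."""
        rng = {"versionStartIncluding": start_incl, "versionEndExcluding": end_excl}
        self.affected[component].append((rng, vid))

    def add_dependency(self, parent: Node, child: Node) -> None:
        self.depends[parent].append(child)

    @staticmethod
    def in_range(version: str, rng: dict) -> bool:
        v = parse_version(version)
        lo, hi = rng["versionStartIncluding"], rng["versionEndExcluding"]
        if lo is not None and v < parse_version(lo):
            return False
        if hi is not None and v >= parse_version(hi):
            return False
        return True

    def vulns_for(self, component: str, version: str) -> List[str]:
        return [vid for rng, vid in self.affected.get(component, [])
                if self.in_range(version, rng)]

    def supply_chain(self, root: Node) -> Dict[Node, List[str]]:
        """Recover the transitive supply chain of `root` by BFS over depends_on
        edges. Returns every reachable component version with the path by which
        it was first reached; diamonds are visited once."""
        paths: Dict[Node, List[str]] = {root: [f"{root[0]}@{root[1]}"]}
        queue = [root]
        while queue:
            node = queue.pop(0)
            for child in self.depends.get(node, []):
                if child not in paths:
                    paths[child] = paths[node] + [f"{child[0]}@{child[1]}"]
                    queue.append(child)
        return paths

    def scan(self, root: Node) -> List[dict]:
        """Match every component version in the supply chain against the
        affected_by edges and report each hit with its dependency depth."""
        findings = []
        for node, path in self.supply_chain(root).items():
            for vid in self.vulns_for(*node):
                findings.append({"vuln": vid, "component": node,
                                 "depth": len(path) - 1,
                                 "chain": " -> ".join(path)})
        return findings


def demo() -> List[dict]:
    """Build a constructed graph and scan a constructed application."""
    kg = KnowledgeGraph()
    app, libnet, jsonparse, zcompress = (("app", "1.0.0"), ("libnet", "2.3.1"),
                                         ("jsonparse", "1.4.0"), ("zcompress", "1.2.8"))
    kg.add_dependency(app, libnet)
    kg.add_dependency(app, jsonparse)
    kg.add_dependency(libnet, zcompress)      # depth-2 dependency
    kg.add_dependency(jsonparse, zcompress)   # diamond: same node via two paths
    kg.add_vuln("VULN-1", "zcompress", "1.2.0", "1.2.9")  # hits 1.2.8
    kg.add_vuln("VULN-2", "libnet", None, "2.3.0")        # fixed before 2.3.1: no hit
    kg.add_vuln("VULN-3", "jsonparse", "1.4.0", "1.5.0")  # hits 1.4.0
    kg.add_vuln("VULN-4", "libnet", "2.3.0", None)        # open-ended range: hit
    return kg.scan(app)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['vuln']}: {f['chain']} (depth {f['depth']})")
```

The scan reports the zcompress vulnerability once, through the first path found (app -> libnet -> zcompress), even though two dependents pull the same version in; VULN-2 is suppressed because 2.3.1 lies outside its affected range, which is exactly the kind of distinction a scanner loses when it matches on component name alone.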
Keywords/Search Tags:software vulnerability, knowledge graph, software supply chain, vulnerability detection