
Research On Source Code Vulnerability Detection Method Based On Graph Neural Network

Posted on: 2022-11-12
Degree: Master
Type: Thesis
Country: China
Candidate: Y Wang
Full Text: PDF
GTID: 2518306779964189
Subject: Computer Software and Application of Computer
Abstract/Summary:
With the development of the Internet era, software technology is applied ever more widely, and detecting vulnerabilities in that software must be both efficient and accurate. However, software vulnerabilities are diverse, and detecting them from source code demands a high level of professional experience from developers. Previous vulnerability detection solutions either rely on expert-defined features or apply recursive neural networks only to code sequences, making it difficult to extract complex vulnerability features in the traditional code space. In recent years, with the rapid development of artificial intelligence technology, some scholars have begun to extract abstract graph representations of source code and combine them with graph neural networks for software vulnerability detection. However, such research is still at an exploratory stage. In this context, this paper investigates graph-based source code vulnerability detection. The main work of this paper is as follows:

First, the Expansion Code Property Graph (ECPG) is proposed and the Fourier transform is introduced to focus on more valid node feature information. This paper adds three edge types to the Code Property Graph proposed by Yamaguchi et al. [18]. The Extended Code Property Graph is constructed by focusing on vulnerability-related semantic information, such as the relationship between the sequence of variable usage and the order of statements inside conditional expressions. Based on the ECPG, this paper applies the Fourier transform for feature extraction on the initial feature vector of each node in the graph; this initial feature vector is obtained by Word2Vec encoding. Experiments show that the Fourier transform operation brings a good improvement in vulnerability detection.

Secondly, based on the Expansion Code Property Graph, the Graph Isomorphism Network (GIN), which currently performs well on graph classification tasks, is introduced. Building on this model, in order to effectively utilize the global information of all depths, this paper improves the aggregation operation of the graph readout by combining it with the self-attention mechanism and proposes the Self Attention Readout Graph Isomorphism Network (SAR-GIN). Experiments show that the SAR-GIN proposed in this paper has good vulnerability detection capability and achieves better results than the GIN model.

Thirdly, inspired by SAR-GIN, this paper makes the same improvements to the Graph Convolutional Network (GCN) used in other vulnerability detection work and proposes the Self Attention Readout Graph Convolutional Network (SAR-GCN). Experiments show that SAR-GCN has better vulnerability detection capability than GCN.

Finally, in order to combine the two models proposed in this paper and further improve the effectiveness of source code vulnerability detection, an integrated model, IVD (Integrated Vulnerability Detection), based on SAR-GIN and SAR-GCN is proposed. Experiments show that the IVD model detects better than a single model. Using the dataset provided in the paper [28], the IVD method proposed in this paper was tested against three other base models, two open source static code scanning tools, and some existing deep learning-based detection methods. The experimental results demonstrate that the IVD method outperforms the other models overall and can be effectively used in source code vulnerability detection.
Keywords/Search Tags:Source Code Vulnerability Detection, Graph Neural Networks, Self-attention Mechanism, Fourier Transform