BGNN4VD: Constructing Bidirectional Graph Neural-Network for Vulnerability Detection
Previous studies have shown that existing deep learning-based approaches can significantly improve the performance of vulnerability detection. They represent code in various forms and mine vulnerability features with deep learning models. However, the differences of code representation forms and dee...
Published in: | Information and software technology 2021-08, Vol.136, p.106576, Article 106576 |
---|---|
Main authors: | , , , , |
Format: | Article |
Language: | eng |
Subjects: | |
Online access: | Full text |
container_end_page | |
---|---|
container_issue | |
container_start_page | 106576 |
container_title | Information and software technology |
container_volume | 136 |
creator | Cao, Sicong ; Sun, Xiaobing ; Bo, Lili ; Wei, Ying ; Li, Bin |
description | Previous studies have shown that existing deep learning-based approaches can significantly improve the performance of vulnerability detection. They represent code in various forms and mine vulnerability features with deep learning models. However, the differences of code representation forms and deep learning models make various approaches still have some limitations. In practice, their false-positive rate (FPR) and false-negative rate (FNR) are still high.
To address the limitations of existing deep learning-based vulnerability detection approaches, we propose BGNN4VD (Bidirectional Graph Neural Network for Vulnerability Detection), a vulnerability detection approach by constructing a Bidirectional Graph Neural-Network (BGNN).
In Phase 1, we extract the syntax and semantic information of source code through abstract syntax tree (AST), control flow graph (CFG), and data flow graph (DFG). Then in Phase 2, we use vectorized source code as input to Bidirectional Graph Neural-Network (BGNN). In Phase 3, we learn the different features between vulnerable code and non-vulnerable code by introducing backward edges on the basis of traditional Graph Neural-Network (GNN). Finally in Phase 4, a Convolutional Neural-Network (CNN) is used to further extract features and detect vulnerabilities through a classifier.
We evaluate BGNN4VD on four popular C/C++ projects from NVD and GitHub, and compare it with four state-of-the-art (Flawfinder, RATS, SySeVR, and VUDDY) vulnerability detection approaches. Experiment results show that, when compared with these baselines, BGNN4VD achieves 4.9%, 11.0%, and 8.4% improvement in F1-measure, accuracy and precision, respectively.
The proposed BGNN4VD achieves a higher precision and accuracy than the state-of-the-art methods. In addition, when applied on the latest vulnerabilities reported by CVE, BGNN4VD can still achieve a precision at 45.1%, which demonstrates the feasibility of BGNN4VD in practical application. |
doi_str_mv | 10.1016/j.infsof.2021.106576 |
format | Article |
fulltext | fulltext |
identifier | ISSN: 0950-5849 |
ispartof | Information and software technology, 2021-08, Vol.136, p.106576, Article 106576 |
issn | 0950-5849 1873-6025 |
language | eng |
recordid | cdi_webofscience_primary_000655363900005 |
source | Web of Science - Science Citation Index Expanded - 2021; Access via ScienceDirect (Elsevier) |
subjects | Bidirectional Graph Neural-Network ; Code representation ; Computer Science ; Computer Science, Information Systems ; Computer Science, Software Engineering ; Science & Technology ; Technology ; Vulnerability detection |
title | BGNN4VD: Constructing Bidirectional Graph Neural-Network for Vulnerability Detection |
url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-12-14T20%3A40%3A59IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-elsevier_webof&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=BGNN4VD:%20Constructing%20Bidirectional%20Graph%20Neural-Network%20for%20Vulnerability%20Detection&rft.jtitle=Information%20and%20software%20technology&rft.au=Cao,%20Sicong&rft.date=2021-08&rft.volume=136&rft.spage=106576&rft.pages=106576-&rft.artnum=106576&rft.issn=0950-5849&rft.eissn=1873-6025&rft_id=info:doi/10.1016/j.infsof.2021.106576&rft_dat=%3Celsevier_webof%3ES0950584921000586%3C/elsevier_webof%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rft_els_id=S0950584921000586&rfr_iscdi=true |