nach oben

The Journal of Supercomputing

Erschienen in:

05.05.2023

A novel approach for software vulnerability detection based on intelligent cognitive computing

verfasst von: Cho Do Xuan, Dao Hoang Mai, Ma Cong Thanh, Bui Van Cong

Erschienen in: The Journal of Supercomputing | Ausgabe 15/2023

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Improving and enhancing the effectiveness of software vulnerability detection methods is urgently needed today. In this study, we propose a new source code vulnerability detection method based on intelligent and advanced computational algorithms. It's a combination of four main processing techniques including (i) Source Embedding, (ii) Feature Learning, (iii) Resampling Data, and (iv) Classification. The Source Embedding method will perform the task of analyzing and standardizing the source code based on the Joern tool and the data mining algorithm. The Feature Learning model has the function of aggregating and extracting source code attribute based on node using machine learning and deep learning methods. The Resampling Data technique will perform equalization of the experimental dataset. Finally, the Classification model has the function of detecting source code vulnerabilities. The novelty and uniqueness of the new intelligent cognitive computing method is the combination and synchronous use of many different data extracting techniques to compute, represent, and extract the properties of the source code. With this new calculation method, many significant unusual properties and features of the vulnerability have been synthesized and extracted. To prove the superiority of the proposed method, we experiment to detect source code vulnerabilities based on the Verum dataset, details of this part are presented in the experimental section. The experimental results show that the method proposed in the paper has brought good results on all measures. These results have shown to be the best research results for the source code vulnerability detection task using the Verum dataset according to our survey to date. With such results, the proposal in this study is not only meaningful in terms of science but also in practical terms when the method of using intelligent cognitive computing techniques to analyze and evaluate source code has helped to improve the efficiency of the source code analysis and vulnerability detection process.

Vorheriger Artikel External-attention dual-modality fusion network for RGBT tracking

Nächster Artikel LoRa DL: a deep learning model for enhancing the data transmission over LoRa using autoencoder

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

“CVE,” 2021, http://cve.mitre.org.

CWE TOP25, https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html.

Lin G, Wen S, Han Q-L, Zhang J, Xiang Y (2020) Software vulnerability detection using deep neural networks: a survey. Proc IEEE 108(10):1825–1848. https://doi.org/10.1109/JPROC.2020.2993293CrossRef

Zeng G, Lin L, Pan YT, Zhang J (2020) Software vulnerability analysis and discovery using deep learning techniques: a survey. IEEE Access 8:197158–197172. https://doi.org/10.1109/ACCESS.2020.3034766CrossRef

Wang H et al (2021) Combining graph-based learning with automated data collection for code vulnerability detection. IEEE Trans Inf Forensics Secur 16:1943–1958. https://doi.org/10.1109/TIFS.2020.3044773CrossRef

Li X, Wang L, Xin Y, Yang Y, Tang Q, Chen Y (2021) Automated software vulnerability detection based on hybrid neural network. Appl Sci 11(7):3201. https://doi.org/10.3390/app11073201CrossRef

H. Wei, M. Li, (2017) Supervised Deep Features For Software Functional Clone Detection By Exploiting Lexical And Syntactical Information In Source Code, In: Proceedings of the TwentySixth International Joint Conference on Artificial Intelligence, pp 3034–3040, Melbourne, Australia

Attaallah A, Alsuhabi H, Shukla S, Kumar R, Gupta B, Khan P, Raees. (2022) Analyzing the big data security through a unified decision-making approach. Intell Autom Soft Comput. 32:1071–1088. https://doi.org/10.32604/iasc.2022.022569CrossRef

Sahu K, Srivastava RK (2021) Predicting software bugs of newly and large datasets through a unified neuro-fuzzy approach: Reliability perspective. Adv Math: Sci J 10:543–555. https://doi.org/10.37418/amsj.10.1.54CrossRef

10.

Sahu K, Al-Zahrani FA, Srivastava RK, Kumar R (2021) Evaluating the impact of prediction techniques: software reliability perspective. Comput Mater Continua 67:1471–1488. https://doi.org/10.32604/cmc.2021.014868CrossRef

11.

Sahu K, Al-Zahrani FA, Srivastava RK, Kumar R (2020) Hesitant fuzzy sets based symmetrical model of decision-making for estimating the durability of web application. Symmetry 12:1–20. https://doi.org/10.3390/sym12111770CrossRef

12.

Sahu K, Srivastava RK (2018) Soft computing approach for prediction of software reliability. ICIC Express Letters. 12:1213–1222. https://doi.org/10.24507/icicel.12.12.1213CrossRef

13.

Zaharia, Sergiu, Traian Rebedea, and Stefan Trausan-Matu. 2022. "Machine Learning-Based Security Pattern Recognition Techniques for Code Developers" Applied Sciences 12, no. 23: 12463. https://doi.org/10.3390/app122312463.

14.

Siewruk G, Mazurczyk W (2021) Context-aware software vulnerability classification using machine learning. IEEE Access 9:88852–88867. https://doi.org/10.1109/ACCESS.2021.3075385CrossRef

15.

Hu J, Chen J, Zhang L, Liu Y, Bao Q, Ackah-Arthur H, Zhang C (2020) A memory-related vulnerability detection approach based on vulnerability features. Tsinghua Sci Technol 25(5):604–613CrossRef

16.

Li X, Wang L, Xin Y, Yang Y, Chen Y (2020) Automated vulnerability detection in source code using minimum intermediate representation learning. Appl Sci 10:1692. https://doi.org/10.3390/app10051692CrossRef

17.

Li, D. Zou, S. Xu et al., (2018) VulDeePecker: a deep learning based system for vulnerability detection

18.

Zheng W, Gao J, Wu X et al (2020) The impact factors on the performance of machine learning-based vulnerability detection: a comparative study. J Syst Softw. https://doi.org/10.1016/j.jss.2020.110659CrossRef

19.

R. Russell et al., (2018) Automated Vulnerability Detection in Source Code Using Deep Representation Learning," In: 2018 17th IEEE International Conference on Machine Learning and Applications (ICMLA), pp 757–762, doi: https://doi.org/10.1109/ICMLA.2018.00120.

20.

Haridas P, Chennupati G, Santhi N, Romero P, Eidenbenz S (2020) Code characterization with graph convolutions and capsule networks. IEEE Access 8:136307–136315. https://doi.org/10.1109/ACCESS.2020.3011909CrossRef

21.

Li Z, Zou D, Tang J, Zhang Z, Sun M, Jin H (2019) A comparative study of deep learning-based vulnerability detection system. IEEE Access 7:103184–103197. https://doi.org/10.1109/ACCESS.2019.2930578CrossRef

22.

Lin G et al (2021) Software vulnerability discovery via learning multi-domain knowledge bases. IEEE Trans Dependable Secure Comput 18(5):2469–2485. https://doi.org/10.1109/TDSC.2019.2954088CrossRef

23.

Yamaguchi F, Lottmann M, Rieck K (2012) Generalized vulnerability extrapolation using abstract syntax trees. Annual Comput Secur Appl Conf 28:358–368

24.

Hugo Gascon,Fabian Yamaguchi,Daniel Arp, Konrad Rieck, "Structural detection of android malware using embedded call graphs," ACM workshop on Artificial intelligence and security, pp. 45–54, 2013.

25.

Jeanne FJ, Warren OD (1989) The program dependence graph and its use in optimization. ACM Trans Programming Languages Syst 9(3):319–349MATH

26.

Fabian Yamaguchi; Nico Golde; Daniel Arp; Konrad Rieck, (2014) "Modeling and Discovering Vulnerabilities with Code Property Graphs," IEEE Symposium on Security and Privacy

27.

Wang, S.; Liu, T.; Tan, L. (2016) Automatically learning semantic features for defect prediction. In: Proceedings of the 2016 IEEE/ACM 38th International Conference on Software Engineering (ICSE), Austin, TX, USA, pp 14–22

28.

Lin, G.; Zhang, J.; Luo, W.; Pan, L.; Xiang, Y. (2017) POSTER: Vulnerability Discovery With Function Representation Learning From Unlabeled Projects. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, Dallas, TX, USA, 30 October–3 November

29.

Lin G, Zhang J, Luo W, Pan L, Xiang Y, De Vel O, Montague P (2018) Cross-project transfer representation learning for vulnerable function discovery. IEEE Trans Ind Inform 14:3289–3297CrossRef

30.

Pradel, M.; Sen, K. (2018) DeepBugs: A Learning Approach to Name-Based Bug Detection. In: Proceedings of the ACM on Programming Languages(OOPSLA), Boston, MA, USA, pp 7–9

31.

Bian P, Liang B, Zhang Y, Yang C, Shi W, Cai Y (2018) Detecting bugs by discovering expectations and their violations. IEEE Trans Softw Eng 45:984–1001CrossRef

32.

F. Yamaguchi, A. Maier, H. Gascon, and K. Rieck, (2015) “Automatic inference of search patterns for taint-style vulnerabilities,” In: Proceedings of 2015 IEEE Symposium on Security and Privacy, San Jose, CA, USA, pp 797–812.

33.

S. Liu, G. Lin, L. Qu, J. Zhang, O. De Vel, P. Montague, and Y. Xiang, (2020) ‘‘CD-VulD: Cross-domain vulnerability discovery based on deep domain adaptation, IEEE Trans. Dependable Secure Comput., early access, https://doi.org/10.1109/TDSC.2020.2984505

34.

X. Xu, C. Liu, Q. Feng, H. Yin, L. Song, and D. Song, (2017) ‘‘Neural Network Based Graph Embedding For Cross-Platform Binary Code Similarity Detection,’’ In: Proc. ACM SIGSAC Conf. Comput. Commun. Secur., pp 363–376.

35.

Jacob A. Harer, Louis Y. Kim, Rebecca L. Russell, Onur Ozdemir, Leonard R. Kosta, Akshay Rangamani, Lei H. Hamilton, Gabriel I. Centeno, Jonathan R. Key, Paul M. Ellingwood, Erik Antelman, Alan Mackay, Marc W. McConley, Jeffrey M. Opper, Peter Chin, Tomo , "Automated software vulnerability detection with machine learning," arXiv, 2018. 55.

36.

Z. Li, D. Zou, S. Xu, H. Jin, Y. Zhu and Z. Chen, "SySeVR: A Framework for Using Deep Learning to Detect Software Vulnerabilities," In: IEEE Transactions on Dependable and Secure Computing, doi: https://doi.org/10.1109/TDSC.2021.3051525

37.

Ben-Nun, T.; Jakobovits, A.S.; Hoefler, T. Neural Code Comprehension: A Learnable Representation of Code Semantics. In: Proceedings of the Advances in Neural Information Processing Systems, Montréal, QC, Canada, pp 3–8 December 2018

38.

Yi Li, Shaohua Wang, and Tien N. Nguyen. 2021. Vulnerability detection with fine-grained interpretations. In: Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering. Association for Computing Machinery, New York, NY, USA, pp 292–303. https://doi.org/10.1145/3468264.3468597.

39.

Saikat Chakraborty, Rahul Krishna, Yangruibo Ding, Baishakhi Ray. Deep Learning based Vulnerability Detection: Are We There Yet? IEEE Transactions on Software Engineering, doi: https://doi.org/10.1109/TSE.2021.3087402.

40.

Download Ffmpeg. https://ffmpeg.org/download.html

41.

Z. Chen, S. Kommrusch and M. Monperrus, "Neural Transfer Learning for Repairing Security Vulnerabilities in C Code," in IEEE Transactions on Software Engineering, vol. 49, no. 1, pp. 147–165, 1 Jan. 2023, doi: https://doi.org/10.1109/TSE.2022.3147265.

42.

Lv X, Peng T, Chen J et al (2022) BovdGFE: buffer overflow vulnerability detection based on graph feature extraction. Appl Intell. https://doi.org/10.1007/s10489-022-04214-8CrossRef

43.

Song Z, Wang J, Liu S, Fang Z, Yang K (2022) HGVul: A code vulnerability detection method based on heterogeneous source-level intermediate representation. Secur Commun Netw 2022:1919907. https://doi.org/10.1155/2022/1919907CrossRef

44.

Wei Tang, Mingwei Tang, Minchao Ban, Ziguo Zhao, Mingjun Feng. 2023 CSGVD: A deep learning approach combining sequence and graph embedding for source code vulnerability detection. Journal of Systems and Software. https://doi.org/10.1016/j.jss.2023.111623.

45.

Lin G, Xiao W, Zhang LY et al (2021) Deep neural-based vulnerability discovery demystified: data, model and performance. Neural Comput & Applic 33:13287–13300. https://doi.org/10.1007/s00521-021-05954-3CrossRef

46.

Sanghoon Jeon , Huy Kang Kim. AutoVAS: An automated vulnerability analysis system with a deep learning approach. Computers and Security.106, C. https://doi.org/10.1016/j.cose.2021.102308.

47.

Semasaba A, Zheng W, Wu X, Agyemang S (2020) Literature survey of deep learning-based vulnerability analysis on source code. IET Software 14:654–664. https://doi.org/10.1049/iet-sen.2020.0084CrossRef

48.

Lin C, Yijia Xu, Fang Y, Liu Z (2023) "VulEye: a novel graph neural network vulnerability detection approach for php application. Applied Sci 13(2):825. https://doi.org/10.3390/app13020825CrossRef

49.

Svozil D, Kvasnicka V, Pospíchal J (1997) Introduction to multi-layer feed-forward neural networks. Chemom Intell Lab Syst 39(1):43–62CrossRef

50.

Thomas N. Kipf, Max Welling (2016) Semi-Supervised Classification with Graph Convolutional Networks. arXiv, arXiv:1609.02907.

51.

Keyulu Xu, Weihua Hu, Jure Leskovec, Stefanie Jegelka (2018) How Powerful are Graph Neural Networks? arXiv, arXiv:1810.00826.

52.

Z Li, W Yang, S Peng, F Liu. A survey of convolutional neural networks: analysis, applications, and prospects. arXiv: 2004.02806.

53.

K O’Shea, R Nash. An introduction to convolutional neural networks.arXiv:1511.08458.

54.

Lin CH, Lin YC, Wu YJ et al (2021) A Survey on Deep Learning-Based Vehicular Communication Applications. J Sign Process Syst 93:369–388. https://doi.org/10.1007/s11265-020-01587-2CrossRef

55.

Ming Chen, Zhewei Wei, Zengfeng Huang, Bolin Ding, Yaliang Li (2021) Simple and Deep Graph Convolutional Networks. arXiv, arXiv:2007.02133v1.

56.

Kishan KC, Rui Li, Feng Cui, Anne Haake (2020) Predicting Biomedical Interactions with Higher-Order Graph Convolutional Networks. arXiv, arXiv:2010.08516.

57.

Muhammet Balcilar, Guillaume Renton et al (2020) Bridging the Gap Between Spectral and Spatial Domains in Graph Neural Networks. arXiv, arXiv:2003.11702.

58.

Julian Busch, Anton Kocheturov, Volker Tresp, Thomas Seidl (2021) NF-GNN: Network Flow Graph Neural Networks for Malware Detection and Classification. arXiv, arXiv:2103.03939.

59.

Goy P, EmilioFerrara, (2018) Graph embedding techniques, applications, and performance: a survey. Knowl-Based Syst 151:78–94. https://doi.org/10.1016/j.knosys.2018.03.022CrossRef

60.

Michael SchlichtkrullThomas N. Kipf, "Modeling Relational Data with Graph Convolutional Networks," Lecture Notes in Computer Science , vol. 10843, 2018.

61.

Catal, C., Akbulut, A., Ekenoglu, E., Alemdaroglu, M. (2017). Development of a Software Vulnerability Prediction Web Service Based on Artificial Neural Networks . In: Kang, U., Lim, EP., Yu, J., Moon, YS. (eds) Trends and Applications in Knowledge Discovery and Data Mining. PAKDD 2017. Lecture Notes in Computer Science(), vol 10526. Springer, Cham. https://doi.org/10.1007/978-3-319-67274-8_6.

62.

Ramchoun H, Idrissi MAJ, Ghanou Y, Ettaouil M (2016) Multilayer perceptron: architecture optimization and training. Int J Interact Multimed Artif Intell 4(1):26–29

63.

E. Hoffer and N. Ailon, (2015) Deep metric learning using triplet network,” In International Workshop on Similarity-Based Pattern Recognition. Springer, pp 84–92.

64.

https://joern.io/

65.

Nitesh VC, Kevin WB, Lawrence OH (2002) SMOTE : synthetic minority over-sampling technique. J Artif Intell Res 16(1):321–357

66.

Schroff F, Kalenichenko D, Philbin J (2015) FaceNet: A unified embedding for face recognition and clustering. IEEE Conference on Computer Vision and Pattern Recognition (CVPR) 2015:815–823. https://doi.org/10.1109/CVPR.2015.7298682CrossRef

67.

Cho DX, Son VN, Duc D (2022) Automatically Detect Software Security Vulnerabilities Based on Natural Language Processing Techniques and Machine Learning Algorithms. Journal of ICT Research and Applications 16(1):70–87. https://doi.org/10.5614/itbj.ict.res.appl.2022.16.1.5CrossRef

Titel: A novel approach for software vulnerability detection based on intelligent cognitive computing
verfasst von: Cho Do Xuan
Dao Hoang Mai
Ma Cong Thanh
Bui Van Cong
Publikationsdatum: 05.05.2023
Verlag: Springer US
Erschienen in: The Journal of Supercomputing / Ausgabe 15/2023
Print ISSN: 0920-8542
Elektronische ISSN: 1573-0484
DOI: https://doi.org/10.1007/s11227-023-05282-4

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft"

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Weitere Artikel der Ausgabe 15/2023

PCGC: a performance compact graph compiler based on multilevel fusion-splitting rules

Teaching quality monitoring and evaluation of physical education teaching in ordinary college based on edge computing optimization model

Four-dimensional trust propagation model for improving the accuracy of recommender systems

An improved opposition-based Runge Kutta optimizer for multilevel image thresholding

An efficient certificateless group signcryption scheme using Quantum Chebyshev Chaotic Maps in HC-IoT environments

Dynamic resource allocation scheme for mobile edge computing

Premium Partner