Graph neural network based approach to automatically assigning common weakness enumeration identifiers for vulnerabilities
Tóm tắt
Vulnerability reports are essential for improving software security since they record key information on vulnerabilities. In a report, CWE denotes the weakness of the vulnerability and thus helps quickly understand the cause of the vulnerability. Therefore, CWE assignment is useful for categorizing newly discovered vulnerabilities. In this paper, we propose an automatic CWE assignment method with graph neural networks. First, we prepare a dataset that contains 3394 real world vulnerabilities from Linux, OpenSSL, Wireshark and many other software programs. Then, we extract statements with vulnerability syntax features from these vulnerabilities and use program slicing to slice them according to the categories of syntax features. On top of slices, we represent these slices with graphs that characterize the data dependency and control dependency between statements. Finally, we employ the graph neural networks to learn the hidden information from these graphs and leverage the Siamese network to compute the similarity between vulnerability functions, thereby assigning CWE IDs for these vulnerabilities. The experimental results show that the proposed method is effective compared to existing methods.
Tài liệu tham khảo
Aivatoglou G, Anastasiadis M, Spanos G, Voulgaridis A, Votis K, Tzovaras D (2021) A tree-based machine learning methodology to automatically classify software vulnerabilities. In: 2021 IEEE International Conference on Cyber Security and Resilience (CSR), pp 312–317
Common Vulnerabilities and Exposures (2023) https://cve.mitre.org/. Accessed on 15 Jan 2023
Common Weakness Enumeration (2023) https://cwe.mitre.org/. Accessed on 15 Jan 2023
Cui L, Hao Z, Jiao Y, Fei H, Yun X (2020) Vuldetector: detecting vulnerabilities using weighted feature graph comparison. IEEE Trans Inf Forensics Secur 16:2004–2017
CVE-2016-2842 (2023) https://www.cvedetails.com/cve/CVE-2016-2842/. Accessed on 15 Jan 2023
CVE-2022-32552 (2023) https://www.cvedetails.com/cve/CVE-2022-32552/. Accessed on 15 Jan 2023
CVE-2022-33936 (2023) https://www.cvedetails.com/cve/CVE-2022-33936/. Accessed on 15 Jan 2023
CVEDetails (2023) https://www.cvedetails.com/. Accessed on 15 Jan 2023
Dam HK, Pham T, Ng SW, Tran T, Grundy J, Ghose A, Kim CJ (2018) A deep tree-based model for software defect prediction. arXiv preprint arXiv:1802.00921
Das SS, Serra E, Halappanavar M, Pothen A, Al-Shaer E (2021) V2w-bert: a framework for effective hierarchical multiclass classification of software vulnerabilities. In: 2021 IEEE 8th International Conference on Data Science and Advanced Analytics (DSAA), pp 1–12
DeLooze LL (2004) Classification of computer attacks using a self-organizing map. In: Proceedings from the Fifth Annual IEEE SMC Information Assurance Workshop, pp 365–369
Fukushima K (1980) A self-organizing neural network model for a mechanism of pattern recognition unaffected by shift in position. Biol Cybern 36:193–202
Joern tool (2023) https://joern.io/. Accessed on 15 Jan 2023
Kipf TN, Welling M (2016) Semi-supervised classification with graph convolutional networks. arXiv preprint arXiv:1609.02907
Lattner C, Adve V (2004) LLVM: a compilation framework for lifelong program analysis & transformation. In: International symposium on code generation and optimization, 2004. CGO, pp 75–86
Le Q, Mikolov T (2014) Distributed representations of sentences and documents. In: International conference on machine learning, pp 1188–1196
Li Z, Zou D, Xu S, Jin H, Zhu Y, Chen Z (2021a) Sysevr: a framework for using deep learning to detect software vulnerabilities. IEEE Trans Dependable Secure Comput 19(4):2244–2258
Li Y, Wang S, Nguyen TN (2021b) Vulnerability detection with fine-grained interpretations. In: Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp 292–303
Mikolov T, Chen K, Corrado G, Dean J (2013) Efficient estimation of word representations in vector space. arXiv preprint arXiv:1301.3781
Na S, Kim T, Kim H (2017) A study on the classification of common vulnerabilities and exposures using naïve bayes. In: Advances on Broad-Band Wireless Computing, Communication and Applications: Proceedings of the 11th International Conference On Broad-Band Wireless Computing, Communication and Applications (BWCCA–2016) November 5–7, 2016, Korea, Springer International Publishing, pp 657–662
Neculoiu P, Versteegh M, Rotaru M (2016) Learning text similarity with siamese recurrent networks. In: Proceedings of the 1st Workshop on Representation Learning for NLP, pp 148–157
Neuhaus S, Zimmermann T (2010) Security trend analysis with cve topic models. In: 2010 IEEE 21st International Symposium on Software Reliability Engineering, pp 111–120
Rahman MM, Yeasmin S (2013) Adaptive bug classification for cve list using bayesian probabilistic approach. USask, Saskatoon
Russell SJ (2010) Artificial intelligence a modern approach. Pearson Education, Inc
Shi X, Chen Z, Wang H, Yeung DY, Wong WK, Woo WC (2015) Convolutional LSTM network: A machine learning approach for precipitation nowcasting. Adv Neural Inf Process Syst 28
Sun H, Cui L, Li L, Ding Z, Hao Z, Cui J, Liu P (2021) VDSimilar: vulnerability detection based on code similarity of vulnerabilities and patches. Comput Secur 110:102417
The code static analysis tool Checkmarx (2023) https://checkmarx.com/. Accessed on 15 Jan 2023
Vulncode-db (2023) https://www.vulncode-db.com/. Accessed on 15 Jan 2023
Wang Q, Li Y, Wang Y, Ren J (2022) An automatic algorithm for software vulnerability classification based on CNN and GRU. Multim Tools Appl 81(5):7103–7124
Wita R, Teng-Amnuay Y (2005) Vulnerability profile for linux. In: 19th International Conference on Advanced Information Networking and Applications (AINA'05) Volume 1 (AINA papers) Vol 1, pp 953–958
Xiao Y, Chen B, Yu C, Xu Z, Yuan Z, Li F, Shi W (2020) MVP: detecting vulnerabilities using patch-enhanced vulnerability signatures. In: USENIX Security Symposium, pp 1165–1182
Zhou Y, Liu S, Siow J, Du X, Liu Y (2019) Devign: effective vulnerability identification by learning comprehensive program semantics via graph neural networks. Adv Neural Inf Process Syst 32