Abstract
This article analyzes existing methods for finding software vulnerabilities. For methods that apply deep learning models to a graph representation of the code, it formulates the problem of imaginary relationships between procedures, which complicates their application to code analysis. To solve this problem, an iterative method is proposed based on an ensemble of algorithms for analyzing the graph representation of the code. The method narrows the set of code sections under consideration step by step, so that highly computationally complex methods are used more efficiently. For the proposed method, a prototype vulnerability search system for programs based on the .NET platform is presented; it was tested on a sample from NIST SARD and on software with a large amount of code.
Funding
This work was supported by ongoing institutional funding. No additional grants to carry out or direct this particular research were obtained.
Ethics declarations
The authors of this work declare that they have no conflicts of interest.
Additional information
Publisher’s Note.
Allerton Press remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
About this article
Cite this article
Kubrin, G.S., Zegzhda, D.P. Searching for Software Vulnerabilities Using an Ensemble of Algorithms for the Analysis of a Graph Representation of the Code. Aut. Control Comp. Sci. 57, 947–957 (2023). https://doi.org/10.3103/S0146411623080126
DOI: https://doi.org/10.3103/S0146411623080126