Vulmg: A Static Detection Solution For Source Code Vulnerabilities Based On Code Property Graph and Graph Attention Network

Abstract

As the number of vulnerabilities continues to rise, security incidents triggered by vulnerabilities emerge endlessly. Current vulnerability detection methods still have some problems, such as detecting only a single function, relying heavily on expert knowledge, and being unable to achieve automation. According to the observation of the Juliet dataset, we find vulnerability exists not only within the single function but also between the called function and the calling function. Meanwhile, there are some differences between vulnerable functions and non-vulnerable functions in the code property graph. Therefore, this article proposes a vulnerability detection solution named VULMG, which converts vulnerability detection into the graph classification problem. VULMG includes a vectorization component named VecG and a deep learning classification model named MGGAT. Based on the code property graph, VecG extracts the lexical, grammatical, and semantic information of the source code as a feature matrix and extracts information such as structure, control, and dependence as three adjacency matrices. MGGAT is a deep learning model based on the graph attention network, which is used for graph classification. Besides, VULMG uses the FCG to associate the calling function with the called function so that it can detect the cross-function vulnerabilities. We selected CWE369 and CWE476 from the Juliet dataset for testing, and the F1 scores were 94.43% and 96.3%. The evaluation results indicate that VULMG outperforms Flawfinder, RATS, BiLSTM, SVM, and GCN, which verifies the effectiveness of the proposed solution.