Graph neural network based approach to automatically assigning common weakness enumeration identifiers for vulnerabilities

IF 3.9 | Zone 4, Computer Science | Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS
Peng Liu, Wenzhe Ye, Haiying Duan, Xianxian Li, Shuyi Zhang, Chuanjian Yao, Yongnan Li
Journal: Cybersecurity
Publication date: 2023-11-02
Publication type: Journal Article
DOI: 10.1186/s42400-023-00160-1 (https://doi.org/10.1186/s42400-023-00160-1)
Citations: 0

Abstract

Vulnerability reports are essential for improving software security since they record key information on vulnerabilities. In a report, the CWE denotes the weakness behind the vulnerability and thus helps readers quickly understand its cause. CWE assignment is therefore useful for categorizing newly discovered vulnerabilities. In this paper, we propose an automatic CWE assignment method with graph neural networks. First, we prepare a dataset that contains 3394 real-world vulnerabilities from Linux, OpenSSL, Wireshark and many other software programs. Then, we extract statements with vulnerability syntax features from these vulnerabilities and use program slicing to slice them according to the categories of syntax features. We represent these slices as graphs that characterize the data dependency and control dependency between statements. Finally, we employ graph neural networks to learn the hidden information from these graphs and leverage a Siamese network to compute the similarity between vulnerability functions, thereby assigning CWE IDs to these vulnerabilities. The experimental results show that the proposed method is effective compared to existing methods.

Source journal: Cybersecurity (Computer Science, Information Systems)
CiteScore: 7.30
Self-citation rate: 0.00%
Articles published: 77
Review time: 9 weeks