Vulnerability detection based on transformer and high-quality number embedding

IF 1.5 4区计算机科学 Q3 COMPUTER SCIENCE, SOFTWARE ENGINEERING

Concurrency and Computation-Practice & Experience Pub Date : 2024-09-23 DOI:10.1002/cpe.8292

Yang Cao, Yunwei Dong, Jiajie Peng

{"title":"Vulnerability detection based on transformer and high-quality number embedding","authors":"Yang Cao, Yunwei Dong, Jiajie Peng","doi":"10.1002/cpe.8292","DOIUrl":null,"url":null,"abstract":"<div>\n \n <p>Software vulnerability detection is an important problem in software security. In recent years, deep learning offers a novel approach for source code vulnerability detection. Due to the similarities between programming languages and natural languages, many natural language processing techniques have been applied to vulnerability detection tasks. However, specific problems within vulnerability detection tasks, such as buffer overflow, involve numerical reasoning. For these problems, the model needs to not only consider long dependencies and multiple relationships between statements of code but also capture the magnitude property of numerical literals in the program through high-quality number embeddings. Therefore, we propose VDTransformer, a Transformer-based method that improves source code embedding by integrating word and number embeddings. Furthermore, we employ Transformer encoders to construct a hierarchical neural network that extracts semantic features from the code and enables line-level vulnerability detection. To evaluate the effectiveness of the method, we construct a dataset named <i>OverflowGen</i> based on templates for buffer overflow. Experimental comparisons on <i>OverflowGen</i> with a well-known static vulnerability detector and two state-of-the-art deep learning-based methods confirm the effectiveness of VDTransformer and the importance of high-quality number embeddings in vulnerability detection tasks involving numerical features.</p>\n </div>","PeriodicalId":55214,"journal":{"name":"Concurrency and Computation-Practice & Experience","volume":"36 28","pages":""},"PeriodicalIF":1.5000,"publicationDate":"2024-09-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Concurrency and Computation-Practice & Experience","FirstCategoryId":"94","ListUrlMain":"https://onlinelibrary.wiley.com/doi/10.1002/cpe.8292","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, SOFTWARE ENGINEERING","Score":null,"Total":0}

引用次数: 0

Abstract

Software vulnerability detection is an important problem in software security. In recent years, deep learning offers a novel approach for source code vulnerability detection. Due to the similarities between programming languages and natural languages, many natural language processing techniques have been applied to vulnerability detection tasks. However, specific problems within vulnerability detection tasks, such as buffer overflow, involve numerical reasoning. For these problems, the model needs to not only consider long dependencies and multiple relationships between statements of code but also capture the magnitude property of numerical literals in the program through high-quality number embeddings. Therefore, we propose VDTransformer, a Transformer-based method that improves source code embedding by integrating word and number embeddings. Furthermore, we employ Transformer encoders to construct a hierarchical neural network that extracts semantic features from the code and enables line-level vulnerability detection. To evaluate the effectiveness of the method, we construct a dataset named OverflowGen based on templates for buffer overflow. Experimental comparisons on OverflowGen with a well-known static vulnerability detector and two state-of-the-art deep learning-based methods confirm the effectiveness of VDTransformer and the importance of high-quality number embeddings in vulnerability detection tasks involving numerical features.

查看原文本刊更多论文

基于变压器和高质量数字嵌入的漏洞检测

软件漏洞检测是软件安全领域的一个重要问题。近年来，深度学习为源代码漏洞检测提供了一种新方法。由于编程语言与自然语言的相似性，许多自然语言处理技术已被应用到漏洞检测任务中。然而，漏洞检测任务中的特定问题（如缓冲区溢出）涉及数字推理。对于这些问题，模型不仅需要考虑代码语句之间的长依赖关系和多重关系，还需要通过高质量的数字嵌入来捕捉程序中数字字面的大小属性。因此，我们提出了 VDTransformer，这是一种基于 Transformer 的方法，它通过整合词嵌入和数字嵌入来改进源代码嵌入。此外，我们还利用 Transformer 编码器构建了一个分层神经网络，该网络可从代码中提取语义特征，并实现行级漏洞检测。为了评估该方法的有效性，我们基于缓冲区溢出模板构建了一个名为 OverflowGen 的数据集。在 OverflowGen 上与著名的静态漏洞检测器和两种最先进的基于深度学习的方法进行的实验比较证实了 VDTransformer 的有效性，以及高质量数字嵌入在涉及数字特征的漏洞检测任务中的重要性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Concurrency and Computation-Practice & Experience 工程技术-计算机：理论方法

CiteScore

5.00

自引率

10.00%

发文量

664

审稿时长

9.6 months

期刊介绍： Concurrency and Computation: Practice and Experience (CCPE) publishes high-quality, original research papers, and authoritative research review papers, in the overlapping fields of: Parallel and distributed computing; High-performance computing; Computational and data science; Artificial intelligence and machine learning; Big data applications, algorithms, and systems; Network science; Ontologies and semantics; Security and privacy; Cloud/edge/fog computing; Green computing; and Quantum computing.