Intelligent detection of vulnerable functions in software through neural embedding-based code analysis

IF 1.5 | Zone 4, Computer Science | Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS
Peng Zeng, Guanjun Lin, Jun Zhang, Ying Zhang
DOI: 10.1002/nem.2198
Journal: International Journal of Network Management, volume 33, issue 3
Publication date: 2022-03-14 (journal article)
URL: https://onlinelibrary.wiley.com/doi/10.1002/nem.2198
Open access: no
Citation count: 1

Abstract

Software vulnerability is a fundamental problem in cybersecurity, posing severe threats to the secure operation of devices and systems. In this paper, we propose a new vulnerability detection framework that employs advanced neural embedding. For example, CodeBERT is a large-scale pre-trained embedding model for natural language and programming language. It achieves state-of-the-art performance on various natural language processing and code analysis tasks, demonstrating improved generalization ability compared with conventional models. The proposed framework encapsulates CodeBERT as a code representation generator and combines it with transfer learning to conduct cross-project vulnerability detection. Considering the lack of code embedding models for C source code, we extract knowledge from C source code to fine-tune the pre-trained embedding model, so as to better facilitate the detection of function-level vulnerabilities in C open-source projects. To address the severe data imbalance issue in real-world scenarios, we introduce the idea of code augmentation and use a large amount of synthetic vulnerability data to further improve the robustness of the detection method. Experimental results show that the proposed vulnerability detection framework achieves better performance than existing methods.

Source journal: International Journal of Network Management (COMPUTER SCIENCE, INFORMATION SYSTEMS; TELECOMMUNICATIONS)
CiteScore: 5.10
Self-citation rate: 6.70%
Articles published: 25
Review time: >12 weeks
Journal description: Modern computer networks and communication systems are increasing in size, scope, and heterogeneity. The promise of a single end-to-end technology has not been realized and likely never will occur. The decreasing cost of bandwidth is increasing the possible applications of computer networks and communication systems to entirely new domains. Problems in integrating heterogeneous wired and wireless technologies, ensuring security and quality of service, and reliably operating large-scale systems including the inclusion of cloud computing have all emerged as important topics. The one constant is the need for network management. Challenges in network management have never been greater than they are today. The International Journal of Network Management is the forum for researchers, developers, and practitioners in network management to present their work to an international audience. The journal is dedicated to the dissemination of information, which will enable improved management, operation, and maintenance of computer networks and communication systems. The journal is peer reviewed and publishes original papers (both theoretical and experimental) by leading researchers, practitioners, and consultants from universities, research laboratories, and companies around the world. Issues with thematic or guest-edited special topics typically occur several times per year. Topic areas for the journal are largely defined by the taxonomy for network and service management developed by IFIP WG6.6, together with IEEE-CNOM, the IRTF-NMRG and the Emanics Network of Excellence.