Learning Graph-based Patch Representations for Identifying and Assessing Silent Vulnerability Fixes

Mei Han, Lulu Wang, Jianming Chang, Bixin Li, Chunguang Zhang
DOI: arxiv-2409.08512 (https://doi.org/arxiv-2409.08512)
Venue: arXiv - CS - Software Engineering
Published: 2024-09-13
Citations: 0

Abstract

Software projects depend on many third-party libraries, so high-risk vulnerabilities can propagate through the dependency chain to downstream projects. Owing to the subjective nature of patch management, software vendors commonly fix vulnerabilities silently. Silent vulnerability fixes leave downstream software unaware of urgent security issues in a timely manner, posing a security risk to that software. Presently, most existing work on vulnerability fix identification treats the changed code only as a sequential textual sequence, ignoring the structural information of the code. In this paper, we propose GRAPE, a GRAph-based Patch rEpresentation that aims to 1) provide a unified framework for obtaining representations of vulnerability fix patches; and 2) enhance the understanding of the intent and potential impact of patches by extracting structural information from the code. GRAPE employs a novel joint graph structure (MCPG) to represent the syntactic and semantic information of fix patches and embeds both nodes and edges. Subsequently, a carefully designed graph convolutional neural network (NE-GCN) is used to fully learn structural features by leveraging the attributes of the nodes and edges. Moreover, we construct a dataset containing 2251 silent fixes. In the experimental section, we evaluate the patch representation on three tasks: vulnerability fix identification, vulnerability type classification, and vulnerability severity classification. Experimental results indicate that, compared with baseline methods, GRAPE more effectively reduces false positives and false negatives in vulnerability fix identification and provides accurate vulnerability assessments.
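The abstract's central claim is that a patch carries structural information (syntax tree shape, statement order, data flow between the edited lines) that a model reading the diff as a token sequence never sees. The following is an added illustration of that idea and is not code from the paper or its authors: the page does not describe how MCPG is actually built, so this block uses Python's standard `ast` module as the parser and assumes three edge kinds ('ast' parent-child, 'next' statement order, and a flow-insensitive 'def_use' from parameters and assignments to later loads) as a stand-in for a joint syntactic/semantic graph. The before/after snippets are a constructed, hypothetical silent fix (a bounds check added before an index), not an entry from the paper's dataset. Nodes are matched across versions by label and breadth-first occurrence, a deliberately cheap heuristic.

```python
"""Added example: a patch as a labelled graph rather than a text diff.
Simplified stand-in for a joint syntax/semantics patch graph; the paper's
MCPG construction is not given on this page and is not reproduced here."""
import ast
from collections import Counter, deque

# Constructed before/after snippets for a hypothetical silent fix that adds a
# bounds check. Not taken from the paper's dataset.
BEFORE = """\
def read_item(buf, idx):
    return buf[idx]
"""
AFTER = """\
def read_item(buf, idx):
    if idx < 0 or idx >= len(buf):
        raise IndexError("out of range")
    return buf[idx]
"""

# Context/operator markers are shared singletons in CPython; they are folded
# into the source text of their parent node instead of becoming graph nodes.
_SKIP = (ast.expr_context, ast.boolop, ast.operator, ast.unaryop, ast.cmpop)


def _label(node, src):
    """AST type plus source text. Compound statements are keyed by type only,
    so editing a body does not make the enclosing node look added+removed."""
    if isinstance(node, ast.FunctionDef):
        return f"FunctionDef {node.name}"
    if hasattr(node, "body"):
        return type(node).__name__
    seg = ast.get_source_segment(src, node) if hasattr(node, "lineno") else None
    return type(node).__name__ if seg is None else f"{type(node).__name__} {seg}"


def _children(node):
    return [c for c in ast.iter_child_nodes(node) if not isinstance(c, _SKIP)]


def build_graph(src):
    """Return (nodes, edges) for one version. A node id is (label, k): the k-th
    node with that label in breadth-first order, which lets unchanged nodes be
    matched across versions. edges is a set of (src_id, dst_id, kind)."""
    tree = ast.parse(src)
    order, ids, seen = [], {}, Counter()
    queue = deque([tree])
    while queue:                                   # breadth-first traversal
        n = queue.popleft()
        lab = _label(n, src)
        seen[lab] += 1
        ids[id(n)] = (lab, seen[lab])
        order.append(n)
        queue.extend(_children(n))
    nodes = {ids[id(n)]: _label(n, src) for n in order}
    edges = set()
    for n in order:
        for c in _children(n):
            edges.add((ids[id(n)], ids[id(c)], "ast"))        # syntax tree
        body = getattr(n, "body", None)
        if isinstance(body, list):
            for a, b in zip(body, body[1:]):
                edges.add((ids[id(a)], ids[id(b)], "next"))   # statement order
    for fn in (n for n in order if isinstance(n, ast.FunctionDef)):
        defs = {}                                  # name -> defining node ids
        for a in fn.args.args:
            defs.setdefault(a.arg, []).append(ids[id(a)])
        for n in ast.walk(fn):
            if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Store):
                defs.setdefault(n.id, []).append(ids[id(n)])
        for n in ast.walk(fn):
            if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Load):
                for d in defs.get(n.id, []):
                    edges.add((d, ids[id(n)], "def_use"))    # flow-insensitive
    return nodes, edges


def patch_graph(before, after):
    """Merge both versions into one patch graph; every node and edge is tagged
    'added', 'removed' or 'context' (present in both versions)."""
    b_nodes, b_edges = build_graph(before)
    a_nodes, a_edges = build_graph(after)
    nodes = {nid: (lab, "context" if nid in b_nodes else "added")
             for nid, lab in a_nodes.items()}
    for nid, lab in b_nodes.items():
        if nid not in a_nodes:
            nodes[nid] = (lab, "removed")
    edges = {(e, "context" if e in b_edges else "added") for e in a_edges}
    edges |= {(e, "removed") for e in b_edges - a_edges}
    return nodes, edges


def summarize(nodes, edges):
    """Count nodes by (change, AST type) and edges by (change, kind): the
    structural signal a sequence model of the diff text does not see."""
    node_counts = Counter((chg, lab.split(" ", 1)[0]) for lab, chg in nodes.values())
    edge_counts = Counter((chg, kind) for (_, _, kind), chg in edges)
    return node_counts, edge_counts


if __name__ == "__main__":
    nodes, edges = patch_graph(BEFORE, AFTER)
    node_counts, edge_counts = summarize(nodes, edges)
    for key in sorted(node_counts):
        print("node", key, node_counts[key])
    for key in sorted(edge_counts):
        print("edge", key, edge_counts[key])
```

Run on the constructed fix, the graph records that one `If`, two `Compare` nodes and one `Raise` were added, nothing was removed, one new `next` edge places the check before the existing `return`, and three new `def_use` edges tie the added check to both parameters of the function. That last point is the kind of signal the abstract argues a token-sequence view of the diff discards: the guard consumes `buf` and `idx`, the same values the unchanged `buf[idx]` dereferences. The occurrence-based node matching is a heuristic and will mis-pair nodes when identical subexpressions are reordered; a production system would use a proper tree-differencing step instead.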