
Research On Software Security Vulnerability Mining Technology Based On Knowledge Graph

Posted on: 2022-01-05
Degree: Master
Type: Thesis
Country: China
Candidate: L Wang
Full Text: PDF
GTID: 2518306320484854
Subject: Engineering

Abstract/Summary:
With the increasingly complex structure and function of software, software security incidents occur frequently and seriously threaten national security and social stability. Software security has therefore drawn wide attention from industry and academia. Vulnerabilities are one of the root causes of software security problems. For vulnerability mining and detection, traditional methods are time-consuming, labor-intensive and inefficient. Knowledge graphs have been applied successfully in many fields and have advanced software security research. With the help of knowledge graph technologies, we can better analyze, reason about and mine the latent relationships between vulnerability semantics, improve the accuracy of software security vulnerability mining, and reduce the rate of false positives and false negatives. This paper focuses on the following three aspects:

(1) To address the low efficiency and high cost of current vulnerability sample collection, we obtain data from the NVD (National Vulnerability Database) and CVE (Common Vulnerabilities and Exposures) databases by a semi-automatic method assisted by a web crawler. The obtained data are then preprocessed and classified to obtain samples of common high-risk, controllable vulnerabilities such as SQL injection and command injection, which provides a reliable data source for the vulnerability knowledge graph.

(2) To address the low utilization of vulnerability data, insufficient semantic information and the lack of analysis methods, a method for constructing a vulnerability knowledge graph is proposed. First, based on existing software security data, five entity types, namely suppliers, affected products, vulnerabilities, vulnerability types and source code, are considered together to build the software security ontology model. Entities are then divided into software-oriented and source-oriented entities: software-oriented entities are recognized from vulnerability text descriptions mainly with a BiLSTM-CRF model, while source-oriented entities are obtained by parsing code fragments. Relationship extraction and knowledge fusion are performed for each entity type. Finally, the extracted entities and their relationships are stored in the Neo4j graph database.

(3) Because current software security vulnerability mining technology has low precision and a high false negative rate, a vulnerability mining method based on the knowledge graph is proposed. First, CWE chain reasoning is carried out on the vulnerability knowledge graph, and a logical, reasonable CWE chain is selected by a chain confidence calculation formula; the reasoning results provide a reliable basis for detecting and mining composite vulnerabilities. Then, taking the location of a dangerous function or a patch as the starting point, we compute the similarity between the nodes to be detected and the nodes in the vulnerability database with a graph similarity matching method, and determine whether a vulnerability exists by comparing the result against a threshold. Finally, experimental results indicate that the proposed method is more effective and feasible than other algorithms. Compared with traditional vulnerability mining tools, the proposed method has lower false negative and false positive rates and higher accuracy. It therefore has wide application value in vulnerability analysis, tracking, source tracing and so on.
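The CWE chain reasoning and graph similarity matching outlined in aspect (3), as an added toy example in Python that is not the thesis's code: the abstract gives neither the chain confidence formula nor the similarity measure, so a product of edge confidences and Jaccard similarity over feature sets around the danger function are assumed, and the CWE edges, confidences and vulnerability ids are constructed placeholders.

```python
# Constructed toy vulnerability knowledge graph (not the thesis's data).
# CWE chain edges (cause -> consequence) with a constructed confidence in [0, 1].
CWE_EDGES = {
    "CWE-20": [("CWE-89", 0.8), ("CWE-78", 0.7)],   # improper input validation
    "CWE-89": [("CWE-200", 0.6)],                    # SQL injection
    "CWE-78": [("CWE-200", 0.3)],                    # OS command injection
}

def chain_confidence(path):
    """Confidence of an ordered CWE chain. The abstract does not state the
    thesis's formula, so a product of edge confidences is assumed here."""
    conf = 1.0
    for cause, effect in zip(path, path[1:]):
        conf *= dict(CWE_EDGES.get(cause, [])).get(effect, 0.0)
    return conf

def reason_chains(start, min_conf=0.4):
    """Enumerate acyclic CWE chains from `start` whose confidence stays >= min_conf,
    strongest chain first; these are the 'logical and reasonable' chains."""
    found, stack = [], [[start]]
    while stack:
        path = stack.pop()
        for nxt, _ in CWE_EDGES.get(path[-1], []):
            cand = path + [nxt]
            if nxt not in path and chain_confidence(cand) >= min_conf:
                found.append((cand, round(chain_confidence(cand), 3)))
                stack.append(cand)
    return sorted(found, key=lambda c: -c[1])

# Vulnerability-database nodes: each known vulnerability is summarised by the
# graph features around its danger function (placeholder ids, not real CVEs).
VULN_DB = {
    "VULN-PLACEHOLDER-1": ("CWE-89", frozenset(
        {"call:cursor.execute", "arg:str_concat", "src:request.args", "no:param_binding"})),
    "VULN-PLACEHOLDER-2": ("CWE-78", frozenset(
        {"call:os.system", "arg:str_concat", "src:request.args", "no:shlex_quote"})),
}

def jaccard(a, b):
    """Set similarity used as the (assumed) graph similarity measure."""
    return len(a & b) / len(a | b) if a | b else 0.0

def match_vulnerability(candidate, threshold=0.6):
    """Similarity matching from a danger-function node: return (score, id, cwe) of
    the best-matching known vulnerability if the score reaches the threshold."""
    best = max(((jaccard(candidate, feats), vid, cwe)
                for vid, (cwe, feats) in VULN_DB.items()), default=(0.0, None, None))
    return best if best[0] >= threshold else None
```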
Keywords/Search Tags:vulnerability, entity recognition, knowledge graph, visualization, vulnerability mining