| Every year, the economic and social losses caused by software vulnerabilities cause serious trouble, so how to detect software vulnerabilities effectively has attracted attention. Traditional software vulnerability detection methods are time-consuming and rely on the subjective understanding of vulnerability experts, and researchers have begun to use deep learning technology to explore more efficient software vulnerability detection methods. Current research on software vulnerability detection based on deep learning technology mainly has the following two deficiencies. First, previous studies focused only on the static form of the vulnerability code and used various ways to formalize the code for feature extraction, ignoring the dynamic flow characteristics of data flow and control flow in the vulnerability code; these contain semantic and structural characteristics of the vulnerability code and can improve the effect of software vulnerability detection. This thesis uses the idea of dynamic neural networks for modeling, and studies how to effectively use the dynamic flow characteristics of vulnerability code to detect software vulnerabilities. Second, most current studies use only the characteristics of a single structure (in this thesis, the term "modal" denotes the view of structural information from a particular source) to study the vulnerability code, such as data characteristics based on sequence structure or graph structure, without in-depth research on multi-structure (multi-modal) fusion. These characteristics can effectively complement each other and enrich the characterization of vulnerability code. This thesis considers the dynamic flow characteristics of vulnerability code on the basis of multi-modal fusion research and experimental verification. To address these two points, a Dynamic Graph Neural Network Based Method for Predicting Software Vulnerability (Vul-DYGNN) and a Multi-Modal based Dynamic Perception Method for Predicting Software Vulnerability (Vul-MMDP) are proposed in this thesis. To establish the Vul-DYGNN model, we use the idea of dynamic graph neural networks to slice the complete program dependency graph according to node order and divide it into several groups of subgraphs. We regard each subgraph as a "snapshot" at a different time point in a discrete dynamic graph neural network, train each subgraph separately with a gated graph neural network to learn its semantic and structural information, then input the results into a long short-term memory (LSTM) network to capture the time-dimension information, and finally obtain the software vulnerability detection result. To establish the Vul-MMDP model, we further integrate the abstract syntax tree and the control flow graph on the basis of the dependency graph features extracted by the Vul-DYGNN model, and consider the dynamics from two modals, sequence structure and graph structure. First, the abstract syntax tree of the vulnerability code is converted into a sequence using the sbt algorithm, which converts tree-structured data into a sequence. The complete sequence is sliced into several groups of short sub-sequences according to the order of nodes. The sub-sequences are trained separately by a recurrent neural network, and the results are then input into the LSTM network as the modal features based on sequence structure. Then, for the modal features of the graph structure, we add the edges of the control flow graph to the control-dependence and data-dependence edges contained in the program dependency graph, and obtain richer graph-structure modal features following the method of the Vul-DYGNN model. Finally, the information of the two modals is fused, and the validity of the model is verified by experiments. The accuracy of the model reached 86.6% and the recall reached 85.2%. In this thesis, experiments are conducted on a public dataset and compared with current advanced models. The experimental results show that our model has more advantages in software vulnerability detection tasks. |
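
The two slicing steps described in the abstract, as an added Python illustration that is not code from the thesis. It assumes "sbt" is the structure-based traversal; the window sizes, the tuple-based tree format, the constructed sample AST/PDG, and the rule that a snapshot keeps only edges with both endpoints inside it are all assumptions, since the abstract does not specify them.

```python
# Added illustration, not the thesis implementation. Window sizes and the
# edge-retention rule below are assumptions.

def sbt(node):
    """Structure-based traversal: '( label', then each child, then ') label'."""
    label, children = node
    tokens = ["(", label]
    for child in children:
        tokens.extend(sbt(child))
    tokens.extend([")", label])
    return tokens

def slice_sequence(tokens, size):
    """Cut the full SBT sequence into consecutive sub-sequences, in node order."""
    return [tokens[i:i + size] for i in range(0, len(tokens), size)]

def slice_graph(nodes, edges, size):
    """Split a dependency graph into ordered 'snapshots' of `size` nodes each.

    Assumption: a snapshot keeps an edge only if both endpoints fall inside it,
    so edges that cross a snapshot boundary are dropped here.
    """
    snapshots = []
    for i in range(0, len(nodes), size):
        group = nodes[i:i + size]
        members = set(group)
        kept = [e for e in edges if e[0] in members and e[1] in members]
        snapshots.append((group, kept))
    return snapshots

# Constructed sample for `char buf[8]; strcpy(buf, src);` (hypothetical labels).
AST = ("Block", [
    ("Decl", [("Name:buf", []), ("Size:8", [])]),
    ("Call:strcpy", [("Name:buf", []), ("Name:src", [])]),
])
# Nodes listed in statement order: n1 param src, n2 decl buf, n3 strcpy, n4 return.
PDG_NODES = ["n1", "n2", "n3", "n4"]
PDG_EDGES = [("n1", "n3", "data"), ("n2", "n3", "data"), ("n3", "n4", "control")]

if __name__ == "__main__":
    tokens = sbt(AST)
    print(" ".join(tokens))
    for chunk in slice_sequence(tokens, 8):
        print("sub-sequence:", chunk)
    for group, kept in slice_graph(PDG_NODES, PDG_EDGES, 2):
        print("snapshot:", group, "edges:", kept)
```

With a window of two nodes, both data-dependence edges into `n3` cross the snapshot boundary and are dropped under the assumed retention rule, which shows how strongly the choice of slice size and edge rule shapes what each per-snapshot graph network can see.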