检索结果-内蒙古大学图书馆

IEEE International Symposium on Circuits and Systems (ISCAS)

作者： Du, Gewangzi Chen, Liwei Wu, Tongshuai Zheng, Xiong Shi, Gang Chinese Acad Sci Inst Informat Engn Beijing Peoples R China Univ Chinese Acad Sci Sch Cyber Secur Beijing Peoples R China

ISBN: (纸本)9798350330991;9798350331004

Deep learning is becoming an important means to detect source code vulnerabilities. However, the most severe problem is the compromise of detection performance when there is a scarcity of labeled data. Researchers employed transfer learning skills to solve the problem but existing approaches utilised limited information, which failed to contain various of vulnerability patterns. The code property graph (CPG), which encapsulates abundant syntax and semantic information, is able to accommodate more vulnerability patterns. In this paper, we propose the first CPG-based cross-domain vulnerability detection system which includes an approach to represent the CPG of code snippet into vector. A deep fusion model is devised to generate the fused deep features;Moreover, we extend a metric learning algorithm to reduce data distributions from different domains. Experimental results prove our system is much more effective compared with other state-of-the-art cross-domain approaches.

关键词： vulnerability detection cross-domain code property graph feature fusion cyber security

来源：评论

学校读者我要写书评

暂无评论

REMS: Recommending Extract Method Refactoring Opportunities via Multi-view Representation of code property graph 31

REMS: Recommending Extract Method Refactoring Opportunities ...

引用

31st IEEE/ACM International Conference on Program Comprehension (ICPC)

作者： Cui, Di Wang, Qiangqiang Wang, Siqi Chi, Jianlei Li, Jianan Wang, Lu Li, Qingshan Xidian Univ Sch Comp Sci & Technol Xian 710071 Peoples R China

ISBN: (纸本)9798350337501

Extract Method is one of the most frequently performed refactoring operations for the decomposition of large and complex methods, which can also be combined with other refactoring operations to remove a variety of design flaws. Several Extract Method refactoring tools have been proposed based on the quantification of extraction criteria. To the best of our knowledge, state-of-the-art related techniques can be broadly divided into two categories: the first line is non-machine-learning-based approaches built on heuristics, and the second line is machine learning-based approaches built on historical data. Most of these approaches characterize the extraction criteria by deriving software metrics from fine-grained code properties. However, in most cases, these metrics can be challenging to concretize, and their selections and thresholds also largely rely on expert knowledge. Thus, in this paper, we propose an approach to automatically recommend Extract Method refactoring opportunities named REMS via mining multi-view representations from code property graph. We fuse various representations together using compact bilinear pooling and further train machine learning classifiers to guide the extraction of suitable lines of code as new method. We evaluate our approach on two publicly available datasets. The results show that our approach outperforms five state-of-the-art refactoring tools including GEMS, JExtract, SEMI, JDeodorant, and Segmentation in effectiveness and usefulness. Our approach demonstrates an increase of 29% in precision, 15% in recall, and 23% in f1-measure. The results also unveil practical suggestions and provide new insights that benefit additional extract-related refactoring techniques.

关键词： Extract Method Refactoring code property graph Representation Learning

来源：评论

学校读者我要写书评

暂无评论

What Makefile? Detecting Compiler Information Without Source Using The code property graph 4

What Makefile? Detecting Compiler Information Without Source...

引用

IEEE 4th International Conference on Trust, Privacy and Security in Intelligent Systems, and Applications (IEEE TPS-ISA)

作者： Deaton, Sean Blue Star & Bogart Associates Columbia MD 21045 USA

ISBN: (纸本)9781665474085

Users frequently lack access to the underlying source code and build artifacts of the programs they use. Without access, uncovering information about programs, such as compiler information or security properties, becomes a difficult task. Various methods exist for static analysis testing on source code languages, but few tools work solely with the executable machine code. This paper proposes constructing the code property graph from a program's lifted machine code to observe structural differences between other executables. We implement our approach with the Binary Ninja Intermediate Language (BNIL) and the graph2vec neural embedding framework to create embedded representations of the graphical properties of the program. Downstream applications, such as supervised machine learning, can then analyze these representations. We demonstrate the effectiveness of our approach by training a supervised random forest classifier on the embedded graphs to determine, at the function level, which compiler, clang or gcc, created the executable the function belongs to. Our results achieved an accuracy of 100% across our testing set of 25,600 samples.

关键词： compiler code property graph static analysis Binary Ninja graph2vec

来源：评论

学校读者我要写书评

暂无评论

CPGBERT: An Effective Model for Defect Detection by Learning Program Semantics via code property graph 21

CPGBERT: An Effective Model for Defect Detection by Learning...

引用

21st IEEE International Conference on Trust, Security and Privacy in Computing and Communications (IEEE TrustCom)

作者： Liu, Jingqiang Zhu, Xiaoxi Liu, Chaoge Cui, Xiang Liu, Qixu Chinese Acad Sci Inst Informat Engn Beijing Peoples R China Univ Chinese Acad Sci Sch Cyber Secur Beijing Peoples R China Zhongguancun Lab Beijing Peoples R China

ISBN: (纸本)9781665494250

With the increasing complexity of software composition, code defects have become a long-term problem in software security. Traditional static analysis techniques cannot exhaustively enumerate all unsafe modes, and problems such as low path coverage rate brought by dynamic detection techniques make software security vulnerability detection inefficient. Methods based on Natural Language Processing have promoted the research of code defect detection tasks;however, there are problems of insufficient code semantic learning and limited data processing by pre-trained models. To solve these problems, from the perspective of enriching model input semantics and improving the model's ability to process data, based on the Transformer model, we propose a hierarchical compression encoder model CPGBERT to detect whether the target function has defects. By using the regularity of the program context and structure, the program code is sliced for the input-output variables related to the objective function and dependencies on the codes' propagation paths. Extract multiple code property graph information on rich semantics from the sliced program code for graph fusion, and embed the fused code property graph into the model by grouping. During the learning process, the independent hidden layer features are compressed and aggregated to make the model focus on the deep semantic learning of the objective function. The experiment uses the codeXGLUE benchmark dataset and compares 6 kinds of code defect detection models having better performance to perform defect detection and effect evaluation on actual engineering code. The results show that the accuracy of the CPGBERT detection model is 67.97%, which is 5.89% higher than the codeBERT model proposed by Microsoft and 1.35% higher than the state-of-the-art model CoTexT.

关键词： Software Security code Analysis Defect Detection code property graph Natural Language Processing

来源：评论

学校读者我要写书评

暂无评论

CPGVA: code property graph based Vulnerability Analysis by Deep Learning

CPGVA: Code Property Graph based Vulnerability Analysis by D...

引用

10th International Conference on Advanced Infocomm Technology (ICAIT)

作者： Wang Xiaomeng Zhang Tao Wu Runpu Xin Wei Hou Changyu China Informat Technol Secur Evaluat Ctr Beijing Peoples R China China Anhua Technol Ltd Co Beijing Peoples R China

ISBN: (纸本)9781538679364

The vast majority of security breaches encountered recent years are direct result of insecure source code. Therefore, the protection of software critically depends on the identification of security defect in source cod. The development and progress of relative technologies depend on the analysts' understanding of the safety issues and the accumulation of long-term experience, which provides a technical basis for the development of vulnerability analysis, but difficult to meet the growing demand of the code security industry. With the maturity of big data technology, the development of natural language processing, deep learning and data mining technology provided new ideas for vulnerability analysis. This paper exploited deep learning methods to review source code on basis of code property graph. We implemented our approach on public datasets Software Assurance Reference Dataset (SARD) of C/C++ command injection and compared with current popular methods, which proved that the proposed code property graph based vulnerability analysis by deep learning (CPGVA) method outper-formed the state of art deep learning source code defect analysis method with the improvement of about 4.5%, 4.2%, 1.7%, 7.9%, 8.1% respectively in femeasure, precision, false positive rate, true positive rate and false negative rate.

关键词： source code review code property graph deep learning vulnerability analysis stream extraction

来源：评论

学校读者我要写书评

暂无评论

Cloud property graph: Connecting Cloud Security Assessments with Static code Analysis 14

Cloud Property Graph: Connecting Cloud Security Assessments ...

引用

IEEE 14th International Conference on Cloud Computing (CLOUD)

作者： Banse, Christian Kunz, Immanuel Schneider, Angelika Weiss, Konrad Fraunhofer AISEC Garching Germany

ISBN: (纸本)9781665400602

In this paper, we present the Cloud property graph (CloudPG), which bridges the gap between static code analysis and runtime security assessment of cloud services. The CloudPG is able to resolve data flows between cloud applications deployed on different resources, and contextualizes the graph with runtime information, such as encryption settings. To provide a vendorand technology-independent representation of a cloud service's security posture, the graph is based on an ontology of cloud resources, their functionalities and security features. We show, using an example, that our CloudPG framework can be used by security experts to identify weaknesses in their cloud deployments, spanning multiple vendors or technologies, such as AWS, Azure and Kubernetes. This includes misconfigurations, such as publicly accessible storages or undesired data flows within a cloud service, as restricted by regulations such as GDPR.

关键词： cloud security cloud security assessment static code analysis code property graph configuration monitoring

来源：评论

学校读者我要写书评

暂无评论

ADCPG: Classifying JavaScript code property graphs with Explanations for Ad and Tracker Blocking 23

ADCPG: Classifying JavaScript Code Property Graphs with Expl...

引用

30th ACM SIGSAC Conference on Computer and Communications Security (ACM CCS)

作者： Lee, Changmin Son, Sooel Korea Adv Inst Sci & Technol Daejeon South Korea

ISBN: (纸本)9798400700507

Advertising and tracking service (ATS) blocking has been safeguarding the privacy of millions of Internet users from privacy-invasive tracking behaviors. Previous research has proposed using a graph representation that models the structural relationships in loading web resources and then conducting ATS node classification based on this graph representation. However, these context-based ATS classification methods suffer from (1) inconsistent classification due to the varying context in which ATS resources are loaded and (2) a lack of explainability of the classification results, making it difficult to identify the code-level causes for ATS classification. We propose AdCPG, a graph neural network (GNN) framework tailored for ATS classification. Our approach focuses on classifying JavaScript ( JS) content rather than considering the loading context of web resources. Given JS files, AdCPG leverages their code property graphs (CPGs) and conducts graph classification on these CPGs that model the semantic and structural information of these JS files. To provide the explanations for ATS classification, AdCPG highlights the JS code that contributes the most to classifying the JS files into ATS using a GNN explainer. AdCPG achieved an accuracy of 98.75% on the Tranco top-10K websites, demonstrating high performance using only JS content. Upon deployment, AdCPG identified 650 JS files from 500 domains that were not detected by any ATS filter lists and previous ATS classification tools. AdCPG plays a complementary role in identifying ATS resources while providing code-level explanations, which minimizes the engineering effort required to validate ATS classification results.

关键词： web tracking web advertising code property graph graph neural networks explainable AI

来源：评论

学校读者我要写书评

暂无评论

codeSAGE: A multi-feature fusion vulnerability detection approach using code attribute graphs and attention mechanisms

引用

JOURNAL OF INFORMATION SECURITY AND APPLICATIONS 2025年 89卷

作者： Zhang, Guodong Yao, Tianyu Qin, Jiawei Li, Yitao Ma, Qiao Sun, Donghong Shenyang Aerosp Univ Sch Comp Shenyang 110000 Liaoning Peoples R China Tsinghua Univ Inst Network Sci & Cyberspace Beijing 100084 Peoples R China Coordinat Ctr China Natl Comp Network Emergency Response Tech Team Beijing 100029 Peoples R China Liaoning Branch Co Coordinat Ctr China Natl Comp Network Emergency Response Tech Team Dalian 116021 Liaoning Peoples R China

Software supply chain security is a critical aspect of modern computer security, with vulnerabilities being a significant threats. Identifying and patching these vulnerabilities promptly can significantly reduce security risks. Traditional detection methods cannot fully capture the complex structure of source code, leading to low accuracy. The neural network capacity limits machine learning-based methods, hindering effective feature extraction and impacting performance. In this paper, we propose a multi-feature fusion vulnerability detection technique called codeSAGE. The method utilizes the code property graph (CPG)1 to comprehensively display multiple logical structural relationships in the source code and combine it with graphSAGE to aggregate the information of neighboring nodes in CPG to extract local features of the source code. Meanwhile, a Bi-LSTM combined with the attention mechanism is utilized to capture long-range dependencies in the logical structure of the source code and extract global features. The attention mechanism is used to assign weights to the two features, which are then fused to represent the syntactic and semantic information of the source code for vulnerability detection. A method for simplifying the CPG is proposed to mitigate the impact of graph size on model runtime and reduce redundant feature information. Irrelevant nodes are removed by weighting different edge types and filtering nodes exceeding a certain threshold, reducing the CPG size. To verify the effectiveness of codeSAGE, comparative experiments are conducted on the SARD and codeXGLUE datasets. The experimental results show that the CPG size can be reduced by 25%-45% using the simplified method, with an average time reduction of 20% per training round. Detection accuracy reached 99.12% on the SARD dataset and 73.57% on the codeXGLUE dataset, outperforming the comparison methods.

关键词： Software supply chain security code property graph Simplification Vulnerability detection Feature fusion

来源：评论

学校读者我要写书评

暂无评论

A New Framework for Software Vulnerability Detection Based on an Advanced Computing

引用

Computers, Materials & Continua 2024年第6期79卷 3699-3723页

作者： Bui Van Cong Cho Do Xuan Department of Information Technology University of Economics and Technical IndustriesHanoi100000Vietnam Faculty of Information Security Posts and Telecommunications Institute of TechnologyHanoi100000Vietnam

The detection of software vulnerabilities written in C and C++languages takes a lot of attention and interest *** paper proposes a new framework called DrCSE to improve software vulnerability *** uses an intelligent computation technique based on the combination of two methods:Rebalancing data and representation learning to analyze and evaluate the code property graph(CPG)of the source code for detecting abnormal behavior of software *** do that,DrCSE performs a combination of 3 main processing techniques:(i)building the source code feature profiles,(ii)rebalancing data,and(iii)contrastive *** which,the method(i)extracts the source code’s features based on the vertices and edges of the *** method of rebalancing data has the function of supporting the training process by balancing the experimental ***,contrastive learning techniques learn the important features of the source code by finding and pulling similar ones together while pushing the outliers *** experiment part of this paper demonstrates the superiority of the DrCSE Framework for detecting source code security vulnerabilities using the Verum *** a result,the method proposed in the article has brought a pretty good performance in all metrics,especially the Precision and Recall scores of 39.35%and 69.07%,respectively,proving the efficiency of the DrCSE *** performs better than other approaches,with a 5%boost in Precision and a 5%boost in ***,this is considered the best research result for the software vulnerability detection problem using the Verum dataset according to our survey to date.

关键词： Source code vulnerability source code vulnerability detection code property graph feature profile contrastive learning data rebalancing

来源：评论

学校读者我要写书评

暂无评论

Securing code With Context: Enhancing Vulnerability Detection Through Contextualized graph Representations

引用

IEEE ACCESS 2024年 12卷 142101-142126页

作者： Rozi, Muhammad Fakhrur Ban, Tao Ozawa, Seiichi Yamada, Akira Takahashi, Takeshi Inoue, Daisuke Natl Inst Informat & Commun Technol Koganei 1848795 Japan Kobe Univ Grad Sch Engn Kobe 6578501 Japan Kobe Univ Ctr Math & Data Sci Kobe 6578501 Japan

Detecting source code vulnerabilities is a critical challenge in secure software development. Early identification of vulnerabilities ensures that software performance and security remain uncompromised. However, existing vulnerability detection methods often struggle to capture the semantic meaning of source code, particularly for vulnerability types that require a deeper understanding of code flow and context. This work addresses this challenge by introducing ContextCPG, a novel enhancement of the code property graph (CPG) representation. ContextCPG augments the CPG by incorporating additional information about variable names and data types within the source code. Our approach combines natural language processing analysis with graph-based analysis to capture a richer context surrounding the source code, relying on both the structural features of the graph representation and the naming, type, and value of nodes as natural language analysis. These additional features enhance the capability of graph neural network models to capture the semantic meaning of the source code and better detect vulnerabilities. We evaluate ContextCPG by applying it to three selected C/C++ vulnerabilities (buffer overflow, invalid input, and use-after-free) and comparing its performance against CPGs. The evaluation results reveal that ContextCPG consistently outperforms the CPG on all vulnerability types, demonstrating an average accuracy increase of 8%. ContextCPG showcases the value of providing supplementary information within the graph representation, consistently enhancing vulnerability detection efficacy.

关键词： Vulnerability detection code property graph source code representation graph neural network Vulnerability detection code property graph source code representation graph neural network

来源：评论

学校读者我要写书评

暂无评论

建议与咨询留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

时间限定

文献类型

馆藏选择

核心期刊

语言

文献类型

帮助

文字说明：

检索规则说明：

检索范例：

分类表

所选分类

限定检索结果

文献类型

馆藏范围

日期分布

学科分类号

主题

机构

作者

语言

请选择保存的检索档案：

请选择收藏分类：

通借通还

建议与咨询 留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

时间限定

文献类型

馆藏选择

核心期刊

语言

文献类型

帮助

文字说明：

检索规则说明：

检索范例：

分类表

所选分类

限定检索结果

文献类型

馆藏范围

日期分布

学科分类号

主题

机构

作者

语言

请选择保存的检索档案： 新增检索档案 确定 取消

请选择收藏分类： 新增自定义分类 确定 取消

通借通还

建议与咨询留下您的常用邮箱和电话号码，以便我们向您反馈解决方案和替代方法

请选择保存的检索档案：

请选择收藏分类：