Silent Vulnerability-fixing Commit Identification Based on Graph Neural Networks
- URL: http://arxiv.org/abs/2309.08225v1
- Date: Fri, 15 Sep 2023 07:51:39 GMT
- Title: Silent Vulnerability-fixing Commit Identification Based on Graph Neural Networks
- Authors: Hieu Dinh Vo, Thanh Trong Vu, and Son Nguyen
- Abstract summary: VFFINDER is a graph-based approach for automated silent vulnerability fix identification.
VFFINDER distinguishes vulnerability-fixing commits from non-fixing ones using attention-based graph neural network models.
Our results show that VFFINDER significantly improves the state-of-the-art methods by 272-420% in Precision, 22-70% in Recall, and 3.2X-8.2X in F1.
- Score: 4.837912059099674
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: The growing dependence of software projects on external libraries has raised concerns about the security of these libraries because of concealed vulnerabilities. Handling these vulnerabilities is difficult due to the delay between remediation and public disclosure. Furthermore, a substantial fraction of open-source projects silently address vulnerabilities without any formal notification, complicating vulnerability management. Established solutions like OWASP predominantly rely on public announcements, limiting their effectiveness in uncovering undisclosed vulnerabilities. To address this challenge, the automated identification of vulnerability-fixing commits has come to the forefront. In this paper, we present VFFINDER, a novel graph-based approach for automated silent vulnerability fix identification. VFFINDER captures structural changes using Abstract Syntax Trees (ASTs) and represents them in annotated ASTs (aASTs). To precisely capture the meaning of code changes, the changed code is represented together with the related unchanged code: VFFINDER captures the structure of both the changed code and the related unchanged code, and the structural changes are represented in the aAST. VFFINDER distinguishes vulnerability-fixing commits from non-fixing ones using attention-based graph neural network models to extract the structural features expressed in aASTs. We conducted experiments to evaluate VFFINDER on a dataset of 11K+ vulnerability-fixing commits in 507 real-world C/C++ projects. Our results show that VFFINDER significantly improves on the state-of-the-art methods by 272-420% in Precision, 22-70% in Recall, and 3.2X-8.2X in F1. In particular, VFFINDER speeds up the silent fix identification process by up to 121% with the same review effort of 50K LOC compared to the existing approaches.
Related papers
- Exploring Automatic Cryptographic API Misuse Detection in the Era of LLMs [60.32717556756674]
  This paper introduces a systematic evaluation framework to assess Large Language Models in detecting cryptographic misuses.
  Our in-depth analysis of 11,940 LLM-generated reports highlights that the inherent instabilities in LLMs can lead to over half of the reports being false positives.
  The optimized approach achieves a remarkable detection rate of nearly 90%, surpassing traditional methods and uncovering previously unknown misuses in established benchmarks.
  arXiv Detail & Related papers (2024-07-23T15:31:26Z)
- Coarse-to-Fine Proposal Refinement Framework for Audio Temporal Forgery Detection and Localization [60.899082019130766]
  We introduce a frame-level detection network (FDN) and a proposal refinement network (PRN) for audio temporal forgery detection and localization.
  FDN aims to mine informative inconsistency cues between real and fake frames to obtain discriminative features that are beneficial for roughly indicating forgery regions.
  PRN is responsible for predicting confidence scores and regression offsets to refine the coarse-grained proposals derived from the FDN.
  arXiv Detail & Related papers (2024-07-23T15:07:52Z)
- FoC: Figure out the Cryptographic Functions in Stripped Binaries with LLMs [54.27040631527217]
  We propose a novel framework called FoC to Figure out the Cryptographic functions in stripped binaries.
  FoC-BinLLM outperforms ChatGPT by 14.61% on the ROUGE-L score.
  FoC-Sim outperforms the previous best methods with a 52% higher Recall@1.
  arXiv Detail & Related papers (2024-03-27T09:45:33Z)
- Vignat: Vulnerability identification by learning code semantics via graph attention networks [6.433019933439612]
  We propose Vignat, a novel attention-based framework for identifying vulnerabilities by learning graph-level semantic representations of code.
  We represent code with fine-grained code property graphs (CPGs) and use graph attention networks (GATs) for vulnerability detection.
  arXiv Detail & Related papers (2023-10-30T22:31:38Z)
- CompVPD: Iteratively Identifying Vulnerability Patches Based on Human Validation Results with a Precise Context [16.69634193308039]
  It is challenging to apply security patches in open source software in a timely manner because notifications of patches are often incomplete and delayed.
  We propose a multi-granularity slicing algorithm and an adaptive-expanding algorithm to accurately identify code related to the patches.
  We empirically compare CompVPD with four state-of-the-art/practice (SOTA) approaches in identifying vulnerability patches.
  arXiv Detail & Related papers (2023-10-04T02:08:18Z)
- VFFINDER: A Graph-based Approach for Automated Silent Vulnerability-Fix Identification [4.837912059099674]
  VFFINDER is a graph-based approach for automated silent vulnerability fix identification.
  It distinguishes vulnerability-fixing commits from non-fixing ones using attention-based graph neural network models.
  Our results show that VFFINDER significantly improves the state-of-the-art methods by 39-83% in Precision, 19-148% in Recall, and 30-109% in F1.
  arXiv Detail & Related papers (2023-09-05T05:55:18Z)
- Multi-Granularity Detector for Vulnerability Fixes [13.653249890867222]
  We propose MiDas (Multi-Granularity Detector for Vulnerability Fixes) to identify vulnerability-fixing commits.
  MiDas constructs different neural networks for each level of code change granularity, corresponding to commit-level, file-level, hunk-level, and line-level.
  MiDas outperforms the current state-of-the-art baseline in terms of AUC by 4.9% and 13.7% on Java and Python-based datasets.
  arXiv Detail & Related papers (2023-05-23T10:06:28Z)
- VELVET: a noVel Ensemble Learning approach to automatically locate VulnErable sTatements [62.93814803258067]
  This paper presents VELVET, a novel ensemble learning approach to locate vulnerable statements in source code.
  Our model combines graph-based and sequence-based neural networks to successfully capture the local and global context of a program graph.
  VELVET achieves 99.6% and 43.6% top-1 accuracy over synthetic data and real-world data, respectively.
  arXiv Detail & Related papers (2021-12-20T22:45:27Z)
- Software Vulnerability Detection via Deep Learning over Disaggregated Code Graph Representation [57.92972327649165]
  This work explores a deep learning approach to automatically learn the insecure patterns from code corpora.
  Because code naturally admits graph structures with parsing, we develop a novel graph neural network (GNN) to exploit both the semantic context and structural regularity of a program.
  arXiv Detail & Related papers (2021-09-07T21:24:36Z)
- Multi-context Attention Fusion Neural Network for Software Vulnerability Identification [4.05739885420409]
  We propose a deep learning model that learns to detect some of the common categories of security vulnerabilities in source code efficiently.
  The model builds an accurate understanding of code semantics with far fewer learnable parameters.
  The proposed AI achieves 98.40% F1-score on specific CWEs from the benchmarked NIST SARD dataset.
  arXiv Detail & Related papers (2021-04-19T11:50:36Z)
- Suppressing Uncertainties for Large-Scale Facial Expression Recognition [81.51495681011404]
  This paper proposes a simple yet efficient Self-Cure Network (SCN) which suppresses the uncertainties efficiently and prevents deep networks from over-fitting uncertain facial images.
  Results on public benchmarks demonstrate that our SCN outperforms current state-of-the-art methods with 88.14% on RAF-DB, 60.23% on AffectNet, and 89.35% on FERPlus.
  arXiv Detail & Related papers (2020-02-24T17:24:36Z)
This list is automatically generated from the titles and abstracts of the papers in this site.