摘要
当前大部分基于深度学习的漏洞检测模型,通常以整个文件或函数作为输入,检测粒度较粗,存在准确率低下、可扩展性差等挑战.为了应对这些挑战并提升漏洞检测技术的性能,同时针对静态切片方法在发现特定执行条件下的漏洞存在不足的问题,提出了一种基于动态切片与预训练模型的代码漏洞检测方法.通过动态切片获取包含路径特征的语句块,借助CodeBERT预训练模型的语义提取能力将具有语义特征和路径特征的动态切片结果表示成二维张量;将代码结构和语义特征编码成灰度图像中的像素值,借助Swin Transformer的特征提取能力,以此更准确地进行漏洞检测.实验数据表明本文的方法取得了较好的效果,可降低误报率和漏报率,同时提高漏洞检测的准确性和可靠性.
The current majority of deep learning-based vulnerability detection models typically take entire files or functions as input,exhibiting coarse granularity and facing challenges such as low accuracy and poor scalability.In order to overcome these challenges and enhance the performance of vulnerability detection technology,especially addressing the limitations of static slicing methods in identifying vulnerabilities under specific execution conditions,a method based on dynamic slicing and pre-trained models for code vulnerability detection is proposed.Dynamic slicing is employed to obtain statement blocks containing path features,and the semantic extraction capability of the CodeBERT pre-trained model is utilized to represent the dynamic slicing results with both semantic and path features as a two-dimensional tensor.The code structure and semantic features are encoded into pixel values in a grayscale image.Leveraging the feature extraction capabilities of the Swin Transformer,the proposed method allows for more accurate vulnerability detection.Experimental data indicates that the proposed approach achieves favorable results,reducing both false positives and false negatives,thereby improving the accuracy and reliability of vulnerability detection.
作者
嵇友晴
卢跃
潘世文
张迎周
谢金言
JI Youqing;LU Yue;PAN Shiwen;ZHANG Yingzhou;XIE Jinyan(School of Computer Science,Nanjing University of Posts and Telecommunications,Nanjing 210023,China)
出处
《小型微型计算机系统》
CSCD
北大核心
2024年第6期1529-1536,共8页
Journal of Chinese Computer Systems
基金
国家自然科学基金项目(62272214)资助。
