基于雙向數(shù)據(jù)流分析與圖抽象嵌入的漏洞檢測方法

打開文本圖片集

關(guān)鍵詞：深度學(xué)習(xí)；漏洞檢測；數(shù)據(jù)流分析；圖神經(jīng)網(wǎng)絡(luò)；網(wǎng)絡(luò)安全

中圖分類號：TP319 文獻(xiàn)標(biāo)志碼：A 文章編號：1001-3695（2025）07-034-2176-08

doi：10.19734/j. issn.1001-3695.2024.10.0436

Abstract：Ascyberatacksandcybercrimesbecome increasinglysevere，theaccuracyandcomprehensivenessofsoftware vulnerabilitydetection faces significant challenges.To addressissuessuch as the dificultyofcapturing complex semanticsof interproceduralVulnerabilies，theincompleteanalysisofdataflowinformation，andthechallengesinextractingvulnerability paternfeatures，thispaperintroducedabidirectionaldataflowanalysis vulnerabilitydetectionmethodbasedonLLVMIRand Bi-GGNN—BiG-BiD（Bi-GGNNbasedonbidirectionalDFA）.Firstly，it generatedLLVMIRbycompiling sourcecode with LLVM，andconstructedanICFG（interproceduralcontrolflowgaph）toincorporateinterproceduralvulnerabilitysemantics.In addition，this paper proposeda novelICFG abstract embedding method，called DLAE （DFA line-level abstract embedding）， combiningabstractdataflowwithLLVMIRline-levelvulnerabilityfeatureembeddngtoaccuratelyrepresenpotentialvulnerabilitypatersinhecode.Finally，ittrainedBi-GGNNtodynamicallsimulatereachingdefinitionanalysisandlivevariable analysis withintheICFG，enableddynamic propagationandupdatingof abstractdataflows.ExperimentalresultsontheBigVul and Reveal public datasets show that BiG-BiD achieves a recall rate of 73.7% ，outperforming existing static analysis tools and deep learning-based vulnerability detection models by 5%～38% . Additionally，this method successfully detects 23 CVE vulnerabilitiesacrossfouropen-source projects，，thathaveneverseenbefore，，1Oof the vulnerabilitiesremainunpatched，demonstrating the effctivenessand generalization of the proposed method on vulnerability detection tasks.

KeyWords：deep learning；vulnerability detection；data flow analysis；GNN；cyber security

0 引言

近年來，高級持續(xù)性威脅（APT）攻擊頻發(fā)"，網(wǎng)絡(luò)空間安全已然成為國家安全不可或缺的核心部分，更是推動新時代經(jīng)濟高質(zhì)量發(fā)展的戰(zhàn)略基石。（剩余19121字）