
Static vulnerability detection based on class separation

Chunyong Zhang, Yang Xin

Journal of Systems and Software (2023)

Abstract
Software vulnerability detection is a key step to prevent the system from being attacked. However, tens of thousands of codes have brought great challenges to engineers, so we urgently need an automatic and intelligent vulnerability detection method. The existing vulnerability detection model based on deep learning has the problem that it is difficult to separate the features of vulnerable and neutral code. Based on the code data drive, this paper proposes a static vulnerability detection method SDV (Statically Detecting Vulnerability) for C/C++ programs. SDV is a function-level vulnerability code detection method. This paper uses a code property graph to represent the code and decouples the feature extractor and the classifier. In the graph feature extraction stage, we use Jump Graph Attention Network layers and convolutional pooling layers. Their combination can not only prevent the over-smoothing problem but also separate the sample classes deeply. Finally, on the chrdeb dataset, SDV outperforms state-of-the-art function-level vulnerability detection methods by 52.3%, 15.9%, and 39.6% in Precision, Recall, and F1-Score, respectively. On the real project sard, the number of vulnerabilities detected by SDV is 10.7 times more than Reveal. © 2023 Elsevier Inc. All rights reserved.
Key words
Vulnerability detection, Code property graph, Jump structure, Graph attention network, Class separation