基于双向数据流分析与图抽象嵌入的漏洞检测方法

打开文本图片集

关键词：深度学习；漏洞检测；数据流分析；图神经网络；网络安全

中图分类号：TP319 文献标志码：A 文章编号：1001-3695（2025）07-034-2176-08

doi：10.19734/j. issn.1001-3695.2024.10.0436

Abstract：Ascyberatacksandcybercrimesbecome increasinglysevere，theaccuracyandcomprehensivenessofsoftware vulnerabilitydetection faces significant challenges.To addressissuessuch as the dificultyofcapturing complex semanticsof interproceduralVulnerabilies，theincompleteanalysisofdataflowinformation，andthechallengesinextractingvulnerability paternfeatures，thispaperintroducedabidirectionaldataflowanalysis vulnerabilitydetectionmethodbasedonLLVMIRand Bi-GGNN—BiG-BiD（Bi-GGNNbasedonbidirectionalDFA）.Firstly，it generatedLLVMIRbycompiling sourcecode with LLVM，andconstructedanICFG（interproceduralcontrolflowgaph）toincorporateinterproceduralvulnerabilitysemantics.In addition，this paper proposeda novelICFG abstract embedding method，called DLAE （DFA line-level abstract embedding）， combiningabstractdataflowwithLLVMIRline-levelvulnerabilityfeatureembeddngtoaccuratelyrepresenpotentialvulnerabilitypatersinhecode.Finally，ittrainedBi-GGNNtodynamicallsimulatereachingdefinitionanalysisandlivevariable analysis withintheICFG，enableddynamic propagationandupdatingof abstractdataflows.ExperimentalresultsontheBigVul and Reveal public datasets show that BiG-BiD achieves a recall rate of 73.7% ，outperforming existing static analysis tools and deep learning-based vulnerability detection models by 5%～38% . Additionally，this method successfully detects 23 CVE vulnerabilitiesacrossfouropen-source projects，，thathaveneverseenbefore，，1Oof the vulnerabilitiesremainunpatched，demonstrating the effctivenessand generalization of the proposed method on vulnerability detection tasks.

KeyWords：deep learning；vulnerability detection；data flow analysis；GNN；cyber security

0 引言

近年来，高级持续性威胁（APT）攻击频发"，网络空间安全已然成为国家安全不可或缺的核心部分，更是推动新时代经济高质量发展的战略基石。（剩余19121字）