Sequential Graph Neural Networks for Source Code Vulnerability Identification

TL;DR

This paper introduces a new curated dataset for C/C++ source code vulnerabilities and a novel sequential graph neural network framework that achieves state-of-the-art results in vulnerability identification.

Contribution

The paper presents a curated dataset CVEFGE from the CVE database and a new sequential graph neural network model SEGNN for improved vulnerability detection.

Findings

SEGNN outperforms baseline methods in vulnerability classification

CVEFGE dataset enhances model training and evaluation

State-of-the-art results achieved on two datasets

Abstract

Vulnerability identification constitutes a task of high importance for cyber security. It is quite helpful for locating and fixing vulnerable functions in large applications. However, this task is rather challenging owing to the absence of reliable and adequately managed datasets and learning models. Existing solutions typically rely on human expertise to annotate datasets or specify features, which is prone to error. In addition, the learning models have a high rate of false positives. To bridge this gap, in this paper, we present a properly curated C/C++ source code vulnerability dataset, denoted as CVEFunctionGraphEmbeddings (CVEFGE), to aid in developing models. CVEFGE is automatically crawled from the CVE database, which contains authentic and publicly disclosed source code vulnerabilities. We also propose a learning framework based on graph neural networks, denoted SEquential Graph Neural Network (SEGNN) for learning a large number of code semantic representations. SEGNN consists of a sequential learning module, graph convolution, pooling, and fully connected layers. Our evaluations on two datasets and four baseline methods in a graph classification setting demonstrate state-of-the-art results.