C source code vulnerability detection method based on Bert model and BiLSTM

Abstract

A C source code vulnerability detection method based on a Bert model and BiLSTM comprises the steps that software source codes are analyzed, a control dependency graph and a data dependency graph are constructed, the codes are sliced according to the control dependency relation and the data dependency relation between the codes, slice-level code blocks are generated, then the generated code blocks are subjected to data cleaning and preprocessing, and each generated code block is labeled to distinguish whether the code block contains vulnerability information or not. Secondly, the processed code blocks serve as a training set to be input into the Bert pre-training model to conduct fine adjustment on the standard Bert model, and a new Bert model is obtained; and the code blocks are input into a new Bert model to learn semantic information and context relationships between codes in an unsupervised manner, and word embedding coding is performed on the code blocks to obtain word vectors with maximized code semantic information and context relationships. And finally, the obtained word vector is input into BiLSTM to train a detection model, and a source code vulnerability detection model is obtained. The vulnerability detection accuracy can be improved, and the false alarm rate can be reduced.

Description

technical field [0001] The invention relates to a software source code loophole detection method, in particular to a C source code loophole detection method based on Bert model and BiLSTM. Background technique [0002] Most of the network attack security incidents that occur in current life are mostly based on various software vulnerabilities in the device software. Software vulnerabilities refer to software defects caused by software developers during the development stage due to factors such as technical problems and lack of experience. Defects exist throughout the entire phase of software deployment and operation. Therefore, attackers can use exploit tools to attack the target system based on such software vulnerabilities at any time or place, extract administrator privileges, obtain system data and command and control privileges to disrupt the normal operation of the system or obtain economic benefits. Purpose. [0003] The existing relatively mature vulnerability mini...

AI Technical Summary

Problems solved by technology

Therefore, in the process of generating word vectors, semantic information will inevitably be missing, which will affect the detection accuracy of the model.

Patent CN201911363149 uses semi-supervised learning technology, uses labeled data and unlabeled data as training data, and directly inputs code elements into the ELMo model to predict whether the source code contains vulnerability information. Although it saves code processing time, due to ELMo The model needs to set the parameters of each layer in the downstream of the training, because it can only encode a single word, and there is no negative sampling process, so it cannot guarantee a high detection accuracy

Patent CN202

Images