Dual-granularity lightweight vulnerability code slice quality evaluation method

Abstract

The invention discloses a dual-granularity lightweight vulnerability code slice quality evaluation method, and belongs to the technical field of information security. The method comprises the following steps: classifying and preprocessing vulnerability code slice samples; segmenting code slices by using different granularities of words and characters of a window; establishing an evaluation feature vector; calculating the code slice statistical characteristics, and establishing a slice data set; establishing a lightweight assessment model; inputting the slice data set into the lightweight assessment model, and outputting assessment features and assessment indexes. According to the method, code slices are segmented through multiple sizes of windows at word and character levels, a vulnerability detection vector space is constructed by using statistical features, and implicit vulnerability features in the code slices are extracted, so that the problem of embedding of unregistered words in a vulnerability detection technology based on the code slices is solved, a heterogeneous integrated lightweight assessment model is constructed, and the evaluation features and the multi-dimensional evaluation indexes are output to replace a black box model in the traditional technology, so the research, development and iteration efficiency of a code slicing method by researchers is improved.

Description

Technical field [0001] The present invention relates to the field of information security technology, in particular a two-granular lightweight vulnerability code slice mass assessment method. Background technique [0002] Vulnerability code slice, by breaking down the large-scale project source code, contains only a smaller code slice of the vulnerability related code, eliminating interference of the disconnect detection results in complex software items. The validity of the new method of vulnerability code slice needs to be proven by model assessment. [0003] In the existing vulnerability detection scenario, the code slice method evaluation technology is divided into coding model assessment technology, machine learning model assessment technology, deep learning model assessment technology three categories: coding model assessment technology mainly uses Word2Vec, phrase bags, TF-IDF and other models; Machine learning model assessment technology mainly uses models such as support...

AI Technical Summary

Problems solved by technology

[0005] 1. Incomplete extraction of code slice information: Traditional machine learning models such as support vector machines and random forests have fast convergence speed and small memory footprint

However, code slices in the form of text need to go through a complex word embedding process to serve as input to such models

Deep learning solutions such as ELMo and Bert integrate the word embedding process themselves, but training requires a large amount of labeled data and high-performance computing support, and a certain amount of model fine-tuning time is required when using it

[0006] 2. High technical complexity and poor generalization ability: Solving the word embedding problem is the premise of inventing the vulnerability code slice quality assessment technology

Its technical means sacrifices the interpretability of the original code and loses the semantic information of code slicing. Researchers can only judge whether the new slicing method is effective based on the black-box evaluation model, but cannot obtain why the new method is effective and how to improve the new method. Relevant information, it is difficult to clarify the direction of manual verification and improvement

Images