Abstract:
Code similarity is one promising approach to detecting vulnerabilities hidden in software programs. However, due to the complexity and diversity of source code, current methods suffer from low accuracy, high false negatives and poor performance, especially when analyzing a large program. In this paper, we propose to tackle these problems by presenting VulDetector, a static-analysis tool that detects C/C++ vulnerabilities based on graph comparison at the granularity of functions. At the core of VulDetector is a weighted feature graph (WFG) model, which characterizes a function with a small yet semantically rich graph. It first pinpoints vulnerability-sensitive keywords to slice the control flow graph of a function, thereby reducing the graph size without compromising security-related semantics. Then, each sliced subgraph is characterized using WFG, which provides both syntactic and semantic features in varying degrees of security. As for graph comparison, we make full use of the vulnerability graph and the patch graph to improve accuracy. In addition, we propose two optimization methods based on analysis of vulnerabilities. We have implemented VulDetector to automatically detect vulnerabilities in software programs with known vulnerabilities. The experimental results prove the effectiveness and efficiency of VulDetector.
Published in: IEEE Transactions on Information Forensics and Security (Volume: 16)

Chinese Academy of Science, Institute of Information Engineering, Beijing, China
Lei Cui (Member, IEEE) received the Ph.D. degree in computer software and theory from Beihang University in 2015. He is currently an Associate Professor with the Institute of Information Engineering, Chinese Academy of Sciences. He has published over 30 papers in journals and conferences, including IEEE Transactions on Parallel and Distributed Systems (TPDS), IEEE Transactions on Services Computing (TSC), RAID, VEE, LISA, DSN, and The Computer Journal. His research interests include operating systems, system security, and system virtualization.

Chinese Academy of Science, Institute of Information Engineering, Beijing, China
Zhiyu Hao received the Ph.D. degree in computer system architecture from the Harbin Institute of Technology in 2007. He is currently a Professor with the Institute of Information Engineering, Chinese Academy of Sciences. He has published over 40 papers in journals and conferences, including IEEE Transactions on Parallel and Distributed Systems (TPDS), ICPP, IEEE S&P, ICA3PP, and CLUSTER. His research interests include network security, system virtualization, and network emulation.

Chinese Academy of Science, Institute of Information Engineering, Beijing, China
School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China
Yang Jiao received the master’s degree from the Institute of Information Engineering, Chinese Academy of Sciences. Her research interests include network security and software security.

Chinese Academy of Science, Institute of Information Engineering, Beijing, China
School of Cyber Security, University of Chinese Academy of Sciences, Beijing, China
Haiqiang Fei received the master’s degree from the Institute of Computing Technology, Chinese Academy of Sciences, where he is currently pursuing the Ph.D. degree with the Institute of Information Engineering. His research interests include network emulation and network security.

Chinese Academy of Science, Institute of Information Engineering, Beijing, China
Xiaochun Yun received the Ph.D. degree from the Harbin Institute of Technology in 1998. He is currently a Full Professor with the Institute of Information Engineering, Chinese Academy of Sciences, China. He also works with the National Computer Network Emergency Response Technical Team/Coordination Center of China. He has authored more than 200 papers in refereed journals and conference proceedings. His research interests include network and information security.