一种改进ASTNN网络的PHP代码漏洞挖掘方法

doi:10.19665/j.issn1001-2400.2020.06.023

Abstract

Abstract:

In order to solve the problems of low efficiency and high false positives of the traditional PHP vulnerability mining technology, a deep neural network mining method based on the ASTNN is proposed. At the same time, this method is also used to solve the problem of high false positives of the existing neural network model with the token sequence and software metrics as features. First, according to the characteristics of the PHP abstract syntax tree, the rules for dividing statement trees are defined. Second, according to the special structure of the PHP abstract syntax tree, improvements are made to the encoding layer of the traditional ASTNN deep neural network to better preserve the semantic information contained in the abstract syntax tree. Experimental results show that the PHP vulnerability mining method based on the improved ASTNN model has a higher accuracy and recall rate than the traditional method. The improved ASTNN deep neural network model is suitable for PHP vulnerability mining.

Key words: abstract syntax tree, deep learning, recurrent neural network, vulnerability mining

CLC Number:

TP311.5

HU Jianwei,ZHAO Wei,CUI Yanpeng,CUI Junjie. PHP code vulnerability mining technology based on theimproved ASTNN[J].Journal of Xidian University, 2020, 47(6): 164-173.

Figures/Tables 9

References 18

[1]	ZAPPONI C. GitHut - Programming Languages and GitHub[EB/OL]. [2019-12-17]. https://githut.info/.
[2]	Q-SUCCESS W3Techs - World Wide Web Technology Surveys [EB/OL]. [2019-12-17]. https://w3techs.com/
[3]	BACKES M, RIECK K, SKORUPPA M, et al. Efficient and Flexible Discovery of Php Application Vulnerabilities[C]// Proceedings of the 2017 2nd IEEE European Symposium on Security and Privacy. Piscataway: IEEE, 2017: 334-349.
[4]	EXPLOIT DATABASE Exploit Database Statistics[EB/OL] . [2019-12-17]. https://www.exploit-db.com/exploit-database-statistics.
[5]	YAN X X, WANG Q X, MA H T. Path Sensitive Static Analysis of Taint-style Vulnerabilities in PHP Code[C]// Proceedings of the 2017 17th IEEE International Conference on Communication Technology. Piscataway: IEEE, 2017: 1382-1386.
[6]	BUJA G, JALIL K B A, ALI F B H M, et al. Detection Model for SQL Injection Attack: An Approach for Preventing A Web Application from the SQL Injection Attack[C]// Proceedings of the 2014 IEEE Symposium on Computer Applications and Industrial Electronics. Piscataway: IEEE, 2015: 60-64.
[7]	LAL H, PAHWA G. Code Review Analysis of Software System Using Machine Learning Techniques[C]// Proceedings of the 2017 11th International Conference on Intelligent Systems and Control. Piscataway: IEEE, 2017: 8-13.
[8]	ANBIYA D R, PURWARIANTI A, ASNAR Y. Vulnerability Detection in PHP Web Application Using Lexical Analysis Approach with Machine Learning[C]// Proceedings of the 2018 5th International Conference on Data and Software Engineering. Piscataway: IEEE, 2018: 8705809.
[9]	YAMAGUCHI F, GOLDE N, ARP D, et al. Modeling and Discovering Vulnerabilities with Code Property Graphs[C]// Proceedings of the 2014 IEEE Symposium on Security and Privacy. Piscataway: IEEE, 2014: 590-604.
[10]	ALON U, ZILBERSTEIN M, LEVY O, et al. A General Path-based Representation for Predicting Program Properties[J]. ACM SIGPLAN Notices, 2018, 53(4): 404-419. doi: 10.1145/3296979.3192412
[11]	ALON U, ZILBERSTEIN M, LEVY O, et al. Code2vec: Learning Distributed Representations of Code[J]. Proceedings of the ACM on Programming Languages, 2019, 3(POPL): 1-29.
[12]	LI Y, WANG S, NGUYEN T N, et al. Improving Bug Detection Via Context-based Code Representation Learning and Attention-based Neural Networks[C]// Proceedings of the 2019 ACM on Programming Languages. New York: ACM, 2019: A162.
[13]	WEI H H, LI M. Supervised Deep Features for Software Functional Clone Detection by Exploiting Lexical and Syntactical Information in Source Code[C]// Proceedings of the 2017 26th International Joint Conference on Artificial Intelligence. Melbourne: International Joint Conferences on Artificial Intelligence, 2017: 3034-3040.
[14]	SHIDO Y, KOBAYASHI Y, YAMAMOTO A, et al. Automatic Source Code Summarization with Extended Tree-LSTM[C]// Proceedings of the 2019 International Joint Conference on Neural Networks. Piscataway: IEEE, 2019: 8851751.
[15]	MOU L, LI G, ZHANG L, et al. Convolutional Neural Networks over Tree Structures for Programming Language Processing[C]// Proceedings of the 2016 30th AAAI Conference on Artificial Intelligence. Palo Alto: AAAI Press, 2016: 1287-1293.
[16]	ZHANG J, WANG X, ZHANG H, et al. A Novel Neural Source Code Representation Based on Abstract Syntax Tree[C]// Proceedings of the 2019 International Conference on Software Engineering. Washington: IEEE Computer Society, 2019: 783-794.
[17]	WHITE M, TUFANO M, VENDOME C, et al. Deep Learning Code Fragments for Code Clone Detection[C]// Proceedings of the 2016 31st IEEE/ACM International Conference on Automated Software Engineering. New York: ACM, 2016: 87-98.
[18]	STIVALET B, FONG E. Large Scale Generation of Complex and Faulty PHP Test Cases[C]// Proceedings of the 2016 IEEE International Conference on Software Testing, Verification and Validation. Piscataway: IEEE, 2016: 409-415.

组号	漏洞	正样本	负样本	总量
1	SQL注入	912	1 824	2 736
2	命令执行	624	1 248	1 872
3	跨站脚本	4 352	5 728	10 080
4	XPath注入	1 264	2 528	3 792
5	混合漏洞	2 048	4 096	6 144

漏洞	算法	准确率/%	召回率/%	F1值
SQL注入	SVM	77.74	48.11	75.81
	LSTM	60.25	60.89	80.23
	A_ASTNN	99.64	100.0	99.53
命令执行	SVM	88.83	84.64	83.46
	LSTM	89.23	82.16	86.15
	A_ASTNN	100.0	100.0	100.0
跨站脚本	SVM	60.02	52.98	53.41
	LSTM	70.36	67.35	69.23
	A_ASTNN	94.84	88.07	93.66
Xpath注入	SVM	96.58	95.07	95.41
	LSTM	98.23	96.74	96.20
	A_ASTNN	99.20	97.89	98.93

PHP code vulnerability mining technology based on theimproved ASTNN

RichHTML

PDF (PC)

Like

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 9

References 18

Related Articles 15

Metrics

Comments

Recommended 10

[1]	LIU Jiawei,ZHANG Wenhui,KOU Xiaoli,LI Yanni. Harnessing adversarial examples via input denoising and hidden information restoring [J]. Journal of Xidian University, 2021, 48(6): 23-31.
[2]	LI Peng,FENG Cunqian,XU Xuguang,TANG Zixiang. Ballistic target fretting classification network based on Bayesian optimization [J]. Journal of Xidian University, 2021, 48(5): 139-148.
[3]	YAN Jia,CAO Yudong,REN Jiaxing,CHEN Donghao,LI Xiaohui. Deep asymmetric compression Hashing algorithm [J]. Journal of Xidian University, 2021, 48(5): 212-221.
[4]	NING Yang,DU Jianchao,HAN Shuo,YANG Chuankai. Fire segmentation based on the improved DeeplabV3+ and the analytical method for fire development [J]. Journal of Xidian University, 2021, 48(5): 38-46.
[5]	ZHOU Peng,YANG Jun. Semantic segmentation of remote sensing images based on neural architecture search [J]. Journal of Xidian University, 2021, 48(5): 47-57.
[6]	QI Yanjun,KONG Yueping,WANG Jiajing,ZHU Xudong. Gait recognition method combining LSTM and CNN [J]. Journal of Xidian University, 2021, 48(5): 78-85.
[7]	SONG Jianfeng,MIAO Qiguang,WANG Chongxiao,XU Hao,YANG Jin. Multi-scale single object tracking based on the attention mechanism [J]. Journal of Xidian University, 2021, 48(5): 110-116.
[8]	ZHANG Yuhao,CHENG Peitao,ZHANG Shuhao,WANG Xiumei. Lightweight image super-resolution with the adaptive weight learning network [J]. Journal of Xidian University, 2021, 48(5): 15-22.
[9]	HUI Haisheng,ZHANG Xueying,WU Zelin,LI Fenglian. Method for stroke lesion segmentation using the primary-auxiliary path attention compensation network [J]. Journal of Xidian University, 2021, 48(4): 200-208.
[10]	SUN Haojie,LI Miaoyu,ZHANG Panpan,XU Pengfei. Self-supervised facial asymmetry learning for automatic evaluation of facial paralysis [J]. Journal of Xidian University, 2021, 48(3): 115-122.
[11]	XU Bin,ZHANG Yongshun,ZHANG Qin,WANG Fuping,ZHENG Guimei. Radar HRRP target recognition based on the multiplicative RNN model [J]. Journal of Xidian University, 2021, 48(2): 49-54.
[12]	ZHANG Hua,GAO Haoran,YANG Xingguo,LI Wenmin,GAO Fei,WEN Qiaoyan. TargetedFool:an algorithm for achieving targeted attacks [J]. Journal of Xidian University, 2021, 48(1): 149-159.
[13]	YANG Hongyu,ZENG Renyun. Method for assessment of network security situation with deep learning [J]. Journal of Xidian University, 2021, 48(1): 183-190.
[14]	ZHANG Lu,SUN Rong,LIU Jingwei. Cloned piggybacking framework for distributed storage [J]. Journal of Xidian University, 2020, 47(6): 139-147.
[15]	GUO Liujun,ZHANG Xueying,CHEN Guijun. Deep linear discriminant analysis for two-stage brain-controlled character spelling decoding [J]. Journal of Xidian University, 2020, 47(4): 109-116.