Computer Science (计算机科学) ›› 2024, Vol. 51 ›› Issue (12): 326-333. doi: 10.11896/jsjkx.231000174

• Information Security •

Fine-grained Vulnerability Detection Based on Hierarchical Attention Networks and Integral Gradients (title translated from the Chinese)

LI Qiuyue1,3, HAN Daojun1,2, ZHANG Lei1, XU Tao1

  1 School of Computer and Information Engineering, Henan University, Kaifeng, Henan 475004, China
  2 Henan Engineering Research Center of Intelligent Technology and Application, Kaifeng, Henan 475004, China
  3 School of Computer and Artificial Intelligence, Henan Finance University, Zhengzhou 450002, China
  • Received: 2023-10-25  Revised: 2024-04-04  Online: 2024-12-15  Published: 2024-12-10
  • Corresponding author: HAN Daojun (hdj@henu.edu.cn)
  • Supported by:
    University Young Core Instructor Foundation of Henan Province (2020GGJS027), National Natural Science Foundation of China (42371433) and Key Science and Technology Program of Henan Province (232102240020, 232102211056)

Fine-grained Vulnerability Detection Based on Hierarchical Attention Networks and Integral Gradients

LI Qiuyue1,3, HAN Daojun1,2, ZHANG Lei1, XU Tao1   

  1 School of Computer and Information Engineering, Henan University, Kaifeng, Henan 475004, China
  2 Henan Engineering Research Center of Intelligent Technology and Application, Henan University, Kaifeng, Henan 475004, China
  3 School of Computer and Artificial Intelligence, Henan Finance University, Zhengzhou 450002, China
  • Received: 2023-10-25  Revised: 2024-04-04  Online: 2024-12-15  Published: 2024-12-10
  • About author: LI Qiuyue, born in 1998, postgraduate. Her main research interests include information security and blockchain.
    HAN Daojun, born in 1979, Ph.D, professor, is a member of CCF (No.28531). His main research interests include information security and blockchain.
  • Supported by:
    University Young Core Instructor Foundation of Henan Province (2020GGJS027), National Natural Science Foundation of China (42371433) and Key Science and Technology Program of Henan Province (232102240020, 232102211056).

Abstract (Chinese version, translated): Smart contracts are decentralized applications that run on blockchain platforms and are widely used in many fields such as digital currency, the Internet of Things and supply chains. Research on smart contract vulnerability detection is of great importance for securing digital assets and maintaining the reliability and stability of contracts. One of the current mainstream lines of research uses deep learning models to learn code features automatically and detect smart contract vulnerabilities; it achieves high accuracy but is limited in explaining vulnerabilities and cannot provide fine-grained vulnerability information. To address the problems that current deep learning-based smart contract vulnerability detection models cannot effectively provide fine-grained vulnerability explanations and that fine-grained labels are lacking, a fine-grained vulnerability detection method based on hierarchical attention networks and integrated gradients is proposed. A hierarchical attention network is used for coarse-grained vulnerability detection: two attention layers form a word attention encoding layer and a function attention encoding layer, which learn the function-level and contract-level representations of the source code respectively so as to attend to different tokens and statements of the code. The integrated gradients method is then used for fine-grained explanation, computing the contribution of each code statement to the vulnerability prediction in order to obtain the vulnerable statements related to the vulnerability, which achieves word-level and statement-level vulnerability explanation without statement-level labels. Experimental results on the real Ethereum datasets SmartbugsWilds, SmartbugsCurated and SolidiFIBenchmark show that the method achieves an average accuracy of over 80% on five vulnerability types and improves vulnerability explanation accuracy by 6%, locating vulnerable code more accurately and helping developers review contracts.

Keywords (Chinese version, translated): Smart contract, Vulnerability detection, Attention mechanism, Integrated gradients

Abstract: Smart contracts are decentralized applications that run on blockchain platforms and are widely used in many fields, including digital currencies, the Internet of Things, and supply chains. Research on vulnerability detection in smart contracts is of great importance for securing digital assets and maintaining the reliability and stability of contracts. One of the current mainstream research directions uses deep learning models to learn code features automatically and detect vulnerabilities in smart contracts. It achieves high accuracy, but it is limited in vulnerability interpretation and cannot provide fine-grained vulnerability information. To address the problems that current deep learning-based smart contract vulnerability detection models cannot effectively provide fine-grained vulnerability explanations and that fine-grained labels are lacking, a fine-grained vulnerability detection method based on hierarchical attention networks and integrated gradients is proposed. A hierarchical attention network is used for coarse-grained vulnerability detection: a word attention encoding layer and a function attention encoding layer, built from two attention layers, learn the function-level and contract-level representations of the source code respectively, attending to the various tokens and statements of the code. The integrated gradients method is then used to provide fine-grained explanations, computing the contribution of each code statement to the vulnerability prediction in order to identify the vulnerable statements related to the vulnerability, which yields word-level and statement-level vulnerability interpretation without statement-level labels. Experimental results on the real Ethereum datasets SmartbugsWilds, SmartbugsCurated and SolidiFIBenchmark show that the proposed method achieves an average accuracy of more than 80% on five vulnerability types, with a 6% improvement in the accuracy of vulnerability interpretation, so it can locate vulnerable code more accurately and help developers review contracts.

Key words: Smart contract, Vulnerability detection, Attention mechanism, Integrated gradients
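The statement-level explanation the abstract describes, as an added pure-Python illustration that is not the paper's model or code: a two-level additive-attention classifier (token → statement → contract, a simplification of the paper's token/function/contract hierarchy) scores a constructed toy contract, integrated gradients with an all-zero baseline attribute the prediction to each token, and the token scores are summed per statement so that no statement labels are needed; `completeness_gap` is the sanity check that the attributions add up to f(x) - f(baseline). The embeddings and weights are hand-picked stand-ins for trained parameters, so the ranking they produce is illustrative only.

```python
import math, re

# Constructed toy input (not the paper's data): one Solidity-like function, one statement per line.
STATEMENTS = [
    "function withdraw(uint amount) public {",
    "require(balances[msg.sender] >= amount);",
    'msg.sender.call{value: amount}("");',
    "balances[msg.sender] -= amount;",
    "}",
]
# Hand-picked stand-ins for trained parameters: 3-dim token embeddings, attention vectors, logistic output.
VOCAB, DEFAULT = {"call": [1.0, 0.0, 0.0], "require": [0.0, 1.0, 0.0]}, [0.0, 0.0, 0.1]
U_WORD, U_STMT, W_OUT, B_OUT = [2.0, 1.0, 0.0], [2.0, 1.0, 0.0], [12.0, -4.0, 1.0], -0.5

def embed(statements):
    return [[list(VOCAB.get(t, DEFAULT)) for t in re.findall(r"\w+|[^\w\s]", s)] for s in statements]

def attend(vecs, u):
    # Additive attention: softmax over u . tanh(v), then the attention-weighted sum of vecs.
    scores = [sum(ui * math.tanh(vi) for ui, vi in zip(u, v)) for v in vecs]
    w = [math.exp(s - max(scores)) for s in scores]
    return [sum(wi * v[k] for wi, v in zip(w, vecs)) / sum(w) for k in range(len(u))]

def model(emb):
    # Hierarchical attention: tokens -> statement vectors -> contract vector -> P(vulnerable).
    c = attend([attend(toks, U_WORD) for toks in emb], U_STMT)
    return 1.0 / (1.0 + math.exp(-(sum(w * x for w, x in zip(W_OUT, c)) + B_OUT)))

def integrated_gradients(emb, steps=32, h=1e-5):
    # IG, zero baseline: x * path-average of df/dx (midpoint Riemann sum, central differences), per token.
    attr = [[0.0] * len(toks) for toks in emb]
    for i in range(steps):
        pt = [[[(i + 0.5) / steps * x for x in v] for v in toks] for toks in emb]
        for j, toks in enumerate(pt):
            for t, v in enumerate(toks):
                for k, x0 in enumerate(v):
                    v[k] = x0 + h; fp = model(pt)
                    v[k] = x0 - h; fm = model(pt)
                    v[k] = x0
                    attr[j][t] += emb[j][t][k] * (fp - fm) / (2 * h) / steps
    return attr

def statement_scores(statements):
    # Statement-level explanation without statement labels: sum each statement's token attributions.
    return [sum(row) for row in integrated_gradients(embed(statements))]

def completeness_gap(statements):
    # Check worth running on any IG output: attributions must sum to f(x) - f(baseline), so ~0.
    emb = embed(statements)
    return sum(statement_scores(statements)) - (model(emb) - model([[[0.0] * 3 for _ in t] for t in emb]))
```

Under these stand-in weights `statement_scores(STATEMENTS)` ranks the external-call statement highest and the `require` statement lowest; with a real trained model the same aggregation is what turns token attributions into the statement-level explanation.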

CLC number: TP391