Abstract
With the explosive development of information technology, vulnerabilities have become one of the major threats to computer security. Most vulnerabilities with similar patterns can be detected effectively by static analysis methods. However, some vulnerable and non-vulnerable code is hardly distinguishable, resulting in low detection accuracy. In this paper, we define the accurate identification of vulnerabilities in similar code as a fine-grained vulnerability detection problem. We propose VulSniper, which is designed to detect fine-grained vulnerabilities more effectively. In VulSniper, an attention mechanism is used to capture the critical features of the vulnerabilities. In particular, we use bottom-up and top-down structures to learn the attention weights of different areas of the program. Moreover, in order to fully extract the semantic features of the program, we generate the code property graph, design a 144-dimensional vector to describe the relation between the nodes, and finally encode the program as a feature tensor. VulSniper achieves F1-scores of 80.6% and 73.3% on the two benchmark datasets, the SARD Buffer Error dataset and the SARD Resource Management Error dataset respectively, which are significantly higher than those of the state-of-the-art methods.