针对现有基于深度学习的漏洞检测方法主要集中在源代码的单一表现形式上,无法完全捕获源代码中包含的丰富语义信息和结构信息,以及大多数方法基于函数粒度,检测样本存在大量与漏洞无关的冗余代码导致检测精度下降的问题,聚焦于智能合约最严重的漏洞之一,即重入漏洞,提出一种基于混合语义的切片级智能合约重入漏洞检测方法SCHyVulDect。根据漏洞特征关键字对智能合约进行切片操作,获得合约切片;构建合约切片的代码图,通过图注意力网络(graph attention network,GAT)提取其深层语义信息。并使用双向长短期记忆网络(bidirec-tional long-short term memory,Bi-LSTM)和注意力机制,提取切片代码的上下文序列特征,将提取的图结构特征和序列特征进行融合,从而进行漏洞检测。实验结果表明,SCHyVulDect检测重入漏洞的精确率、召回率和Fl值分别为96。36%、94。45%、91。70%,比现有的基于深度学习的智能合约漏洞检测方法的精确率提高13。03~18。00个百分点,具有较好的检测效果。
Slice Level Smart Contract Reentrancy Vulnerability Detection Based on Hybrid Semantics
In response to the current deep learning based vulnerability detection methods mainly focusing on a single rep-resentation of the source code,which cannot fully capture the rich semantic and structural information contained in the source code,as well as the fact that most methods are based on function granularity and have a large number of redundant code unrelated to vulnerabilities in the detection samples,resulting in a decrease in detection accuracy,this paper focuses on one of the most serious vulnerabilities of smart contracts,namely reentrancy vulnerabilities,and proposes a slice level smart contract reentrancy vulnerability detection method SCHyVulDetect based on hybrid semantics.This method first performs slicing operations on smart contracts based on vulnerability feature keywords to obtain contract slicing.Then,a code graph of contract slicing is constructed,and its deep semantic information is extracted through the graph attention network(GAT).It also uses the bidirectional long short-term memory(BiLSTM)and attention mechanism to extract the context sequence features of the slicing code,and finally fuses the extracted graph structure features and sequence features for vulnerability detection.The experimental results show that the accuracy,recall,and Fl values of SCHyVulDetect for detecting reentrancy vulnerabilities are 96.36%,94.45%,and 91.70%,respectively,which is 13.03 to 18.00 percentage points higher than the accuracy of existing deep learning based smart contract vulnerability detection methods and has a good detection effect.
万方数据
维普
