Tongxin xuebao (Nov 2021)
Research on context-aware Android application vulnerability detection
Abstract
The vulnerability detection model of Android application based on learning lacks semantic features.The extracted features contain noise data unrelated to vulnerabilities, which leads to the false positive of vulnerability detection model.A feature extraction method based on code information slice (CIS) was proposed.Compared with the abstract syntax tree (AST) feature method, the proposed method could extract the variable information directly related to vulnerabilities more accurately and avoid containing too much noise data.It contained semantic information of vulnerabilities.Based on CIS and BI-LSTM with attention mechanism, a context-aware Android application vulnerability detection model VulDGArcher was proposed.For the problem that the Android vulnerability data set was not easy to obtain, a data set containing 41 812 code fragments including the implicit Intent security vulnerability and the bypass PendingIntent permission audit vulnerability was built.There were 16 218 code fragments of vulnerability.On this data set, VulDGArcher’s detection accuracy can reach 96%, which is higher than the deep learning vulnerability detection model based on AST features and APP source code features.
