MANDO: Multi-level heterogeneous graph embeddings for fine-grained detection of smart contract vulnerabilities

Learning heterogeneous graphs consisting of different types of nodes and edges enhances the results of homogeneous graph techniques. An interesting example of such graphs is control-flow graphs representing possible software code execution flows. As such graphs represent more semantic information of...

Full description

Saved in:
Bibliographic Details
Main Authors: NGUYEN, Huu Hoang, NGUYEN, Nhat Minh, XIE, Chunyao, AHMADI, Zahra, KUDENKO, Daniel, DOAN, Thanh Nam, JIANG, Lingxiao
Format: text
Language:English
Published: Institutional Knowledge at Singapore Management University 2022
Subjects:
Online Access:https://ink.library.smu.edu.sg/sis_research/7627
https://ink.library.smu.edu.sg/context/sis_research/article/8630/viewcontent/dsaa22mando.pdf
Tags: Add Tag
No Tags, Be the first to tag this record!
Institution: Singapore Management University
Language: English
id sg-smu-ink.sis_research-8630
record_format dspace
spelling sg-smu-ink.sis_research-86302023-01-10T04:01:08Z MANDO: Multi-level heterogeneous graph embeddings for fine-grained detection of smart contract vulnerabilities NGUYEN, Huu Hoang NGUYEN, Nhat Minh XIE, Chunyao AHMADI, Zahra KUDENKO, Daniel DOAN, Thanh Nam JIANG, Lingxiao Learning heterogeneous graphs consisting of different types of nodes and edges enhances the results of homogeneous graph techniques. An interesting example of such graphs is control-flow graphs representing possible software code execution flows. As such graphs represent more semantic information of code, developing techniques and tools for such graphs can be highly beneficial for detecting vulnerabilities in software for its reliability. However, existing heterogeneous graph techniques are still insufficient in handling complex graphs where the number of different types of nodes and edges is large and variable. This paper concentrates on the Ethereum smart contracts as a sample of software codes represented by heterogeneous contract graphs built upon both control-flow graphs and call graphs containing different types of nodes and links. We propose MANDO, a new heterogeneous graph representation to learn such heterogeneous contract graphs' structures. MANDO extracts customized metapaths, which compose relational connections between different types of nodes and their neighbors. Moreover, it develops a multi-metapath heterogeneous graph attention network to learn multi-level embeddings of different types of nodes and their metapaths in the heterogeneous contract graphs, which can capture the code semantics of smart contracts more accurately and facilitate both fine-grained line-level and coarse-grained contract-level vulnerability detection. Our extensive evaluation of large smart contract datasets shows that MANDO improves the vulnerability detection results of other techniques at the coarse-grained contract level. More importantly, it is the first learning-based approach capable of identifying vulnerabilities at the fine-grained line-level, and significantly improves the traditional code analysis-based vulnerability detection approaches by 11.35% to 70.81% in terms of F1-score. 2022-10-01T07:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/7627 info:doi/10.48550/arXiv.2208.13252 https://ink.library.smu.edu.sg/context/sis_research/article/8630/viewcontent/dsaa22mando.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University heterogeneous graphs graph embedding graph neural networks vulnerability detection smart contracts Ethereum blockchain Information Security Software Engineering
institution Singapore Management University
building SMU Libraries
continent Asia
country Singapore
Singapore
content_provider SMU Libraries
collection InK@SMU
language English
topic heterogeneous graphs
graph embedding
graph neural networks
vulnerability detection
smart contracts
Ethereum blockchain
Information Security
Software Engineering
spellingShingle heterogeneous graphs
graph embedding
graph neural networks
vulnerability detection
smart contracts
Ethereum blockchain
Information Security
Software Engineering
NGUYEN, Huu Hoang
NGUYEN, Nhat Minh
XIE, Chunyao
AHMADI, Zahra
KUDENKO, Daniel
DOAN, Thanh Nam
JIANG, Lingxiao
MANDO: Multi-level heterogeneous graph embeddings for fine-grained detection of smart contract vulnerabilities
description Learning heterogeneous graphs consisting of different types of nodes and edges enhances the results of homogeneous graph techniques. An interesting example of such graphs is control-flow graphs representing possible software code execution flows. As such graphs represent more semantic information of code, developing techniques and tools for such graphs can be highly beneficial for detecting vulnerabilities in software for its reliability. However, existing heterogeneous graph techniques are still insufficient in handling complex graphs where the number of different types of nodes and edges is large and variable. This paper concentrates on the Ethereum smart contracts as a sample of software codes represented by heterogeneous contract graphs built upon both control-flow graphs and call graphs containing different types of nodes and links. We propose MANDO, a new heterogeneous graph representation to learn such heterogeneous contract graphs' structures. MANDO extracts customized metapaths, which compose relational connections between different types of nodes and their neighbors. Moreover, it develops a multi-metapath heterogeneous graph attention network to learn multi-level embeddings of different types of nodes and their metapaths in the heterogeneous contract graphs, which can capture the code semantics of smart contracts more accurately and facilitate both fine-grained line-level and coarse-grained contract-level vulnerability detection. Our extensive evaluation of large smart contract datasets shows that MANDO improves the vulnerability detection results of other techniques at the coarse-grained contract level. More importantly, it is the first learning-based approach capable of identifying vulnerabilities at the fine-grained line-level, and significantly improves the traditional code analysis-based vulnerability detection approaches by 11.35% to 70.81% in terms of F1-score.
format text
author NGUYEN, Huu Hoang
NGUYEN, Nhat Minh
XIE, Chunyao
AHMADI, Zahra
KUDENKO, Daniel
DOAN, Thanh Nam
JIANG, Lingxiao
author_facet NGUYEN, Huu Hoang
NGUYEN, Nhat Minh
XIE, Chunyao
AHMADI, Zahra
KUDENKO, Daniel
DOAN, Thanh Nam
JIANG, Lingxiao
author_sort NGUYEN, Huu Hoang
title MANDO: Multi-level heterogeneous graph embeddings for fine-grained detection of smart contract vulnerabilities
title_short MANDO: Multi-level heterogeneous graph embeddings for fine-grained detection of smart contract vulnerabilities
title_full MANDO: Multi-level heterogeneous graph embeddings for fine-grained detection of smart contract vulnerabilities
title_fullStr MANDO: Multi-level heterogeneous graph embeddings for fine-grained detection of smart contract vulnerabilities
title_full_unstemmed MANDO: Multi-level heterogeneous graph embeddings for fine-grained detection of smart contract vulnerabilities
title_sort mando: multi-level heterogeneous graph embeddings for fine-grained detection of smart contract vulnerabilities
publisher Institutional Knowledge at Singapore Management University
publishDate 2022
url https://ink.library.smu.edu.sg/sis_research/7627
https://ink.library.smu.edu.sg/context/sis_research/article/8630/viewcontent/dsaa22mando.pdf
_version_ 1770576406377398272