MANDO: Multi-Level Heterogeneous Graph Embeddings for Fine-Grained Detection of Smart Contract Vulnerabilities

Hoang H. Nguyen; Nhat Minh Nguyen; Chunyao Xie; Zahra Ahmadi; Daniel Kudendo; Thanh Nam Doan; Lingxiao Jiang

doi:10.1109/DSAA54385.2022.10032337

MANDO: Multi-Level Heterogeneous Graph Embeddings for Fine-Grained Detection of Smart Contract Vulnerabilities

Hoang H. Nguyen^*, Nhat Minh Nguyen, Chunyao Xie, Zahra Ahmadi, Daniel Kudendo, Thanh Nam Doan, Lingxiao Jiang

^*Korrespondierende*r Autor*in für diese Arbeit

Forschungszentrum L3S

Singapore Management University

Publikation: Beitrag in Buch/Bericht/Sammelwerk/Konferenzband › Aufsatz in Konferenzband › Forschung › Peer-Review

Abstract

Learning heterogeneous graphs consisting of different types of nodes and edges enhances the results of homogeneous graph techniques. An interesting example of such graphs is control-flow graphs representing possible software code execution flows. As such graphs represent more semantic information of code, developing techniques and tools for such graphs can be highly beneficial for detecting vulnerabilities in software for its reliability. However, existing heterogeneous graph techniques are still insufficient in handling complex graphs where the number of different types of nodes and edges is large and variable. This paper concentrates on the Ethereum smart contracts as a sample of software codes represented by heterogeneous contract graphs built upon both control-flow graphs and call graphs containing different types of nodes and links. We propose MANDO, a new heterogeneous graph representation to learn such heterogeneous contract graphs' structures. MANDO extracts customized meta-paths, which compose relational connections between different types of nodes and their neighbors. Moreover, it develops a multi-metapath heterogeneous graph attention network to learn multi-level embeddings of different types of nodes and their metapaths in the heterogeneous contract graphs, which can capture the code semantics of smart contracts more accurately and facilitate both fine-grained line-level and coarse-grained contract-level vulnerability detection. Our extensive evaluation of large smart contract datasets shows that MANDO improves the vulnerability detection results of other techniques at the coarse-grained contract level. More importantly, it is the first learning-based approach capable of identifying vulnerabilities at the fine-grained line-level, and significantly improves the traditional code analysis-based vulnerability detection approaches by 11.35% to 70.81% in terms of F1-score.

Originalsprache	Englisch
Titel des Sammelwerks	2022 IEEE 9th International Conference on Data Science and Advanced Analytics
Untertitel	(DSAA)
Herausgeber/-innen	Joshua Zhexue Huang, Yi Pan, Barbara Hammer, Muhammad Khurram Khan, Xing Xie, Laizhong Cui, Yulin He
Herausgeber (Verlag)	Institute of Electrical and Electronics Engineers Inc.
ISBN (elektronisch)	9781665473309
ISBN (Print)	978-1-6654-7331-6
DOIs	https://doi.org/10.1109/DSAA54385.2022.10032337
Publikationsstatus	Veröffentlicht - 2022
Veranstaltung	9th IEEE International Conference on Data Science and Advanced Analytics, DSAA 2022 - Shenzhen, China Dauer: 13 Okt. 2022 → 16 Okt. 2022

Konferenz

Konferenz	9th IEEE International Conference on Data Science and Advanced Analytics, DSAA 2022
Land/Gebiet	China
Ort	Shenzhen
Zeitraum	13 Okt. 2022 → 16 Okt. 2022

ASJC Scopus Sachgebiete

Artificial intelligence
Maschinelles Sehen und Mustererkennung
Hardware und Architektur
Information systems
Informationssysteme und -management

Zugriff auf Dokument

10.1109/DSAA54385.2022.10032337

https://arxiv.org/abs/2208.13252Lizenz: CC BY-NC-SA 4.0

Andere Dateien und Links

Verknüpfung zur Publikation in Scopus

Graph representation learning for security analytics in decentralized software systems and social networks
Nguyen, H. H., 16 Mai 2024, 135 S.
Publikation: Qualifikations-/Studienabschlussarbeit › Dissertation

Open Access

Dieses zitieren

Nguyen, H. H., Nguyen, N. M., Xie, C., Ahmadi, Z., Kudendo, D., Doan, T. N., & Jiang, L. (2022). MANDO: Multi-Level Heterogeneous Graph Embeddings for Fine-Grained Detection of Smart Contract Vulnerabilities. in J. Z. Huang, Y. Pan, B. Hammer, M. K. Khan, X. Xie, L. Cui, & Y. He (Hrsg.), 2022 IEEE 9th International Conference on Data Science and Advanced Analytics: (DSAA) Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/DSAA54385.2022.10032337

Nguyen, Hoang H. ; Nguyen, Nhat Minh ; Xie, Chunyao et al. / MANDO : Multi-Level Heterogeneous Graph Embeddings for Fine-Grained Detection of Smart Contract Vulnerabilities. 2022 IEEE 9th International Conference on Data Science and Advanced Analytics: (DSAA). Hrsg. / Joshua Zhexue Huang ; Yi Pan ; Barbara Hammer ; Muhammad Khurram Khan ; Xing Xie ; Laizhong Cui ; Yulin He. Institute of Electrical and Electronics Engineers Inc., 2022.

@inproceedings{97532956609f44a784b8a930ca0a9144,

title = "MANDO: Multi-Level Heterogeneous Graph Embeddings for Fine-Grained Detection of Smart Contract Vulnerabilities",

abstract = "Learning heterogeneous graphs consisting of different types of nodes and edges enhances the results of homogeneous graph techniques. An interesting example of such graphs is control-flow graphs representing possible software code execution flows. As such graphs represent more semantic information of code, developing techniques and tools for such graphs can be highly beneficial for detecting vulnerabilities in software for its reliability. However, existing heterogeneous graph techniques are still insufficient in handling complex graphs where the number of different types of nodes and edges is large and variable. This paper concentrates on the Ethereum smart contracts as a sample of software codes represented by heterogeneous contract graphs built upon both control-flow graphs and call graphs containing different types of nodes and links. We propose MANDO, a new heterogeneous graph representation to learn such heterogeneous contract graphs' structures. MANDO extracts customized meta-paths, which compose relational connections between different types of nodes and their neighbors. Moreover, it develops a multi-metapath heterogeneous graph attention network to learn multi-level embeddings of different types of nodes and their metapaths in the heterogeneous contract graphs, which can capture the code semantics of smart contracts more accurately and facilitate both fine-grained line-level and coarse-grained contract-level vulnerability detection. Our extensive evaluation of large smart contract datasets shows that MANDO improves the vulnerability detection results of other techniques at the coarse-grained contract level. More importantly, it is the first learning-based approach capable of identifying vulnerabilities at the fine-grained line-level, and significantly improves the traditional code analysis-based vulnerability detection approaches by 11.35% to 70.81% in terms of F1-score.",

keywords = "Ethereum blockchain, graph embedding, graph neural networks, heterogeneous graphs, smart contracts, vulnerability detection",

author = "Nguyen, {Hoang H.} and Nguyen, {Nhat Minh} and Chunyao Xie and Zahra Ahmadi and Daniel Kudendo and Doan, {Thanh Nam} and Lingxiao Jiang",

note = "Funding Information: This work was supported by the European Unions Horizon 2020 research and innovation program under grant agreement No. 833635 (project ROXANNE: Real-time network, text, and speaker analytics for combating organized crime, 2019-2022) and by the Singapore Ministry of Education (MOE) Academic Research Fund (AcRF) Tier 1 grant ; 9th IEEE International Conference on Data Science and Advanced Analytics, DSAA 2022 ; Conference date: 13-10-2022 Through 16-10-2022",

year = "2022",

doi = "10.1109/DSAA54385.2022.10032337",

language = "English",

isbn = "978-1-6654-7331-6",

editor = "Huang, {Joshua Zhexue} and Yi Pan and Barbara Hammer and Khan, {Muhammad Khurram} and Xing Xie and Laizhong Cui and Yulin He",

booktitle = "2022 IEEE 9th International Conference on Data Science and Advanced Analytics",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

address = "United States",

}

Nguyen, HH, Nguyen, NM, Xie, C, Ahmadi, Z, Kudendo, D, Doan, TN & Jiang, L 2022, MANDO: Multi-Level Heterogeneous Graph Embeddings for Fine-Grained Detection of Smart Contract Vulnerabilities. in JZ Huang, Y Pan, B Hammer, MK Khan, X Xie, L Cui & Y He (Hrsg.), 2022 IEEE 9th International Conference on Data Science and Advanced Analytics: (DSAA). Institute of Electrical and Electronics Engineers Inc., 9th IEEE International Conference on Data Science and Advanced Analytics, DSAA 2022, Shenzhen, China, 13 Okt. 2022. https://doi.org/10.1109/DSAA54385.2022.10032337

MANDO: Multi-Level Heterogeneous Graph Embeddings for Fine-Grained Detection of Smart Contract Vulnerabilities. / Nguyen, Hoang H.; Nguyen, Nhat Minh; Xie, Chunyao et al.
2022 IEEE 9th International Conference on Data Science and Advanced Analytics: (DSAA). Hrsg. / Joshua Zhexue Huang; Yi Pan; Barbara Hammer; Muhammad Khurram Khan; Xing Xie; Laizhong Cui; Yulin He. Institute of Electrical and Electronics Engineers Inc., 2022.

Publikation: Beitrag in Buch/Bericht/Sammelwerk/Konferenzband › Aufsatz in Konferenzband › Forschung › Peer-Review

TY - GEN

T1 - MANDO

T2 - 9th IEEE International Conference on Data Science and Advanced Analytics, DSAA 2022

AU - Nguyen, Hoang H.

AU - Nguyen, Nhat Minh

AU - Xie, Chunyao

AU - Ahmadi, Zahra

AU - Kudendo, Daniel

AU - Doan, Thanh Nam

AU - Jiang, Lingxiao

N1 - Funding Information: This work was supported by the European Unions Horizon 2020 research and innovation program under grant agreement No. 833635 (project ROXANNE: Real-time network, text, and speaker analytics for combating organized crime, 2019-2022) and by the Singapore Ministry of Education (MOE) Academic Research Fund (AcRF) Tier 1 grant

PY - 2022

Y1 - 2022

N2 - Learning heterogeneous graphs consisting of different types of nodes and edges enhances the results of homogeneous graph techniques. An interesting example of such graphs is control-flow graphs representing possible software code execution flows. As such graphs represent more semantic information of code, developing techniques and tools for such graphs can be highly beneficial for detecting vulnerabilities in software for its reliability. However, existing heterogeneous graph techniques are still insufficient in handling complex graphs where the number of different types of nodes and edges is large and variable. This paper concentrates on the Ethereum smart contracts as a sample of software codes represented by heterogeneous contract graphs built upon both control-flow graphs and call graphs containing different types of nodes and links. We propose MANDO, a new heterogeneous graph representation to learn such heterogeneous contract graphs' structures. MANDO extracts customized meta-paths, which compose relational connections between different types of nodes and their neighbors. Moreover, it develops a multi-metapath heterogeneous graph attention network to learn multi-level embeddings of different types of nodes and their metapaths in the heterogeneous contract graphs, which can capture the code semantics of smart contracts more accurately and facilitate both fine-grained line-level and coarse-grained contract-level vulnerability detection. Our extensive evaluation of large smart contract datasets shows that MANDO improves the vulnerability detection results of other techniques at the coarse-grained contract level. More importantly, it is the first learning-based approach capable of identifying vulnerabilities at the fine-grained line-level, and significantly improves the traditional code analysis-based vulnerability detection approaches by 11.35% to 70.81% in terms of F1-score.

AB - Learning heterogeneous graphs consisting of different types of nodes and edges enhances the results of homogeneous graph techniques. An interesting example of such graphs is control-flow graphs representing possible software code execution flows. As such graphs represent more semantic information of code, developing techniques and tools for such graphs can be highly beneficial for detecting vulnerabilities in software for its reliability. However, existing heterogeneous graph techniques are still insufficient in handling complex graphs where the number of different types of nodes and edges is large and variable. This paper concentrates on the Ethereum smart contracts as a sample of software codes represented by heterogeneous contract graphs built upon both control-flow graphs and call graphs containing different types of nodes and links. We propose MANDO, a new heterogeneous graph representation to learn such heterogeneous contract graphs' structures. MANDO extracts customized meta-paths, which compose relational connections between different types of nodes and their neighbors. Moreover, it develops a multi-metapath heterogeneous graph attention network to learn multi-level embeddings of different types of nodes and their metapaths in the heterogeneous contract graphs, which can capture the code semantics of smart contracts more accurately and facilitate both fine-grained line-level and coarse-grained contract-level vulnerability detection. Our extensive evaluation of large smart contract datasets shows that MANDO improves the vulnerability detection results of other techniques at the coarse-grained contract level. More importantly, it is the first learning-based approach capable of identifying vulnerabilities at the fine-grained line-level, and significantly improves the traditional code analysis-based vulnerability detection approaches by 11.35% to 70.81% in terms of F1-score.

KW - Ethereum blockchain

KW - graph embedding

KW - graph neural networks

KW - heterogeneous graphs

KW - smart contracts

KW - vulnerability detection

UR - http://www.scopus.com/inward/record.url?scp=85143075291&partnerID=8YFLogxK

U2 - 10.1109/DSAA54385.2022.10032337

DO - 10.1109/DSAA54385.2022.10032337

M3 - Conference contribution

AN - SCOPUS:85143075291

SN - 978-1-6654-7331-6

BT - 2022 IEEE 9th International Conference on Data Science and Advanced Analytics

A2 - Huang, Joshua Zhexue

A2 - Pan, Yi

A2 - Hammer, Barbara

A2 - Khan, Muhammad Khurram

A2 - Xie, Xing

A2 - Cui, Laizhong

A2 - He, Yulin

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 13 October 2022 through 16 October 2022

ER -

Nguyen HH, Nguyen NM, Xie C, Ahmadi Z, Kudendo D, Doan TN et al. MANDO: Multi-Level Heterogeneous Graph Embeddings for Fine-Grained Detection of Smart Contract Vulnerabilities. in Huang JZ, Pan Y, Hammer B, Khan MK, Xie X, Cui L, He Y, Hrsg., 2022 IEEE 9th International Conference on Data Science and Advanced Analytics: (DSAA). Institute of Electrical and Electronics Engineers Inc. 2022 doi: 10.1109/DSAA54385.2022.10032337

MANDO: Multi-Level Heterogeneous Graph Embeddings for Fine-Grained Detection of Smart Contract Vulnerabilities

Abstract

Konferenz

ASJC Scopus Sachgebiete

Zugriff auf Dokument

Andere Dateien und Links

Publikationen

Graph representation learning for security analytics in decentralized software systems and social networks

Dieses zitieren