MANDO: Multi-level heterogeneous graph embeddings for fine-grained detection of smart contract vulnerabilities

Author

Huu Hoang NGUYEN, Singapore Management UniversityFollow
Nhat Minh NGUYEN, Singapore Management UniversityFollow
Chunyao XIE
Zahra AHMADI
Daniel KUDENKO
Thanh Nam DOAN, Singapore Management UniversityFollow
Lingxiao JIANG, Singapore Management UniversityFollow

Publication Type

Conference Proceeding Article

Version

submittedVersion

Publication Date

10-2022

Abstract

Learning heterogeneous graphs consisting of different types of nodes and edges enhances the results of homogeneous graph techniques. An interesting example of such graphs is control-flow graphs representing possible software code execution flows. As such graphs represent more semantic information of code, developing techniques and tools for such graphs can be highly beneficial for detecting vulnerabilities in software for its reliability. However, existing heterogeneous graph techniques are still insufficient in handling complex graphs where the number of different types of nodes and edges is large and variable. This paper concentrates on the Ethereum smart contracts as a sample of software codes represented by heterogeneous contract graphs built upon both control-flow graphs and call graphs containing different types of nodes and links. We propose MANDO, a new heterogeneous graph representation to learn such heterogeneous contract graphs' structures. MANDO extracts customized metapaths, which compose relational connections between different types of nodes and their neighbors. Moreover, it develops a multi-metapath heterogeneous graph attention network to learn multi-level embeddings of different types of nodes and their metapaths in the heterogeneous contract graphs, which can capture the code semantics of smart contracts more accurately and facilitate both fine-grained line-level and coarse-grained contract-level vulnerability detection. Our extensive evaluation of large smart contract datasets shows that MANDO improves the vulnerability detection results of other techniques at the coarse-grained contract level. More importantly, it is the first learning-based approach capable of identifying vulnerabilities at the fine-grained line-level, and significantly improves the traditional code analysis-based vulnerability detection approaches by 11.35% to 70.81% in terms of F1-score.

Keywords

heterogeneous graphs, graph embedding, graph neural networks, vulnerability detection, smart contracts, Ethereum blockchain

Discipline

Information Security | Software Engineering

Research Areas

Software and Cyber-Physical Systems

Publication

Proceedings of the 9th IEEE International Conference on Data Science and Advanced Analytics

Identifier

10.48550/arXiv.2208.13252

Publisher

IEEE

City or Country

Virtual Event

Citation

NGUYEN, Huu Hoang; NGUYEN, Nhat Minh; XIE, Chunyao; AHMADI, Zahra; KUDENKO, Daniel; DOAN, Thanh Nam; and JIANG, Lingxiao. MANDO: Multi-level heterogeneous graph embeddings for fine-grained detection of smart contract vulnerabilities. (2022). Proceedings of the 9th IEEE International Conference on Data Science and Advanced Analytics.
Available at: https://ink.library.smu.edu.sg/sis_research/7627

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.

Additional URL

http://doi.org/10.48550/arXiv.2208.13252