Combining Machine Learning with Code Property Graphs
Congratulations to Prof. Dr. Konrad Rieck, Chair of the Machine Learning and Security group at BIFOLD/TU Berlin. Together with his former PhD student Fabian Yamaguchi and the entire team, Konrad Rieck won the Test-of-Time Award at the IEEE Symposium on Security and Privacy for their paper "Modeling and Discovering Vulnerabilities with Code Property Graphs".
In 2013, the team explored how machine learning can be used to find vulnerabilities in software. "When searching for bugs, it is helpful to view the software from different 'angles'. These views may allow for identifying errors in the structure of a program, in the way it processes data, or how it passes on control", explains Konrad Rieck. In the past, these views were mainly analyzed in isolation. In the award-winning paper, the team presents a new combined representation called the Code Property Graph: the software's syntactic structure, its control flow, and its data flow are merged into a single graph, so that one query can traverse all three views at once. "With our graphs, vulnerability patterns can be modeled across different views of software. This has significantly improved the search for vulnerabilities and is particularly useful for machine learning. A learning model can now learn patterns of insecure programming with much more flexibility," states Konrad Rieck. Recently, numerous methods have emerged that combine machine learning with Code Property Graphs. Their research has since led to a spin-off founded by Rieck's former PhD student Fabian Yamaguchi (qwiet.ai) and to the open-source project Joern (https://joern.io).
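To make the "one graph, three views" idea concrete, here is a small added example in Python; it is constructed for this page and is neither the paper's nor Joern's code. It builds a toy Code Property Graph for a hand-written three-line function (the statements, the call names `read_input`, `is_safe` and `exec_cmd`, and the node ids are all made up for the illustration) and then runs a single pattern query that needs all three views: the syntax-tree (AST) edges identify which statements contain a source or sink call, the data-flow edges connect the definition of `cmd` to its uses, and the control-flow edges are searched for a path from definition to sink that never passes a statement containing the sanitizing check.

```python
"""Toy code property graph: AST, CFG and data-flow edges in one graph,
queried together to find unsanitized source-to-sink flows.
Added illustration; not code from the paper or from Joern."""
from collections import defaultdict, deque

AST, CFG, DATA = "AST", "CFG", "DATA"   # the three views merged into one graph


class CPG:
    def __init__(self):
        self.nodes = {}                                    # id -> (kind, code)
        self.out = defaultdict(lambda: defaultdict(list))  # view -> src -> [dst]

    def node(self, nid, kind, code):
        self.nodes[nid] = (kind, code)
        return nid

    def edge(self, view, src, dst):
        self.out[view][src].append(dst)

    def succ(self, view, nid):
        return self.out[view].get(nid, [])

    def subtree(self, nid):
        """All AST descendants of nid, including nid itself (structure view)."""
        seen, todo = [], [nid]
        while todo:
            n = todo.pop()
            seen.append(n)
            todo.extend(self.succ(AST, n))
        return seen

    def calls_in(self, nid, name):
        """Does the AST subtree under nid contain a call to `name`?"""
        return any(self.nodes[n] == ("Call", name) for n in self.subtree(nid))

    def cfg_path_avoiding(self, start, goal, blocked):
        """True if some control-flow path start -> goal visits no blocked node."""
        queue, seen = deque([start]), {start}
        while queue:
            n = queue.popleft()
            if n == goal:
                return True
            for m in self.succ(CFG, n):
                if m not in seen and m not in blocked:
                    seen.add(m)
                    queue.append(m)
        return False


def find_taint_flows(g, source, sink, sanitizer):
    """Pattern spanning all three views: a statement calling `source` (AST)
    defines a value used by a statement calling `sink` (DATA), and control
    can flow between them without passing a `sanitizer` call (CFG)."""
    findings = []
    stmts = [n for n, (kind, _) in g.nodes.items() if kind == "Statement"]
    sanitizing = {s for s in stmts if g.calls_in(s, sanitizer)}
    for src_stmt in stmts:
        if not g.calls_in(src_stmt, source):
            continue
        for use_stmt in g.succ(DATA, src_stmt):       # statements using the value
            if g.calls_in(use_stmt, sink) and \
               g.cfg_path_avoiding(src_stmt, use_stmt, sanitizing):
                findings.append((src_stmt, use_stmt))
    return findings


def build(sanitized):
    """Constructed graph for a toy function (hypothetical C-like code):
        char *cmd = read_input();
        if (!is_safe(cmd)) return;    // only when sanitized=True
        exec_cmd(cmd);
    """
    g = CPG()
    fn = g.node(0, "Function", "handler")
    s1 = g.node(1, "Statement", "char *cmd = read_input();")
    c1 = g.node(2, "Call", "read_input")
    s3 = g.node(5, "Statement", "exec_cmd(cmd);")
    c3 = g.node(6, "Call", "exec_cmd")
    for a, b in [(fn, s1), (s1, c1), (fn, s3), (s3, c3)]:
        g.edge(AST, a, b)                 # structure view
    g.edge(DATA, s1, s3)                  # `cmd` defined in s1, used in s3
    if sanitized:
        s2 = g.node(3, "Statement", "if (!is_safe(cmd)) return;")
        c2 = g.node(4, "Call", "is_safe")
        ret = g.node(7, "Return", "return;")
        g.edge(AST, fn, s2)
        g.edge(AST, s2, c2)
        g.edge(DATA, s1, s2)              # the check also uses `cmd`
        g.edge(CFG, s1, s2)               # control view: def -> check -> sink/return
        g.edge(CFG, s2, s3)
        g.edge(CFG, s2, ret)
    else:
        g.edge(CFG, s1, s3)               # control view: def -> sink directly
    return g


if __name__ == "__main__":
    for flag in (False, True):
        flows = find_taint_flows(build(flag), "read_input", "exec_cmd", "is_safe")
        print("sanitized" if flag else "unsanitized", "->", flows)
```

Running the script reports one flow, from statement 1 to statement 5, for the unsanitized variant and none for the guarded one. Each of the three checks in `find_taint_flows` would be useless on its own (the AST alone cannot tell whether `cmd` reaches the sink, the data-flow edges alone cannot see the guard, and the control-flow edges alone do not know what the statements call); the point of the unified graph is that a single traversal can mix them.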
The IEEE Symposium on Security and Privacy is the oldest and most important conference in computer security. Each year, the "Test-of-Time Award" is given to papers that have significantly influenced research and can be described as groundbreaking. This year, two papers from 2014 were honored with the award.