Search

Your search keyword '"Wu, Xiaoxue"' showing total 470 results
Start Over Author "Wu, Xiaoxue"
470 results on '"Wu, Xiaoxue"'

1. Coca: Improving and Explaining Graph Neural Network-Based Vulnerability Detection Systems

Author

Cao, Sicong, Sun, Xiaobing, Wu, Xiaoxue, Lo, David, Bo, Lili, Li, Bin, and Liu, Wei

Subjects
Computer Science - Cryptography and Security, Computer Science - Software Engineering
Abstract

Recently, Graph Neural Network (GNN)-based vulnerability detection systems have achieved remarkable success. However, the lack of explainability poses a critical challenge to deploy black-box models in security-related domains. For this reason, several approaches have been proposed to explain the decision logic of the detection model by providing a set of crucial statements positively contributing to its predictions. Unfortunately, due to the weakly-robust detection models and suboptimal explanation strategy, they have the danger of revealing spurious correlations and redundancy issue. In this paper, we propose Coca, a general framework aiming to 1) enhance the robustness of existing GNN-based vulnerability detection models to avoid spurious explanations; and 2) provide both concise and effective explanations to reason about the detected vulnerabilities. \sysname consists of two core parts referred to as Trainer and Explainer. The former aims to train a detection model which is robust to random perturbation based on combinatorial contrastive learning, while the latter builds an explainer to derive crucial code statements that are most decisive to the detected vulnerability via dual-view causal inference as explanations. We apply Coca over three typical GNN-based vulnerability detectors. Experimental results show that Coca can effectively mitigate the spurious correlation issue, and provide more useful high-quality explanations., Comment: To appear in the Technical Track of ICSE 2024

Published
2024

2. A Systematic Literature Review on Explainability for Machine/Deep Learning-based Software Engineering Research

Author

Cao, Sicong, Sun, Xiaobing, Widyasari, Ratnadira, Lo, David, Wu, Xiaoxue, Bo, Lili, Zhang, Jiale, Li, Bin, Liu, Wei, Wu, Di, and Chen, Yixin

Subjects
Computer Science - Software Engineering, Computer Science - Artificial Intelligence
Abstract

The remarkable achievements of Artificial Intelligence (AI) algorithms, particularly in Machine Learning (ML) and Deep Learning (DL), have fueled their extensive deployment across multiple sectors, including Software Engineering (SE). However, due to their black-box nature, these promising AI-driven SE models are still far from being deployed in practice. This lack of explainability poses unwanted risks for their applications in critical tasks, such as vulnerability detection, where decision-making transparency is of paramount importance. This paper endeavors to elucidate this interdisciplinary domain by presenting a systematic literature review of approaches that aim to improve the explainability of AI models within the context of SE. The review canvasses work appearing in the most prominent SE & AI conferences and journals, and spans 63 papers across 21 unique SE tasks. Based on three key Research Questions (RQs), we aim to (1) summarize the SE tasks where XAI techniques have shown success to date; (2) classify and analyze different XAI techniques; and (3) investigate existing evaluation approaches. Based on our findings, we identified a set of challenges remaining to be addressed in existing studies, together with a roadmap highlighting potential opportunities we deemed appropriate and important for future work., Comment: submitted to ACM Computing Surveys. arXiv admin note: text overlap with arXiv:2202.06840 by other authors

Published
2024

4. ODDFUZZ: Discovering Java Deserialization Vulnerabilities via Structure-Aware Directed Greybox Fuzzing

Author

Cao, Sicong, He, Biao, Sun, Xiaobing, Ouyang, Yu, Zhang, Chao, Wu, Xiaoxue, Su, Ting, Bo, Lili, Li, Bin, Ma, Chuanlei, Li, Jiajia, and Wei, Tao

Subjects
Computer Science - Cryptography and Security
Abstract

Java deserialization vulnerability is a severe threat in practice. Researchers have proposed static analysis solutions to locate candidate vulnerabilities and fuzzing solutions to generate proof-of-concept (PoC) serialized objects to trigger them. However, existing solutions have limited effectiveness and efficiency. In this paper, we propose a novel hybrid solution ODDFUZZ to efficiently discover Java deserialization vulnerabilities. First, ODDFUZZ performs lightweight static taint analysis to identify candidate gadget chains that may cause deserialization vulner-abilities. In this step, ODDFUZZ tries to locate all candidates and avoid false negatives. Then, ODDFUZZ performs directed greybox fuzzing (DGF) to explore those candidates and generate PoC testcases to mitigate false positives. Specifically, ODDFUZZ applies a structure-aware seed generation method to guarantee the validity of the testcases, and adopts a novel hybrid feedback and a step-forward strategy to guide the directed fuzzing. We implemented a prototype of ODDFUZZ and evaluated it on the popular Java deserialization repository ysoserial. Results show that, ODDFUZZ could discover 16 out of 34 known gadget chains, while two state-of-the-art baselines only identify three of them. In addition, we evaluated ODDFUZZ on real-world applications including Oracle WebLogic Server, Apache Dubbo, Sonatype Nexus, and protostuff, and found six previously unreported exploitable gadget chains with five CVEs assigned., Comment: To appear in the Main Track of IEEE S&P 2023

Published
2023

5. Improving Java Deserialization Gadget Chain Mining via Overriding-Guided Object Generation

Author

Cao, Sicong, Sun, Xiaobing, Wu, Xiaoxue, Bo, Lili, Li, Bin, Wu, Rongxin, Liu, Wei, He, Biao, Ouyang, Yu, and Li, Jiajia

Subjects
Computer Science - Cryptography and Security, Computer Science - Software Engineering
Abstract

Java (de)serialization is prone to causing security-critical vulnerabilities that attackers can invoke existing methods (gadgets) on the application's classpath to construct a gadget chain to perform malicious behaviors. Several techniques have been proposed to statically identify suspicious gadget chains and dynamically generate injection objects for fuzzing. However, due to their incomplete support for dynamic program features (e.g., Java runtime polymorphism) and ineffective injection object generation for fuzzing, the existing techniques are still far from satisfactory. In this paper, we first performed an empirical study to investigate the characteristics of Java deserialization vulnerabilities based on our manually collected 86 publicly known gadget chains. The empirical results show that 1) Java deserialization gadgets are usually exploited by abusing runtime polymorphism, which enables attackers to reuse serializable overridden methods; and 2) attackers usually invoke exploitable overridden methods (gadgets) via dynamic binding to generate injection objects for gadget chain construction. Based on our empirical findings, we propose a novel gadget chain mining approach, \emph{GCMiner}, which captures both explicit and implicit method calls to identify more gadget chains, and adopts an overriding-guided object generation approach to generate valid injection objects for fuzzing. The evaluation results show that \emph{GCMiner} significantly outperforms the state-of-the-art techniques, and discovers 56 unique gadget chains that cannot be identified by the baseline approaches., Comment: To appear in the Technical Track of ICSE 2023

Published
2023

35. Multiple Dynamic Hydrogen Bonding Networks Boost the Mechanical Stability of Flexible Perovskite Solar Cells.

Author

Zhu, Siyuan, Jin, Xi, Tan, Wenyan, Zhang, Yu, Zhao, Guijie, Wang, Xinyue, Yang, Yuxuan, Zhou, Chao, Tang, Zhaoheng, Wu, Xiaoxue, Gong, Xueyuan, Zhu, Cheng, Chen, Qi, Liu, Zonghao, Song, Peng, Li, Minghua, Hu, Jinsong, Liang, Qijie, Ding, Yong, and Jiang, Yan

Abstract

Flexible perovskite solar cells often experience constant or cyclic bending during their service life. Catastrophic failure of devices may occur due to the crack of polycrystalline perovskite films and delamination at the perovskite and the substrate interfaces, posing a significant stability concern. Here, a multiple dynamic hydrogen bonding polymer network is developed to enhance the mechanical strength of flexible perovskite solar cells in two ways. The main chain of poly(acrylic acid) decreases the mismatch of the coefficient of thermal expansion between the perovskite and the substrate by 16.7% through its flexibility and spatial occupation. The dopamine branch chains provide multiple dynamic hydrogen bonding sites, which contribute to increased energy dissipation upon stress deformation and reduce Young's modulus of perovskite by 54.3%. The inverted flexible perovskite solar cells achieve a champion power conversion efficiency of 23.02% and retain 81.3% of the initial PCE over 2000 h under continuous 1‐sun equivalent illumination. Moreover, devices show excellent mechanical stability by remaining 90.2% of the original value after 5000 bending cycles. [ABSTRACT FROM AUTHOR]

Published
2024
Full Text
View/download PDF

37. The influence of different substrates on field emission properties of graphene-diamond composite films.

Author

WEI Qinghong, ZHANG Wen, GUAN Lei, WU Xiaoxue, LIU Huiqiang, WANG Jian, WANG Bing, and XIONG Ying

Abstract

Diamond film is considered as a promising field electron emitter cathode material due to the high thermal conductivity, negative electron affinity, low work function and long-term stability. It is difficult to peel off the diamond film without destroying its structural integrity after the diamond film is deposited on the substrate. Therefore, the diamond film and substrate are generally tested as a whole during the field emission properties measurement. However, there is an interface barrier between the substrate and the diamond film, and the influence of the interface barrier on the field emission properties can not be ignored. At present, there are relatively few studies on the influence of the interface between diamond film and substrate on field emission properties, which needs more attention and research. In this work, the graphene-diamond composite films are fabricated by microwave plasma chemical vapor deposition (MPCVD), which the single crystalline silicon, metal niobium and metal molybdenum are used as substrates, respectively. The microstructure and composition of graphene-diamond composite films were characterized and the field emission properties were studied. The results show that different substrates have significant effects on the field emission properties of the composite films. The composite films fabricated on metal niobium substrate show low turn on field (E0=2.5 V/μm) and high emission current density (J@5.3 V/μm=1.9 mA/cm2). This study provides a new idea for obtaining graphene-diamond composite films with better field emission properties. [ABSTRACT FROM AUTHOR]

Published
2024
Full Text
View/download PDF

49. Hierarchy-Aware Representation Learning for Industrial IoT Vulnerability Classification

Author

Cao, Sicong, Sun, Xiaobing, Yang, Xinye, Wu, Xiaoxue, Liu, Wei, and Li, Bin

Abstract

As with anything connected to the internet, industrial Internet of Things (IIoT) devices are also subject to severe cybersecurity threats because an adversary could exploit vulnerabilities in their internal software to perform malicious attacks. Despite the promising results of deep learning-based approaches, most solutions can only detect the presence of a vulnerability but fail to pinpoint its corresponding type. Recently, TreeVul formalizes the task as a hierarchical multilabel classification problem to predict complete coarse-to-fine vulnerability type hierarchy. Yet, the TreeVul approach is still inaccurate and neglects samples labeled at coarse categories. In this article, we propose HierVul, a novel hierarchy-aware representation learning approach for IIoT vulnerability classification. Specifically, to make full use of vulnerable samples labeled at any granularity, HierVul constructs hierarchy-specific extractors as well as classifiers to disentangle level-wise vulnerability features from the code representation learning network backbone, and maximizes their marginal probability in the probability space constrained by the Common Weakness Enumeration tree hierarchy. Furthermore, considering that the distinction between two vulnerability types at the same level of abstraction becomes smaller and smaller as the refinement of classification granularity, HierVul leverages residual connections to add parent-level coarser-grained features to child-level finer-grained features to transfer hierarchical knowledge across levels. The experimental results show that HierVul achieves 15.25%, 45.16%, and 14.52% relative improvement over TreeVul on Weight F1, Macro F1, and PF, respectively, indicating the effectiveness of HierVul in the practical scenario.

Published
2024
Full Text
View/download PDF

50. Characteristics and related mechanisms of the persistent extreme precipitation in August 2020 over Western China

Author

Ma Qianrong, Jia Fang, Wu Xiaoxue, Chang Youzhi, Zhi Rong, and Feng Guoling

Subjects
extreme precipitation, characteristics, mechanisms, Western China, South Asian high (SAH), Science
Abstract

The persistent heavy precipitation that occurred in most of West China (WC) during August 11–18, 2020, generated the highest rainfall record since recording began in 1961 and was selected as one of the top 10 worst national natural disasters of 2020 in China. Favorable circulation was sustained during August; WC was positioned between two anomalous high-pressure centers over the Tibetan Plateau and Sea of Japan and an anomalous low-pressure center over Mongolia located on its north side, which created a stable and long trough and formed a low-pressure center over WC. At 200 hPa, the subtropical westerly jet was much stronger than average and southward, and the South Asian High (SAH) was strong and extended eastward to 150°E. At 500 hPa, the western Pacific subtropical high (WPSH) was westward and exceptionally strong, which helped abundant water vapor reach the southeastern part of WC and provided favorable dynamic and thermodynamic conditions for precipitation in this region. In addition, the eastward extension of the SAH promotes the westward extension of WPSH, which collectively enhanced the precipitation in WC. At 850 hPa, the low-level jet corresponding to the west-extending subtropical high from the Sea of Japan to WC further enhanced and guided the water vapor transport to WC. In addition, the Mei-Yu front over the Yangtze River Basin in June and July strengthened the northwestward spread of diabatic heating, transient energy, and wave activity fluxes, which likely influenced the large-scale circulation factors and reinforced the precipitation in WC in August 2020.

Published
2022
Full Text
View/download PDF

Catalog

Books, media, physical & digital resources
See catalog results