In an increasingly interconnected and data-driven world, the importance of robust security measures cannot be overstated. A knowledge graph constructed from information extracted from a system, together with its desired security behavior, can be used to identify complex security vulnerabilities hidden within that system. Unfortunately, existing security knowledge graphs are constructed from coarse-grained information extracted from publicly available vulnerability reports, and are not equipped to check actual security violations in real-world system implementations. In this poster, we present a novel approach that uses a Program Knowledge Graph embedded with fine-grained execution information about the system (e.g., call graph and data flow) along with information extracted from public vulnerability and weakness datasets (e.g., CVE and CWE). We further demonstrate that our custom security knowledge graph can be checked against standard queries generated by an LLM, providing a powerful way to identify security vulnerabilities and weaknesses in critical systems.