结合多视角图表示与边类型信息的源代码漏洞检测方法

doi:10.19678/j.issn.1000-3428.0253434

摘要/Abstract

摘要： 开源生态系统的快速发展加速了软件漏洞的传播，对信息安全构成了重大威胁，基于序列的深度学习方法在建模源代码的结构特征方面存在不足，而现有基于图神经网络的漏洞检测方法存在难以充分融合拓扑结构以及节点特征的问题。为应对这一挑战及解决现有基于深度学习方法的局限性，提出了一种结合多视角图表示与边类型信息的源代码漏洞检测方法（MVGE-Net）。在该方法中，源代码首先被转换为图表示，之后根据图中节点包含语义程度的不同，使用不同的预训练模型获取图嵌入，并从不同视角构建拓扑图、特征图和共享图以捕获互补信息，同时将边类型信息整合到节点特征中以增强模型表示能力。最后，通过轻量级门控机制融合提取的特征，并生成最终的漏洞预测结果。在两个基准数据集上的实验表明，MVGE-Net在准确率、精确率、召回率和F1值上均优于基线模型，其中，在FFMPeg+Qemu数据集上，MVGE-Net比经典基线方法（Devign）提升了9.14、9.13、1.75和5.74个百分点，定性与定量分析均验证了所提方法的有效性。总体而言，MVGE-Net有效克服了现有基于图神经网络方法的局限性，为漏洞检测任务提供了一种更为鲁棒且高效的解决方案。

Abstract: The rapid growth of the open-source ecosystem has accelerated the spread of software vulnerabilities, posing significant threats to information security. Sequence-based deep learning methods struggle to capture the structural characteristics of source code, while existing graph neural network–based approaches struggle to sufficiently integrate topological structures with node features. To address these challenges and overcome the limitations of current deep learning–based techniques, we propose MVGE-Net, a source code vulnerability detection method that integrates multi-view graph representations with edge-type information.In MVGE-Net, source code is first transformed into a graph representation. Then, depending on the semantic richness of the nodes, different pretrained models are utilized to obtain node embeddings. Subsequently, topology graphs, feature graphs, and shared graphs are constructed from multiple perspectives to capture complementary information. Meanwhile, edge-type information is incorporated into node features to enhance representational capability. Finally, a lightweight gating mechanism fuses the extracted features to generate the final vulnerability prediction.Experiments conducted on two benchmark datasets show that our method achieves improvements of 9.14, 9.13, 1.75, and 5.74 percentage points in Accuracy, Precision, Recall, and F1 score, respectively, compared with the baseline method Devign.Both qualitative and quantitative analyses confirm the effectiveness of the proposed approach. Overall, MVGE-Net successfully addresses the limitations of existing GNN-based methods and provides a more robust and efficient solution for vulnerability detection.

黄安博, 曲海成. 结合多视角图表示与边类型信息的源代码漏洞检测方法[J]. 计算机工程, doi: 10.19678/j.issn.1000-3428.0253434.

Anbo Huang, Haicheng Qu. A Source Code Vulnerability Detection Method Based on Multi-View Graph Representations and Edge-Type Information[J]. Computer Engineering, doi: 10.19678/j.issn.1000-3428.0253434.

参考文献

[1] GITHUB. The 2024 GitHub Octoverse[EB/OL]. [2024-12-18].https://github.blog/news-insights/octoverse/octoverse-2024/.
[2] Yamaguchi F , Wressnegger C , Gascon H ,et al.Chucky: exposing missing checks in source code for vulnerability discovery[J].ACM, 2013.DOI:10.1145/2508859.2516665.
[3] Du X , Chen B , Li Y ,et al.LEOPARD: Identifying Vulnerable Code for Vulnerability Assessment through ProgramMetrics[J]. 2019.DOI:10.1109/ICSE.2019.00024.
[4] Xu Z , Chen B , Chandramohan M ,et al.SPAIN: Security Patch Analysis for Binaries towards Understanding the Pain and Pills[J].IEEE, 2017.DOI:10.1109/ICSE.2017.49.
[5] 苏小红，郑伟宁，蒋远，等。基于学习的源代码漏洞检测研究与进展[J]。计算机学报， 2024,47(2):337-374.DOI:10.11897/SP.J.1016.2024.00337.Su Xiaohong, Zheng Weining,Jiang Yuan,et al.Research and Advances in Learning-Based Source Code Vulnerability Detection[J].Chinese Journal of Computers,2024,47(2):337-374.DOI:10.11897/SP.J.1016.2024.00337.
[6] Zhou Y, Liu S Q, Siow J, et al. Devign: Effective vulnerability identification by learning comprehensive program semantics via graph neural networks[C]//Proceedings of the 33rd International Conference on Neural Information Processing Systems. Red Hook, NY: Curran Associates Inc., 2019: 10197-10207.
[7] CHURCH, Ward K .Word2Vec[J].Natural Language Engineering, 2017, 23(01):155-162.DOI:10.1017/S1351324916000334.
[8] Russell R L,Kim L,Hamilton L H,et al.Automated Vulnerability Detection in Source Code Using Deep RepresentationLearning[J].IEEE,2018.DOI:10.1109/ICMLA.2018.00120.
[9] A H Y,A S L,A L P,et al.HAN-BSVD:a Hierarchical Attention Network for Binary Software Vulnerability Detection[J].Computers & Security,2021.DOI:10.1016/j.cose.2021.102286.
[10] Hovsepyan A,Scandariato R,Joosen W,et al.Software Vulnerability Prediction using Text Analysis Techniques[C]//International Workshop on Security Measurements and Metrics.2012.DOI:10.1145/2372225.2372230.
[11] Zhao Z , Yang B , Li G ,et al.Precise Learning of Source Code Contextual Semantics via Hierarchical Dependence Structure and Graph Attention Networks[J].Journal of Systems and Software, 2022.DOI:10.1016/J.JSS.2021.111108.
[12] Cheng X , Wang H , Hua J ,et al.Static Detection of Control-Flow-Related Vulnerabilities Using Graph Embedding[J].IEEE, 2019.DOI:10.1109/ICECCS.2019.00012.
[13] Guo D , Ren S , Lu S ,et al.GraphCodeBERT: Pre-training Code Representations with Data Flow[J]. 2020.DOI:10.48550/arXiv.2009.08366.
[14] Steenhoek B , Gao H , Le W .Dataflow Analysis-Inspired Deep Learning for Efficient Vulnerability Detection[J].IEEE, 2022.DOI:10.1145/3597503.3623345.
[15] Scarselli F,Gori M,Tsoi A C,et al.The Graph Neural Network Model[J].IEEE Transactions on Neural Networks, 2009, 20(1):61.DOI:10.1109/TNN.2008.2005605.
[16] Krizhevsky A,Sutskever I, Hinton G E. ImageNet classification with deep convolutional neural networks[J]. Communications of the ACM, 2017, 60(6): 84-90.
[17] Mikolov T, Zweig G.Context dependent recurrent neural network language model[C]//Spoken Language Technology Workshop.IEEE, 2013.DOI:10.1109/SLT.2012.6424228.
[18] Hochreiter S,Schmidhuber J.Long Short-Term Memory[J].Neural Computation,1997,9(8):1735-1780.DOI:10.1162/neco.1997.9.8.1735.
[19] Vaswani A, Shazeer N, Parmar N, et al. Attention is all you need[C]//Proceedings of the 31st International Conference on Neural Information Processing Systems. Red Hook, NY: Curran Associates Inc., 2017: 6000-6010.
[20] Thapa C , Jang S I , Ahmed M E ,et al.Transformer-Based Language Models for Software Vulnerability Detection[J]. 2022.DOI:10.1145/3564625.3567985.
[21] Devlin J , Chang M W , Lee K ,et al.BERT: Pre-training of Deep Bidirectional Transformers for Language Understanding[J].ArXiv, 2019, abs/1810.04805.DOI:10.18653/v1/N19-1423.
[22] 罗乐琦,张艳硕,王志强,等.基于BERT模型的源代码漏洞检测技术研究[J].信息安全研究, 2024(004):010.DOI:10.12379/j.issn.2096-1057.2024.04.02.LUO L Q, ZHANG Y S, WANG Z Q, et al. Research on source code vulnerability detection technology based on BERT model[J]. Journal of Information Security Research, 2024(4): 010.
[23] Chakraborty S,Krishna R,Ding Y,et al.Deep Learning based Vulnerability Detection:Are We There Yet[J].IEEE Transactions on Software Engineering,2021(01).DOI:10.1109/TSE.2021.3087402.
[24] Wang H , Ye G , Tang Z ,et al.Combining Graph-Based Learning With Automated Data Collection for Code Vulnerability Detection[J].IEEE Transactions on Information Forensics and Security, 2020, PP(99).DOI:10.1109/TIFS.2020.3044773.
[25] 文敏,王荣存,姜淑娟.基于关系图卷积网络的源代码漏洞检测[J].计算机应用, 2022, 42(6):8.DOI:10.11772/j.issn.1001-9081.2021091691.WEN M, WANG R C, JIANG S J. Source code vulnerability detection based on relational graph convolutional network[J]. Journal of Computer Applications, 2022, 42(6): 8.
[26] Li Y , Wang S , Nguyen T N .Vulnerability Detection with Fine-grained Interpretations[J]. 2021.DOI:10.1145/3468264.3468597.
[27] Li M, Li C F, Li S L, et al. ACGVD: Vulnerability detection based on comprehensive graph via graph neural network with attention[C]//Information and Communications Security: 23rd International Conference, ICICS 2021. Cham: Springer, 2021: 243-259.
[28] Ghaffarian S M , Shahriari H R .Neural Software Vulnerability Analysis using Rich Intermediate Graph Representations of Programs[J].Information Sciences, 2020.DOI:10.1016/j.ins.2020.11.053.
[29] NGUYEN V A, NGUYEN D Q, NGUYEN V, et al. ReGVD: Revisiting graph neural networks for vulnerability detection[C]//2022 IEEE/ACM 44th International Conference on Software Engineering: Companion Proceedings (ICSE-Companion). New York, USA: ACM, 2022: 178-182.
[30] JOERN. The Bug Hunter's Workbench[EB/OL]. [2025-09-08].https://joern.io/.
[31] Moghadasi M N , Zhuang Y .Sent2Vec: A New Sentence Embedding Representation With Sentimental Semantic[J].IEEE, 2020.DOI:10.1109/BigData50022.2020.9378337.
[32] Li Z , Zou D , Xu S ,et al.VulDeePecker: A Deep Learning-Based System for Vulnerability Detection[C]//Network and Distributed System Security Symposium.2018.DOI:10.14722/ndss.2018.23165.
[33] Li Z,Zou D,Xu S ,et al.SySeVR:A Framework for Using Deep Learning to Detect Software Vulnerabilities[J].IEEE Transactions on Dependable and Secure Computing,2021,PP(99):1-1.DOI:10.1109/TDSC.2021.3051525.
[34] Wen X C,Chen Y,Gao C,et al.Vulnerability detection with graph simplification and enhanced graph representation learning[C]//Proceedings of the 45th International Conference on Software Engineering. Melbourne, Australia: IEEE, 2023: 2275-2286.
[35] Ling M , Tang M , Bian D ,et al.A dual graph neural networks model using sequence embedding as graph nodes for vulnerability detection[J].Information and Software Technology, 2025, 177(000).DOI:10.1016/j.infsof.2024.107581.
[36] Liu R , Wang Y , Xu H ,et al.Vul-LMGNNs: Fusing language models and online-distilled graph neural networks for code vulnerability detection[J].Information Fusion, 2025, 115(000).DOI:10.1016/j.inffus.2024.102748.

选择文件类型/文献管理软件名称

选择包含的内容