Vulnerability detection with Graph Attention Network and Metric Learning

IF 3.8 2区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

Information and Software Technology Pub Date : 2025-07-02 DOI:10.1016/j.infsof.2025.107826

Chunyong Zhang , Liangwei Yao , Yang Xin

{"title":"Vulnerability detection with Graph Attention Network and Metric Learning","authors":"Chunyong Zhang , Liangwei Yao , Yang Xin","doi":"10.1016/j.infsof.2025.107826","DOIUrl":null,"url":null,"abstract":"<div><h3>Context:</h3><div>Static code vulnerability detection is a critical topic in software security. Researchers are interested in employing deep learning to discover vulnerabilities automatically. However, existing software analysis methods have a high rate of false positives and false negatives.</div></div><div><h3>Objective:</h3><div>High false negatives and high false positives may be caused by the problem of insufficient extraction of syntax and semantics, data imbalance, and overlapping feature distributions. Based on the above problems, we construct a vulnerability detection model GSM, which is a loosely coupled method based on the combination of <strong><u>G</u></strong>raph Attention Network, <strong><u>S</u></strong>ampling, and <strong><u>M</u></strong>etric Learning.</div></div><div><h3>Method:</h3><div>Firstly, we utilize the code property graph to represent source code and use graph attention networks for graph embedding learning. Secondly, we adopt a combination of oversampling and undersampling to deal with imbalanced dataset. Finally, we adopt a Metric Learning method based on the quadruple loss function to separate vulnerable and neutral samples.</div></div><div><h3>Results:</h3><div>Compared to the state-of-the-art method Reveal on the imbalanced dataset chrdeb, the performance of Precision, Recall, and F1-Score are improved by about 11.5%, 12.4%, and 12.7%, respectively.</div></div><div><h3>Conclusion:</h3><div>Under different datasets, GSM has shown better performance than state-of-the-art vulnerability detection methods in multiple metrics. GSM can resolve the problem of data imbalance and the inability to separate the two types of samples.</div></div>","PeriodicalId":54983,"journal":{"name":"Information and Software Technology","volume":"186 ","pages":"Article 107826"},"PeriodicalIF":3.8000,"publicationDate":"2025-07-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Information and Software Technology","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S095058492500165X","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Context:

Static code vulnerability detection is a critical topic in software security. Researchers are interested in employing deep learning to discover vulnerabilities automatically. However, existing software analysis methods have a high rate of false positives and false negatives.

Objective:

High false negatives and high false positives may be caused by the problem of insufficient extraction of syntax and semantics, data imbalance, and overlapping feature distributions. Based on the above problems, we construct a vulnerability detection model GSM, which is a loosely coupled method based on the combination of Graph Attention Network, Sampling, and Metric Learning.

Method:

Firstly, we utilize the code property graph to represent source code and use graph attention networks for graph embedding learning. Secondly, we adopt a combination of oversampling and undersampling to deal with imbalanced dataset. Finally, we adopt a Metric Learning method based on the quadruple loss function to separate vulnerable and neutral samples.

Results:

Compared to the state-of-the-art method Reveal on the imbalanced dataset chrdeb, the performance of Precision, Recall, and F1-Score are improved by about 11.5%, 12.4%, and 12.7%, respectively.

Conclusion:

Under different datasets, GSM has shown better performance than state-of-the-art vulnerability detection methods in multiple metrics. GSM can resolve the problem of data imbalance and the inability to separate the two types of samples.

查看原文本刊更多论文

基于图注意网络和度量学习的漏洞检测

背景：静态代码漏洞检测是软件安全领域的一个重要课题。研究人员对利用深度学习自动发现漏洞很感兴趣。然而，现有的软件分析方法存在较高的假阳性和假阴性率。目的：高假阴性和高假阳性可能是由于句法语义提取不足、数据不平衡、特征分布重叠等问题造成的。基于以上问题，我们构建了一种基于图注意网络、采样和度量学习相结合的松散耦合方法——漏洞检测模型GSM。方法：首先利用代码属性图表示源代码，并利用图关注网络进行图嵌入学习。其次，采用过采样和欠采样相结合的方法处理不平衡数据集。最后，采用基于四重损失函数的度量学习方法分离脆弱样本和中性样本。结果：在不平衡数据集chrdeb上，与最先进的Reveal方法相比，Precision、Recall和F1-Score的性能分别提高了11.5%、12.4%和12.7%。结论：在不同的数据集下，GSM在多个指标上都比现有的漏洞检测方法表现出更好的性能。GSM可以解决数据不平衡和两类样本无法分离的问题。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Information and Software Technology 工程技术-计算机：软件工程

CiteScore

9.10

自引率

7.70%

发文量

164

审稿时长

9.6 weeks

期刊介绍： Information and Software Technology is the international archival journal focusing on research and experience that contributes to the improvement of software development practices. The journal''s scope includes methods and techniques to better engineer software and manage its development. Articles submitted for review should have a clear component of software engineering or address ways to improve the engineering and management of software development. Areas covered by the journal include: • Software management, quality and metrics, • Software processes, • Software architecture, modelling, specification, design and programming • Functional and non-functional software requirements • Software testing and verification & validation • Empirical studies of all aspects of engineering and managing software development Short Communications is a new section dedicated to short papers addressing new ideas, controversial opinions, "Negative" results and much more. Read the Guide for authors for more information. The journal encourages and welcomes submissions of systematic literature studies (reviews and maps) within the scope of the journal. Information and Software Technology is the premiere outlet for systematic literature studies in software engineering.