Vul2image: A quick image-inspired and CNN-based vulnerability detection system
Rong Ren, Mushi Zhou, Ni Liao, Bing Zhang, Guoyan Huang, Haitao He, Qian Wang
Expert Systems with Applications, Volume 312, Article 131468 (Journal Article)
DOI: 10.1016/j.eswa.2026.131468
URL: https://www.sciencedirect.com/science/article/pii/S0957417426003817
Online (Epub) date: 2026/2/4; publication date: 2026-05-25
JCR: Q1 (Computer Science, Artificial Intelligence); impact factor: 7.5
Citations: 0
Abstract
Given the accuracy of deep learning (DL) in image classification, some studies have applied DL algorithms to vulnerability detection by characterizing software source code as RGB images. However, effectively utilizing RGB images to store multiple code semantics remains a challenge, impacting the effectiveness of vulnerability detection. To address this, we developed Vul2image, a quick Image-inspired and CNN-based Vulnerability Detection System. By focusing on Potential Vulnerable Code Fragments (PVCFs) and their context code, Vul2image minimized interference from irrelevant information and achieved comprehensive coverage of vulnerability features. It constructed an RGB fine-grained image model incorporating textual, semantic, and structural information from code text, Control Dependency Graphs (CDGs), and Data Dependency Graphs (DDGs), resulting in improved detection efficiency. Evaluated on three datasets with increasing vulnerability types (including our self-collected, VulCNN, and Devign), Vul2image achieved the best results on our dataset, outperforming 9 classic (incl. 4 LLM-based) and 2 SOTA image-based detectors (VulCNN, VulGAI) and demonstrating performance comparable to 7 transformer-encoder-based methods, showing strong precision for specific vulnerability types. In practice, Vul2image was 35 times faster than VulCNN and successfully identified 21 reported and 5 unreported vulnerabilities in various real-world systems and software within 67,352,085 lines of code, showcasing its large-scale vulnerability detection capability.
About the journal:
Expert Systems With Applications is an international journal dedicated to the exchange of information on expert and intelligent systems used globally in industry, government, and universities. The journal emphasizes original papers covering the design, development, testing, implementation, and management of these systems, offering practical guidelines. It spans various sectors such as finance, engineering, marketing, law, project management, information management, medicine, and more. The journal also welcomes papers on multi-agent systems, knowledge management, neural networks, knowledge discovery, data mining, and other related areas, excluding applications to military/defense systems.