VDMAF：使用多头注意力融合的跨语言源代码漏洞检测

IF 3.8 2区计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

Information and Software Technology Pub Date : 2025-04-09 DOI:10.1016/j.infsof.2025.107739

Yang Li , Qin Luo , Peng Wu , Hongdi Zheng

{"title":"VDMAF：使用多头注意力融合的跨语言源代码漏洞检测","authors":"Yang Li , Qin Luo , Peng Wu , Hongdi Zheng","doi":"10.1016/j.infsof.2025.107739","DOIUrl":null,"url":null,"abstract":"<div><h3>Context:</h3><div>Detecting potential vulnerabilities is critical for ensuring the stability and reliability of software systems. Traditional static detection methods fall short in accuracy and efficiency. Furthermore, existing deep learning-based vulnerability detection models typically rely on single sequence or graph embedding methods, neglecting the semantic and structured information present in the code. With the diversification of software development environments, systems often involve multiple programming languages. This limits the effectiveness of existing vulnerability detection methods when handling cross-language code.</div></div><div><h3>Objective:</h3><div>To solve these problems, we propose a more effective and general vulnerability detection framework, VDMAF(Cross-Language Source Code Vulnerability Detection Using Multi-Head Attention Fusion).</div></div><div><h3>Methods:</h3><div>The method extracts unified and standardized feature representations. It uses a multi-head attention module to fuse sequence features and graph structural features. First, an improved global consistent labeling mechanism is introduced, which improves data representation through threshold-based label augmentation. Second, the method uses sequence embedding to extract local semantic features of the code. The code is converted into a unified, standardized graph structure. Then, a graph neural network is used to extract features. Finally, the sequence and graph features are fused using the multi-head attention module, followed by classification with a bidirectional LSTM-based recurrent neural network.</div></div><div><h3>Results:</h3><div>VDMAF has been evaluated on three vulnerability datasets across different programming languages and granularities, demonstrating better performance across all metrics compared to baseline models, with F1 scores of 98.9%, 65.3%, and 56.8%.</div></div><div><h3>Conclusion:</h3><div>The proposed VDMAF outperforms state-of-the-art models, exhibiting better generality and scalability, thus showing greater potential in vulnerability detection tasks.</div></div>","PeriodicalId":54983,"journal":{"name":"Information and Software Technology","volume":"183 ","pages":"Article 107739"},"PeriodicalIF":3.8000,"publicationDate":"2025-04-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"VDMAF: Cross-language source code vulnerability detection using multi-head attention fusion\",\"authors\":\"Yang Li , Qin Luo , Peng Wu , Hongdi Zheng\",\"doi\":\"10.1016/j.infsof.2025.107739\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><h3>Context:</h3><div>Detecting potential vulnerabilities is critical for ensuring the stability and reliability of software systems. Traditional static detection methods fall short in accuracy and efficiency. Furthermore, existing deep learning-based vulnerability detection models typically rely on single sequence or graph embedding methods, neglecting the semantic and structured information present in the code. With the diversification of software development environments, systems often involve multiple programming languages. This limits the effectiveness of existing vulnerability detection methods when handling cross-language code.</div></div><div><h3>Objective:</h3><div>To solve these problems, we propose a more effective and general vulnerability detection framework, VDMAF(Cross-Language Source Code Vulnerability Detection Using Multi-Head Attention Fusion).</div></div><div><h3>Methods:</h3><div>The method extracts unified and standardized feature representations. It uses a multi-head attention module to fuse sequence features and graph structural features. First, an improved global consistent labeling mechanism is introduced, which improves data representation through threshold-based label augmentation. Second, the method uses sequence embedding to extract local semantic features of the code. The code is converted into a unified, standardized graph structure. Then, a graph neural network is used to extract features. Finally, the sequence and graph features are fused using the multi-head attention module, followed by classification with a bidirectional LSTM-based recurrent neural network.</div></div><div><h3>Results:</h3><div>VDMAF has been evaluated on three vulnerability datasets across different programming languages and granularities, demonstrating better performance across all metrics compared to baseline models, with F1 scores of 98.9%, 65.3%, and 56.8%.</div></div><div><h3>Conclusion:</h3><div>The proposed VDMAF outperforms state-of-the-art models, exhibiting better generality and scalability, thus showing greater potential in vulnerability detection tasks.</div></div>\",\"PeriodicalId\":54983,\"journal\":{\"name\":\"Information and Software Technology\",\"volume\":\"183 \",\"pages\":\"Article 107739\"},\"PeriodicalIF\":3.8000,\"publicationDate\":\"2025-04-09\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Information and Software Technology\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S0950584925000783\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q2\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Information and Software Technology","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0950584925000783","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

摘要

背景信息：检测潜在漏洞对于确保软件系统的稳定性和可靠性至关重要。传统的静态检测方法在精度和效率方面存在不足。此外，现有的基于深度学习的漏洞检测模型通常依赖于单序列或图嵌入方法，忽略了代码中存在的语义和结构化信息。随着软件开发环境的多样化，系统往往涉及多种编程语言。这限制了现有漏洞检测方法在处理跨语言代码时的有效性。为了解决这些问题，我们提出了一个更有效和通用的漏洞检测框架VDMAF（Cross-Language Source Code vulnerability detection Using Multi-Head Attention Fusion）。方法：该方法提取统一、标准化的特征表示。它采用多头注意模块融合序列特征和图结构特征。首先，引入了一种改进的全局一致标记机制，该机制通过基于阈值的标签增强来改善数据表示。其次，该方法利用序列嵌入提取代码的局部语义特征；代码被转换成统一的、标准化的图形结构。然后，利用图神经网络进行特征提取。最后，使用多头注意模块融合序列特征和图特征，然后使用基于lstm的双向递归神经网络进行分类。结果：VDMAF在不同编程语言和粒度的三个漏洞数据集上进行了评估，与基线模型相比，在所有指标上表现出更好的性能，F1得分分别为98.9%、65.3%和56.8%。结论：本文提出的VDMAF优于现有模型，具有更好的通用性和可扩展性，在漏洞检测任务中具有更大的潜力。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

VDMAF: Cross-language source code vulnerability detection using multi-head attention fusion

Context:

Detecting potential vulnerabilities is critical for ensuring the stability and reliability of software systems. Traditional static detection methods fall short in accuracy and efficiency. Furthermore, existing deep learning-based vulnerability detection models typically rely on single sequence or graph embedding methods, neglecting the semantic and structured information present in the code. With the diversification of software development environments, systems often involve multiple programming languages. This limits the effectiveness of existing vulnerability detection methods when handling cross-language code.

Objective:

To solve these problems, we propose a more effective and general vulnerability detection framework, VDMAF(Cross-Language Source Code Vulnerability Detection Using Multi-Head Attention Fusion).

Methods:

The method extracts unified and standardized feature representations. It uses a multi-head attention module to fuse sequence features and graph structural features. First, an improved global consistent labeling mechanism is introduced, which improves data representation through threshold-based label augmentation. Second, the method uses sequence embedding to extract local semantic features of the code. The code is converted into a unified, standardized graph structure. Then, a graph neural network is used to extract features. Finally, the sequence and graph features are fused using the multi-head attention module, followed by classification with a bidirectional LSTM-based recurrent neural network.

Results:

VDMAF has been evaluated on three vulnerability datasets across different programming languages and granularities, demonstrating better performance across all metrics compared to baseline models, with F1 scores of 98.9%, 65.3%, and 56.8%.

Conclusion:

The proposed VDMAF outperforms state-of-the-art models, exhibiting better generality and scalability, thus showing greater potential in vulnerability detection tasks.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Information and Software Technology 工程技术-计算机：软件工程

CiteScore

9.10

自引率

7.70%

发文量

164

审稿时长

9.6 weeks

期刊介绍： Information and Software Technology is the international archival journal focusing on research and experience that contributes to the improvement of software development practices. The journal''s scope includes methods and techniques to better engineer software and manage its development. Articles submitted for review should have a clear component of software engineering or address ways to improve the engineering and management of software development. Areas covered by the journal include: • Software management, quality and metrics, • Software processes, • Software architecture, modelling, specification, design and programming • Functional and non-functional software requirements • Software testing and verification & validation • Empirical studies of all aspects of engineering and managing software development Short Communications is a new section dedicated to short papers addressing new ideas, controversial opinions, "Negative" results and much more. Read the Guide for authors for more information. The journal encourages and welcomes submissions of systematic literature studies (reviews and maps) within the scope of the journal. Information and Software Technology is the premiere outlet for systematic literature studies in software engineering.