Journal of Computer Applications ›› 2022, Vol. 42 ›› Issue (6): 1814-1821. DOI: 10.11772/j.issn.1001-9081.2021091691

• The 18th CCF Conference on Web Information Systems and Applications •

Source code vulnerability detection based on relational graph convolution network

Min WEN 1,2, Rongcun WANG 1,2,3, Shujuan JIANG 1,2

  1. Engineering Research Center of Mine Digitalization, Ministry of Education (China University of Mining and Technology), Xuzhou, Jiangsu 221116, China
  2. School of Computer Science and Technology, China University of Mining and Technology, Xuzhou, Jiangsu 221116, China
  3. Key Laboratory of Safety-Critical Software, Ministry of Industry and Information Technology (Nanjing University of Aeronautics and Astronautics), Nanjing, Jiangsu 211106, China
  • Received: 2021-09-29 Revised: 2021-11-16 Accepted: 2021-11-17 Online: 2022-04-15 Published: 2022-06-10
  • Contact: Rongcun WANG
  • About author: WEN Min, born in 1996, M.S. candidate. Her research interests include vulnerability detection.
    JIANG Shujuan, born in 1966, Ph.D., professor. Her research interests include software analysis and testing, and compilation technology.
  • Supported by:
    National Natural Science Foundation of China (61673384); Natural Science Foundation of Jiangsu Province (BK20181353); Open Fund of Key Laboratory of Safety-Critical Software, Ministry of Industry and Information Technology (1015-56XCA18164)


Min WEN 1,2, Rongcun WANG 1,2,3, Shujuan JIANG 1,2

  1. Engineering Research Center of Mine Digitalization, Ministry of Education (China University of Mining and Technology), Xuzhou, Jiangsu 221116, China
  2. School of Computer Science and Technology, China University of Mining and Technology, Xuzhou, Jiangsu 221116, China
  3. Key Laboratory of Software Development and Verification Technology for High-Safety Systems, Ministry of Industry and Information Technology (Nanjing University of Aeronautics and Astronautics), Nanjing 211106, China
  • Corresponding author: Rongcun WANG
  • About author: WEN Min, born in 1996, female, from Shaodong, Hunan, M.S. candidate. Her main research interest is vulnerability detection.
  • Supported by:


The root cause of software security lies in the source code written by software developers, but as the size and complexity of software keep increasing, it is costly and difficult to perform vulnerability detection manually, while existing code analysis tools have high false positive and false negative rates. Therefore, an automatic vulnerability detection method based on Relational Graph Convolution Network (RGCN) was proposed to further improve the accuracy of vulnerability detection. Firstly, the program source code was transformed into a Code Property Graph (CPG) containing syntactic and semantic information. Then, representation learning was performed on the graph structure by RGCN. Finally, a neural network model was trained to predict the vulnerabilities in the program source code. To verify the effectiveness of the proposed method, an experimental validation was conducted on real-world software vulnerability samples, and the results show that the recall and F1-measure of the vulnerability detection results of the proposed method reach 80.27% and 63.78% respectively. Compared with Flawfinder, VulDeePecker and a similar method based on Graph Convolution Network (GCN), the proposed method has its F1-measure increased by 182%, 12% and 55% respectively. It can be seen that the proposed method can effectively improve vulnerability detection capability.
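The pipeline the abstract describes (source code to CPG, representation learning by RGCN, then a classifier) in miniature, as an added example written for this page and not the authors' implementation. The node-type vocabulary, the three edge relations (AST, CFG, PDG), the hand-built five-node CPG and the untrained random weights are all assumptions made here; the layer update follows the standard R-GCN formulation (Schlichtkrull et al., 2018), not necessarily the paper's exact architecture.

```python
import math
import random
from typing import Callable, Dict, List, Sequence, Tuple

# Toy vocabularies, constructed for this example; a real CPG (e.g. one
# exported from a code analysis tool) has far richer node and edge labels.
NODE_TYPES = ["FunctionDef", "Identifier", "Call", "Literal", "Return"]
RELATIONS = ["AST", "CFG", "PDG"]   # syntax tree, control flow, program dependence

Matrix = List[List[float]]
Vector = List[float]
EdgeSet = Dict[str, List[Tuple[int, int]]]   # relation -> [(src, dst), ...]


def one_hot(node_type: str) -> Vector:
    """Initial node feature: one-hot over the node-type vocabulary."""
    return [1.0 if t == node_type else 0.0 for t in NODE_TYPES]


def identity(n: int, scale: float = 1.0) -> Matrix:
    return [[scale if i == j else 0.0 for j in range(n)] for i in range(n)]


def random_matrix(rows: int, cols: int, rng: random.Random) -> Matrix:
    """Small uniform weights; a trained model would learn these by gradient descent."""
    return [[rng.uniform(-0.5, 0.5) for _ in range(cols)] for _ in range(rows)]


def matvec(w: Matrix, x: Sequence[float]) -> Vector:
    return [sum(w_ij * x_j for w_ij, x_j in zip(row, x)) for row in w]


def relu(v: Vector) -> Vector:
    return [max(0.0, a) for a in v]


def rgcn_layer(h: List[Vector], edges: EdgeSet, w_self: Matrix,
               w_rel: Dict[str, Matrix],
               activation: Callable[[Vector], Vector] = relu) -> List[Vector]:
    """One R-GCN layer:

        h'_i = act( W_0 h_i + sum_r sum_{j in N_r(i)} (1 / |N_r(i)|) W_r h_j )

    Each relation r has its own weight matrix W_r, so an AST edge and a CFG edge
    into the same node contribute different transformations; a plain GCN uses one
    shared matrix for every edge. Messages flow from edge source to destination
    (add reversed edges as extra relations if both directions are wanted).
    """
    out: List[Vector] = []
    for i in range(len(h)):
        acc = matvec(w_self, h[i])                      # self-connection term W_0 h_i
        for rel, w in w_rel.items():
            nbrs = [src for src, dst in edges.get(rel, []) if dst == i]
            if not nbrs:
                continue
            norm = 1.0 / len(nbrs)                      # 1 / c_{i,r}
            for j in nbrs:
                acc = [a + norm * m for a, m in zip(acc, matvec(w, h[j]))]
        out.append(activation(acc))
    return out


def mean_pool(h: List[Vector]) -> Vector:
    """Graph-level readout: average all node embeddings into one vector."""
    dim = len(h[0])
    return [sum(v[k] for v in h) / len(h) for k in range(dim)]


def sigmoid(x: float) -> float:
    return 1.0 / (1.0 + math.exp(-x))


def build_toy_cpg() -> Tuple[List[Vector], EdgeSet]:
    """Hand-built CPG (constructed sample) for a function with one parameter,
    one call with a literal argument, and a return; node ids 0..4."""
    features = [one_hot(t) for t in ["FunctionDef", "Identifier", "Call", "Literal", "Return"]]
    edges: EdgeSet = {
        "AST": [(0, 1), (0, 2), (2, 3), (0, 4)],   # parent -> child
        "CFG": [(1, 2), (2, 4)],                   # predecessor -> successor
        "PDG": [(1, 2), (2, 4)],                   # definition -> use
    }
    return features, edges


def predict_vulnerable(features: List[Vector], edges: EdgeSet,
                       rng: random.Random = None) -> float:
    """Forward pass of a two-layer R-GCN plus a logistic readout; returns P(vulnerable).
    Weights are random (hypothetical, untrained), so the value only shows the data flow."""
    rng = rng or random.Random(0)
    dim = len(NODE_TYPES)
    h = features
    for _ in range(2):
        w_self = random_matrix(dim, dim, rng)
        w_rel = {r: random_matrix(dim, dim, rng) for r in RELATIONS}
        h = rgcn_layer(h, edges, w_self, w_rel)
    graph_vec = mean_pool(h)
    w_out = [rng.uniform(-0.5, 0.5) for _ in range(dim)]
    return sigmoid(sum(a * b for a, b in zip(w_out, graph_vec)))


if __name__ == "__main__":
    feats, eds = build_toy_cpg()
    print(f"P(vulnerable) = {predict_vulnerable(feats, eds):.3f}")
```

The point to take from the block is the relation-specific weight matrices: a node reached by an AST edge and by a PDG edge aggregates the two neighbours through different transformations, which is the information a plain GCN collapses. With random weights the returned probability is meaningless; in a real pipeline the CPG is produced by a static analysis tool and the weights are fitted on labelled vulnerable and non-vulnerable functions.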

Key words: vulnerability detection, Code Property Graph (CPG), Relational Graph Convolution Network (RGCN), deep learning, prediction model



Key words: vulnerability detection, code property graph, relational graph convolution network, deep learning, prediction model
