Software vulnerability detection method based on edge weight

doi:10.11772/j.issn.1001-9081.2025020217

Journal of Computer Applications ›› 2026, Vol. 46 ›› Issue (2): 518-527.DOI: 10.11772/j.issn.1001-9081.2025020217

• Computer software technology • Previous Articles

Software vulnerability detection method based on edge weight

Qiao YU¹, Zirui HUANG¹(), Shengyi CHENG¹(), Yi ZHU¹, Shutao ZHANG²

^1.School of Computer Science and Technology，Jiangsu Normal University，Xuzhou Jiangsu 221116，China
^2.Jiangsu Xuzhou Mining Energy Company Limited，Xuzhou Jiangsu 220009，China

Received:2025-03-06 Revised:2025-05-11 Accepted:2025-05-13 Online:2025-05-16 Published:2026-02-10
Contact: Zirui HUANG
About author:YU Qiao， born in 1989， Ph. D.， associate professor. Her research interests include machine learning， software defect prediction， vulnerability detection.
HUANG Zirui， born in 1999， M. S. candidate. His research interests include vulnerability detection.
CHENG Shengyi， born in 1999， M. S. candidate. His research interests include vulnerability detection， software defect prediction. Email:hanzir13@163.com
ZHU Yi， born in 1976， Ph. D.， professor. His research interests include software engineering， formal methods， software defect prediction.
ZHANG Shutao， born in 1979， M. S.， senior engineer. His research interests include information management system and operations.
Supported by:
National Natural Science Foundation of China(61902161);Postgraduate Research and Practice Innovation Program of Jiangsu Normal University(2024XKT2616)

基于边权重的软件漏洞检测方法

于巧¹, 黄子睿¹(), 程圣懿¹(), 祝义¹, 张淑涛²

^1.江苏师范大学计算机科学与技术学院，江苏徐州 221116
^2.江苏徐矿能源股份有限公司，江苏徐州 220009

通讯作者: 黄子睿
作者简介:于巧（1989—），女，山东莱阳人，副教授，博士，CCF会员，主要研究方向：机器学习、软件缺陷预测、漏洞检测
黄子睿（1999—），男，江苏淮安人，硕士研究生，CCF会员，主要研究方向：漏洞检测 Email:hanzir13@163.com
程圣懿（1999—），男，江苏徐州人，硕士研究生，CCF会员，主要研究方向：漏洞检测、软件缺陷预测
祝义（1976—），男，江西九江人，教授，博士，CCF高级会员，主要研究方向：软件工程、形式化方法、软件缺陷预测
张淑涛（1979—），男，江苏徐州人，高级工程师，硕士，主要研究方向：信息管理系统与运维。
基金资助:
国家自然科学基金资助项目(61902161);江苏师范大学研究生科研与实践创新计划项目(2024XKT2616)

Abstract

Abstract:

With the widespread application of software across various domains， software vulnerabilities have shown a continuous upward trend， so that deep learning-based methods for vulnerability detection have gained wide application. However， the existing graph representation learning methods often neglect the influence of edges in the graph on vulnerability detection， and have the representation of edge weights too coarse. To address this issue， a software vulnerability detection method based on edge weight — EWVD （Edge Weight for Vulnerability Detection） was proposed. Firstly， comments， custom variable names， and function names in the source code were cleaned and represented abstractly. Secondly， Sent2Vec was selected to perform embedding representation after comparative analysis. Thirdly， edge weights were calculated comprehensively using three metrics： connection structure， the importance of neighboring nodes， and Jaccard similarity， so as to identify the information transmission capability between nodes. Finally， by leveraging edge weights， perception capability of the model was enhanced for potential relationships between vulnerable statements， thereby determining the importance of edges in the graph. Compared with the best-performing baseline method VulCNN among seven vulnerability detection baseline methods， EWVD achieves an increase of 1.06 percentage points in Accuracy and a decrease of 1.11 percentage points in False Positive Rate （FPR）. It can be seen that EWVD refines the representation of edge weights and improves the overall performance of vulnerability detection.

Key words: vulnerability detection, edge weight, graph representation learning, program dependency graph

摘要：

随着软件在各个领域的广泛应用，软件漏洞呈不断增长的趋势，基于深度学习的软件漏洞检测方法得到广泛应用；然而，现有的图表示学习方法通常忽略了图中边对软件漏洞检测的影响，并且对边权重的表示过于粗糙。针对该问题，提出一种基于边权重的软件漏洞检测方法EWVD（Edge Weight for Vulnerability Detection）。首先，对源代码中的注释、自定义变量名和函数名进行清理和抽象表示；其次，经过对比分析后选择使用Sent2Vec进行嵌入表示；再次，利用连接结构、邻居节点的重要性和Jaccard相似性这3种度量方式，综合计算边权重，从而识别节点间的信息传递能力；最后，利用边权重提升模型对漏洞语句潜在关系的感知能力，从而判断图中边的重要性。实验结果表明，与7种漏洞检测基线方法中的最优基线VulCNN相比，EWVD的准确率提高了1.06个百分点，而假阳性率（FPR）降低了1.11个百分点。可见，EWVD细化了边权重的表示，并且提升了漏洞检测的综合性能。

关键词: 漏洞检测, 边权重, 图表示学习, 程序依赖图

CLC Number:

TP311

Qiao YU, Zirui HUANG, Shengyi CHENG, Yi ZHU, Shutao ZHANG. Software vulnerability detection method based on edge weight[J]. Journal of Computer Applications, 2026, 46(2): 518-527.

于巧, 黄子睿, 程圣懿, 祝义, 张淑涛. 基于边权重的软件漏洞检测方法[J]. 《计算机应用》唯一官方网站, 2026, 46(2): 518-527.

Figures/Tables 16

References 30

[1]	STEENHOEK B， GAO H， LE W. Dataflow analysis-inspired deep learning for efficient vulnerability detection［C］// Proceedings of the IEEE/ACM 46th International Conference on Software Engineering. New York： ACM， 2024： No.16.
[2]	Secure Software Inc. Rough Audit Tool for Security （RATS）［EB/OL］. ［2024-11-07］..
[3]	Ltd Checkmarx. Checkmarx［EB/OL］. ［2024-11-07］..
[4]	WHEELER D A. FlawFinder［EB/OL］. ［2024-11-07］..
[5]	KIM S， WOO S， LEE H， et al. VUDDY： a scalable approach for vulnerable code clone discovery［C］// Proceedings of the 2017 IEEE Symposium on Security and Privacy. Piscataway： IEEE， 2017： 595-614.
[6]	YAMAGUCHI F， LOTTMANN M， RIECK K. Generalized vulnerability extrapolation using abstract syntax trees［C］// Proceedings of the 28th Annual Computer Security Applications Conference. New York： ACM， 2012： 359-368.
[7]	PHAM N H， NGUYEN T T， NGUYEN H A， et al. Detection of recurring software vulnerabilities［C］// Proceedings of the 25th IEEE/ACM International Conference on Automated Software Engineering. New York： ACM， 2010： 447-456.
[8]	李韵，黄辰林，王中锋，等. 基于机器学习的软件漏洞挖掘方法综述［J］. 软件学报， 2020， 31（7）： 2040-2061.
	LI Y， HUANG C L， WANG Z F， et al. Survey of software vulnerability mining methods based on machine learning［J］. Journal of Software， 2020， 31（7）： 2040-2061.
[9]	ALLAMANIS M， BROCKSCHMIDT M， KHADEMI M. Learning to represent programs with graphs［EB/OL］. ［2024-11-07］..
[10]	NANDI S， MALTA M C， MAJI G， et al. IS-PEW： identifying influential spreaders using potential edge weight in complex networks［C］// Proceedings of the 2023 International Conference on Complex Networks and Their Applications， SCI 1143. Cham： Springer， 2024： 309-320.
[11]	MA X， MA Y. The local triangle structure centrality method to rank nodes in networks［J］. Complexity， 2019， 2019： No.9057194.
[12]	COSTA L D F. Further generalizations of the Jaccard index［EB/OL］. ［2024-11-07］..
[13]	LI Z， ZOU D， XU S， et al. VulDeePecker： a deep learning-based system for vulnerability detection［EB/OL］. ［2024-11-07］..
[14]	REN Z， JU X， CHEN X， et al. ProRLearn： boosting prompt tuning-based vulnerability detection by reinforcement learning［J］. Automated Software Engineering， 2024， 31（2）： No.38.
[15]	李妍，羌卫中，李珍，等. 基于程序过程间语义优化的深度学习漏洞检测方法［J］. 网络与信息安全学报， 2023， 9（6）： 86-101.
	LI Y， QIANG W Z， LI Z， et al. Deep learning vulnerability detection method based on optimized inter-procedural semantics of programs［J］. Chinese Journal of Network and Information Security， 2023， 9（6）： 86-101.
[16]	TANG M， TANG W， GUI Q， et al. A vulnerability detection algorithm based on Residual Graph Attention Networks for source code imbalance （RGAN）［J］. Expert Systems with Applications， 2024， 238（Pt D）： No.122216.
[17]	胡雨涛，王溯远，吴月明，等. 基于图神经网络的切片级漏洞检测及解释方法［J］. 软件学报， 2023， 34（6）： 2543-2561.
	HU Y T， WANG S Y， WU Y M， et al. Slice-level vulnerability detection and interpretation method based on graph neural network［J］. Journal of Software， 2023， 34（6）： 2543-2561.
[18]	CUI L， HAO Z， JIAO Y， et al. VulDetector： detecting vulnerabilities using weighted feature graph comparison［J］. IEEE Transactions on Information Forensics and Security， 2021， 16： 2004-2017.
[19]	LIU H， JIANG S， QI X， et al. Detect software vulnerabilities with weight biases via graph neural networks［J］. Expert Systems with Applications， 2024， 238（Pt B）： No.121764.
[20]	WU Y， ZOU D， DOU S， et al. VulCNN： an image-inspired scalable vulnerability detection system［C］// Proceedings of the ACM/IEEE 44th International Conference on Software Engineering. New York： ACM， 2022： 2365-2376.
[21]	YAMAGUCHI F， GOLDE N， ARP D， et al. Modeling and discovering vulnerabilities with code property graphs［C］// Proceedings of the 2014 IEEE Symposium on Security and Privacy. Piscataway： IEEE， 2014： 590-604.
[22]	RIBEIRO L F R， SAVERESE P H P， FIGUEIREDO D R. struc2vec： Learning node representations from structural identity［C］// Proceedings of the 23rd ACM SIGKDD Conference on Knowledge Discovery and Data Mining. New York： ACM， 2017： 385-394.
[23]	GROVER A， LESKOVEC J. node2vec： Scalable feature learning for networks［C］// Proceedings of the 22nd ACM SIGKDD Conference on Knowledge Discovery and Data Mining. New York： ACM， 2016： 855-864.
[24]	PAGLIARDINI M， GUPTA P， JAGGI M. Unsupervised learning of sentence embeddings using compositional n-gram features［C］// Proceedings of the 2018 Annual Conference of the North of the American Chapter of the Association for Computational Linguistics： Human Language Technologies， Volume 1 （Long Papers）. Stroudsburg： ACL， 2018： 528-540.
[25]	ZHANG C， XIN Y. VulGAI： vulnerability detection based on graphs and images［J］. Computers and Security， 2023， 135： No.103501.
[26]	ZHANG J， LUO Y. Degree centrality， betweenness centrality， and closeness centrality in social network［C］// Proceedings of the 2nd International Conference on Modelling， Simulation and Applied Mathematics. Dordrecht： Atlantis Press， 2017： 300-303.
[27]	LIN G， XIAO W， ZHANG J， et al. Deep learning-based vulnerable function detection： a benchmark［C］// Proceedings of the 2019 International Conference on Information and Communications Security， LNCS 11999. Cham： Springer， 2020： 219-232.
[28]	CHENG X， WANG H， HUA J， et al. Static detection of control-flow-related vulnerabilities using graph embedding［C］// Proceedings of the 24th International Conference on Engineering of Complex Computer Systems. Piscataway： IEEE， 2019： 41-50.
[29]	LI Z， ZOU D， XU S， et al. VulDeeLocator： a deep learning-based fine-grained vulnerability detector［J］. IEEE Transactions on Dependable and Secure Computing， 2022， 19（4）： 2821-2837.
[30]	ZHOU Y， LIU S， SIOW J， et al. Devign： effective vulnerability identification by learning comprehensive program semantics via graph neural networks［C］// Proceedings of the 33rd International Conference on Neural Information Processing Systems. Red Hook： Curran Associates Inc.， 2019： 10197-10207.

数据集	漏洞函数	非漏洞函数
NVD	1 384	5 913
SARD	12 303	21 057

数据集	漏洞函数	非漏洞函数
NVD	1 384	5 913
SARD	12 303	21 057

方法	FPR	FNR	准确率
RATS	27.91	64.43	59.17
FlawFinder	54.67	47.62	59.08
VulDeePecker	25.37	14.95	76.68
VGDetector	26.14	16.62	78.53
VulDeeLocator	21.71	14.36	80.72
Devign	24.76	13.37	83.06
VulCNN	18.27	17.47	83.11
EWVD	17.16	16.43	84.17

方法	FPR	FNR	准确率
RATS	27.91	64.43	59.17
FlawFinder	54.67	47.62	59.08
VulDeePecker	25.37	14.95	76.68
VGDetector	26.14	16.62	78.53
VulDeeLocator	21.71	14.36	80.72
Devign	24.76	13.37	83.06
VulCNN	18.27	17.47	83.11
EWVD	17.16	16.43	84.17

嵌入方法	FPR	FNR	Accuracy
struc2vec	29.26	29.10	72.69
node2vec	27.15	26.28	74.52
Sent2Vec	17.16	16.43	84.17

Software vulnerability detection method based on edge weight

基于边权重的软件漏洞检测方法

RichHTML

PDF

Knowledge

Abstract

Cite this article

share this article

Figures/Tables 16

References 30

Related Articles 15

Recommended Articles

Metrics

方法	FPR	FNR	Accuracy
RATS	-93.39	-228.26	164.25
FlawFinder	-195.85	-253.15	141.46
VulDeePecker	-44.46	8.03	41.81
VGDetector	-61.94	0.58	44.40
VulDeeLocator	-19.08	15.85	17.28
Devign	-44.79	20.16	5.58
VulCNN	-7.40	-4.47	3.17

方法	FPR	FNR	Accuracy
RATS	9.38×10^-15	3.03×10^-18	5.85×10^-17
FlawFinder	1.20×10^-17	1.19×10^-18	2.24×10^-16
VulDeePecker	7.37×10^-12	2.15×10^-5	1.28×10^-11
VGDetector	3.76×10^-13	0.576	7.45×10^-12
VulDeeLocator	1.37×10^-8	6.98×10^-8	3.29×10^-8
Devign	6.89×10^-12	8.46×10^-9	0.000 342
VulCNN	0.000 413	0.001 55	0.011 4

消融方式	FPR	FNR	Accuracy
EWVD_{wu_EW}	19.47	17.46	82.67
EWVD_TP	17.49	16.51	83.59
EWVD_NIP	17.71	16.64	83.59
EWVD_Jac	17.26	16.63	83.61
EWVD_{TP_NIP}	17.34	16.80	83.85
EWVD_{TP_Jac}	17.49	16.49	83.76
EWVD_{NIP_Jac}	17.67	16.76	83.60
EWVD	17.16	16.43	84.17

方法	运行时间	方法	运行时间
VulDeePecker	7.8	Devign	12.6
VGDetector	6.4	VulCNN	1.9
VulDeeLocator	30.7	EWVD	2.2

[1]	Yi LIN, Bing XIA, Yong WANG, Shunda MENG, Juchong LIU, Shuqin ZHANG. AI-Agent based method for hidden RESTful API discovery and vulnerability detection [J]. Journal of Computer Applications, 2026, 46(1): 135-143.
[2]	Wen LI, Kairong LI, Kai YANG. Subgraph-aware contrastive learning with data augmentation [J]. Journal of Computer Applications, 2026, 46(1): 1-9.
[3]	Yi WANG, Yinglong MA. Multi-task social item recommendation method based on dynamic adaptive generation of item graph [J]. Journal of Computer Applications, 2025, 45(8): 2592-2599.
[4]	Chen LIANG, Yisen WANG, Qiang WEI, Jiang DU. Source code vulnerability detection method based on Transformer-GCN [J]. Journal of Computer Applications, 2025, 45(7): 2296-2303.
[5]	Yushu LI, Ying XING, Siqi LU, Heng PAN, Senchun CHAI, Xueming SI. Deep learning-based vulnerability detection tool for C/C++ smart contracts at function-body slice level [J]. Journal of Computer Applications, 2025, 45(11): 3493-3501.
[6]	Chunxia LIU, Hanying XU, Gaimei GAO, Weichao DANG, Zilu LI. Smart contract vulnerability detection method based on echo state network [J]. Journal of Computer Applications, 2025, 45(1): 153-161.
[7]	Yu DU, Yan ZHU. Constructing pre-trained dynamic graph neural network to predict disappearance of academic cooperation behavior [J]. Journal of Computer Applications, 2024, 44(9): 2726-2731.
[8]	Shibin LI, Jun GONG, Shengjun TANG. Semi-supervised heterophilic graph representation learning model based on Graph Transformer [J]. Journal of Computer Applications, 2024, 44(6): 1816-1823.
[9]	Kun ZHANG, Fengyu YANG, Fa ZHONG, Guangdong ZENG, Shijian ZHOU. Source code vulnerability detection based on hybrid code representation [J]. Journal of Computer Applications, 2023, 43(8): 2517-2526.
[10]	Juncheng TONG, Bo ZHAO. Review on blockchain smart contract vulnerability detection and automatic repair [J]. Journal of Computer Applications, 2023, 43(3): 785-793.
[11]	Min WEN, Rongcun WANG, Shujuan JIANG. Source code vulnerability detection based on relational graph convolution network [J]. Journal of Computer Applications, 2022, 42(6): 1814-1821.
[12]	NI Ping, CHEN Wei. Reflective cross-site scripting vulnerability detection based on fuzzing test [J]. Journal of Computer Applications, 2021, 41(9): 2594-2601.
[13]	XIANG Min, CHEN Cheng. Traffic scheduling strategy based on improved Dijkstra algorithm for power distribution and utilization communication network [J]. Journal of Computer Applications, 2018, 38(6): 1715-1720.
[14]	FENG Yong ZHANG Yang. Concept similarity computation method based on edge weighting between concepts [J]. Journal of Computer Applications, 2012, 32(01): 202-205.
[15]	. Application of graph spectral theory to text image binarization processing [J]. Journal of Computer Applications, 2010, 30(10): 2802-2804.