VulD-SG: Enhancing code vulnerability detection via combining deep sequence and graph model

preprint OA: closed CC-BY-4.0
📄 Open PDF Full text JSON View at publisher

Abstract

Abstract Thriving and widespread use of the open-source software community makes software vulnerabilities spread a lot, which brings serious challenges to the system security. Recently, a number of vulnerability detection methods based on deep learning have been proposed to help engineers analyze and patch vulnerabilities efficiently. However, these existing approaches still suffer from limitations in extracting rich features from vulnerability code. Aiming at the above problems, we propose VulD-SG, a dual-channel software code vulnerability detection method based on deep sequence and graph model. VulD-SG enhances the semantic, syntactic and structural features extraction ability of the source code by introducing the deep sequence-based and graph-based vulnerability feature extraction module. To address the problem of the coarse detection granularity in the traditional methods, VulD-SG slices code statements into subtokens with a new decomposition algorithm to capture the detailed vulnerability information. Meanwhile, Transformer-style encoder is utilized in graph-based vulnerability feature extraction module to aggregate program dependency graph (PDG) nodes to learn the long-range dependence of cross-function code effectively. Finally, we build a fusion model to merge the training parameters and achieve fine-grained prediction results. The experiments result show that Acc, F1, and Recall metrics were improved by 2.6\%~27\%, 2\%~29.2\%, and 1\%~30.25\% respectively on five different vulnerability datasets compared with seven vulnerability detection models based on deep learning.
Full text 11,830 characters · extracted from preprint-html · click to expand
VulD-SG: Enhancing code vulnerability detection via combining deep sequence and graph model | Research Square window.SnipcartSettings = { analytics: { enabled: false } }; (function() { var accessVector = localStorage.getItem('access_vector') || ''; window.dataLayer = window.dataLayer || []; if (accessVector) { window.dataLayer.push({ user: { profile: { profileInfo: { snid: accessVector } } } }); } })(); (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-K279D39R'); Browse Preprints In Review Journals COVID-19 Preprints AJE Video Bytes Research Tools Research Promotion AJE Professional Editing AJE Rubriq About Preprint Platform In Review Editorial Policies Our Team Advisory Board Help Center Sign In Submit a Preprint Cite Share Download PDF Article VulD-SG: Enhancing code vulnerability detection via combining deep sequence and graph model Xuejun Zhang, Bo Zhou, Zhuo Chen, Meifeng Guo, Xiaogang Du, Xiaohong Jia, and 1 more This is a preprint; it has not been peer reviewed by a journal. https://doi.org/ 10.21203/rs.3.rs-4893837/v1 This work is licensed under a CC BY 4.0 License Status: Posted Version 1 posted You are reading this latest preprint version Abstract Thriving and widespread use of the open-source software community makes software vulnerabilities spread a lot, which brings serious challenges to the system security. Recently, a number of vulnerability detection methods based on deep learning have been proposed to help engineers analyze and patch vulnerabilities efficiently. However, these existing approaches still suffer from limitations in extracting rich features from vulnerability code. Aiming at the above problems, we propose VulD-SG, a dual-channel software code vulnerability detection method based on deep sequence and graph model. VulD-SG enhances the semantic, syntactic and structural features extraction ability of the source code by introducing the deep sequence-based and graph-based vulnerability feature extraction module. To address the problem of the coarse detection granularity in the traditional methods, VulD-SG slices code statements into subtokens with a new decomposition algorithm to capture the detailed vulnerability information. Meanwhile, Transformer-style encoder is utilized in graph-based vulnerability feature extraction module to aggregate program dependency graph (PDG) nodes to learn the long-range dependence of cross-function code effectively. Finally, we build a fusion model to merge the training parameters and achieve fine-grained prediction results. The experiments result show that Acc, F1, and Recall metrics were improved by 2.6%~27%, 2%~29.2%, and 1%~30.25% respectively on five different vulnerability datasets compared with seven vulnerability detection models based on deep learning. Full Text Additional Declarations No competing interests reported. Cite Share Download PDF Status: Posted Version 1 posted You are reading this latest preprint version Research Square lets you share your work early, gain feedback from the community, and start making changes to your manuscript prior to peer review in a journal. As a division of Research Square Company, we’re committed to making research communication faster, fairer, and more useful. We do this by developing innovative software and high quality services for the global research community. Our growing team is made up of researchers and industry professionals working together to solve the most critical problems facing scientific publishing. Also discoverable on Platform About Our Team In Review Editorial Policies Advisory Board Help Center Resources Author Services Accessibility API Access RSS feed Manage Cookie Preferences © Research Square 2026 | ISSN 2693-5015 (online) Privacy Policy Terms of Service Do Not Sell My Personal Information {"props":{"pageProps":{"initialData":{"identity":"rs-4893837","acceptedTermsAndConditions":true,"allowDirectSubmit":true,"archivedVersions":[],"articleType":"Article","associatedPublications":[],"authors":[{"id":357505091,"identity":"43446f3a-5748-427b-8d4b-921a9e0baecd","order_by":0,"name":"Xuejun Zhang","email":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAZAAAAAyAQMAAABI0h/eAAAABlBMVEX///8AAABVwtN+AAAACXBIWXMAAA7EAAAOxAGVKw4bAAABEElEQVRIie3Rv0vDQBTA8SeBc7k06wX/iScBQQr9W95x0C6hCgHpUEJBSBf/AMVf/4JujhEhXTrLgQ7p0kkhk1MH79KuFzoK3heOB+F9coQA+Hx/NDSHzDmoa2DtE7EvCZCAib0I7AgTtNvuJKhVmYUv+Ti6nb9PaNPLsQxePzgMxi4SXw8pCZcsE5/LC02cCSyZ6nNQmYtEIsUkLLic6XSoSVjCT444lHLmIEycNYYI+WjIOaEl0U8nMbeAISif9KgCovYW1kniqzUe3xckn3UaCCpZfPPGktM7VE6CC7XG7yKXD3q0appNFfUWlyv9NRk4if0c3E5uZ2X+aPsq974pqLfz0M5p56rP5/P9z34BFYpUAFEsLlEAAAAASUVORK5CYII=","orcid":"","institution":"Lanzhou Jiaotong University","correspondingAuthor":true,"prefix":"","firstName":"Xuejun","middleName":"","lastName":"Zhang","suffix":""},{"id":357505092,"identity":"e65a8ba1-460a-4c3c-a8c6-aebfd971f5af","order_by":1,"name":"Bo Zhou","email":"","orcid":"","institution":"Lanzhou Jiaotong University","correspondingAuthor":false,"prefix":"","firstName":"Bo","middleName":"","lastName":"Zhou","suffix":""},{"id":357505093,"identity":"4809f883-6a59-4cc8-9424-2d79cbe3b784","order_by":2,"name":"Zhuo Chen","email":"","orcid":"","institution":"Lanzhou Jiaotong University","correspondingAuthor":false,"prefix":"","firstName":"Zhuo","middleName":"","lastName":"Chen","suffix":""},{"id":357505094,"identity":"849284a9-f2b3-43f2-80ca-2faf44e9375a","order_by":3,"name":"Meifeng Guo","email":"","orcid":"","institution":"Lanzhou Jiaotong University","correspondingAuthor":false,"prefix":"","firstName":"Meifeng","middleName":"","lastName":"Guo","suffix":""},{"id":357505095,"identity":"ae419fe0-9231-4e76-86a4-8c9d06a492d5","order_by":4,"name":"Xiaogang Du","email":"","orcid":"","institution":"Shaanxi University of Science and Technology","correspondingAuthor":false,"prefix":"","firstName":"Xiaogang","middleName":"","lastName":"Du","suffix":""},{"id":357505096,"identity":"9da93701-60e9-4445-bd49-9455c6373446","order_by":5,"name":"Xiaohong Jia","email":"","orcid":"","institution":"Lanzhou Jiaotong University","correspondingAuthor":false,"prefix":"","firstName":"Xiaohong","middleName":"","lastName":"Jia","suffix":""},{"id":357505097,"identity":"c2525db7-ad5f-485f-91f1-556ab3181634","order_by":6,"name":"Wanrong Bai","email":"","orcid":"","institution":"State Grid Gansu Electric Power Research Institute","correspondingAuthor":false,"prefix":"","firstName":"Wanrong","middleName":"","lastName":"Bai","suffix":""}],"badges":[],"createdAt":"2024-08-11 05:31:21","currentVersionCode":1,"declarations":"","doi":"10.21203/rs.3.rs-4893837/v1","doiUrl":"https://doi.org/10.21203/rs.3.rs-4893837/v1","draftVersion":[],"editorialEvents":[],"editorialNote":"","failedWorkflow":false,"files":[{"id":72004367,"identity":"f229c968-de58-44bd-a8d6-d6d0ef34b14c","added_by":"auto","created_at":"2024-12-20 14:02:39","extension":"pdf","order_by":1,"title":"","display":"","copyAsset":false,"role":"manuscript-pdf","size":2384229,"visible":true,"origin":"","legend":"","description":"","filename":"scientificreports.pdf","url":"https://assets-eu.researchsquare.com/files/rs-4893837/v1_covered_34df5369-028d-4b1c-8f3e-83c2ea99a931.pdf"}],"financialInterests":"No competing interests reported.","formattedTitle":"VulD-SG: Enhancing code vulnerability detection via combining deep sequence and graph model","fulltext":[],"fulltextSource":"","fullText":"","funders":[],"hasAdminPriorityOnWorkflow":false,"hasManuscriptDocX":false,"hasOptedInToPreprint":true,"hasPassedJournalQc":"","hasAnyPriority":false,"hideJournal":true,"highlight":"","institution":"","isAcceptedByJournal":false,"isAuthorSuppliedPdf":true,"isDeskRejected":"","isHiddenFromSearch":false,"isInQc":false,"isInWorkflow":false,"isPdf":true,"isPdfUpToDate":true,"isWithdrawnOrRetracted":false,"journal":{"display":true,"email":"[email protected]","identity":"researchsquare","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":true,"externalIdentity":"","sideBox":"","snPcode":"","submissionUrl":"/submission","title":"Research Square","twitterHandle":"researchsquare","acdcEnabled":true,"dfaEnabled":false,"editorialSystem":"","reportingPortfolio":"","inReviewEnabled":false,"inReviewRevisionsEnabled":true},"keywords":"","lastPublishedDoi":"10.21203/rs.3.rs-4893837/v1","lastPublishedDoiUrl":"https://doi.org/10.21203/rs.3.rs-4893837/v1","license":{"name":"CC BY 4.0","url":"https://creativecommons.org/licenses/by/4.0/"},"manuscriptAbstract":"Thriving and widespread use of the open-source software community makes software vulnerabilities spread a lot, which brings serious challenges to the system security. Recently, a number of vulnerability detection methods based on deep learning have been proposed to help engineers analyze and patch vulnerabilities efficiently. However, these existing approaches still suffer from limitations in extracting rich features from vulnerability code. Aiming at the above problems, we propose VulD-SG, a dual-channel software code vulnerability detection method based on deep sequence and graph model. VulD-SG enhances the semantic, syntactic and structural features extraction ability of the source code by introducing the deep sequence-based and graph-based vulnerability feature extraction module. To address the problem of the coarse detection granularity in the traditional methods, VulD-SG slices code statements into subtokens with a new decomposition algorithm to capture the detailed vulnerability information. Meanwhile, Transformer-style encoder is utilized in graph-based vulnerability feature extraction module to aggregate program dependency graph (PDG) nodes to learn the long-range dependence of cross-function code effectively. Finally, we build a fusion model to merge the training parameters and achieve fine-grained prediction results. The experiments result show that Acc, F1, and Recall metrics were improved by 2.6\\%~27\\%, 2\\%~29.2\\%, and 1\\%~30.25\\% respectively on five different vulnerability datasets compared with seven vulnerability detection models based on deep learning.","manuscriptTitle":"VulD-SG: Enhancing code vulnerability detection via combining deep sequence and graph model","msid":"","msnumber":"","nonDraftVersions":[{"code":1,"date":"2024-09-23 17:55:51","doi":"10.21203/rs.3.rs-4893837/v1","editorialEvents":[{"type":"communityComments","content":0}],"status":"published","journal":{"display":true,"email":"[email protected]","identity":"researchsquare","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":true,"externalIdentity":"","sideBox":"","snPcode":"","submissionUrl":"/submission","title":"Research Square","twitterHandle":"researchsquare","acdcEnabled":true,"dfaEnabled":false,"editorialSystem":"","reportingPortfolio":"","inReviewEnabled":false,"inReviewRevisionsEnabled":true}}],"origin":"","ownerIdentity":"1dd7dc40-1e62-4ce0-9005-d077abe6e5c8","owner":[],"postedDate":"September 23rd, 2024","published":true,"recentEditorialEvents":[],"rejectedJournal":[],"revision":"","amendment":"","status":"posted","subjectAreas":[],"tags":[],"updatedAt":"2024-12-20T13:54:26+00:00","versionOfRecord":[],"versionCreatedAt":"2024-09-23 17:55:51","video":"","vorDoi":"","vorDoiUrl":"","workflowStages":[]},"version":"v1","identity":"rs-4893837","journalConfig":"researchsquare"},"__N_SSP":true},"page":"/article/[identity]/[[...version]]","query":{"redirect":"/article/rs-4893837","identity":"rs-4893837","version":["v1"]},"buildId":"qtupq5eGEP_6zYnWcrvyt","isFallback":false,"isExperimentalCompile":false,"dynamicIds":[84888],"gssp":true,"scriptLoader":[]}

Text is read by the "Ask this paper" AI Q&A widget below. Extraction quality varies by source — PMC NXML preserves structure cleanly, OA-HTML may include some navigation residue, and OA-PDF can have broken hyphenation. The publisher copy (via DOI) is the canonical version.

My notes (saved in your browser only)

Ask this paper AI returns verbatim quotes from the full text · source: preprint-html

Answers must be backed by verbatim quotes from this paper's full text. Hallucinated quotes are dropped automatically; if no verbatim passage answers the question, we say so. How this works

Citation neighborhood (no data yet)

We don't have any in-corpus citations linked to this paper yet. This is a recent paper (2024) — citers typically take a year or two to land, and the OpenAlex reference graph may still be filling in.

Source provenance

europepmc
last seen: 2026-05-20T01:45:00.602351+00:00
unpaywall
last seen: 2026-05-29T02:00:03.542394+00:00
License: CC-BY-4.0