An intelligent code vulnerability detection method based on multi-dimensional fusion
By employing a multi-dimensional fusion-based intelligent code vulnerability detection method, which combines multi-level code representation and heterogeneous graph neural networks, the method addresses the issues of insufficient accuracy and interpretability in existing technologies for detecting complex logic vulnerabilities, thereby achieving high-precision and interpretable vulnerability detection and remediation guidance.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- GUIZHOU BLUESKY INNOVATIVE SCI & TECH CO LTD
- Filing Date
- 2026-04-23
- Publication Date
- 2026-06-16
AI Technical Summary
Existing code vulnerability detection technologies are not accurate enough and lack interpretability when dealing with complex logic vulnerabilities, making it difficult to effectively guide remediation efforts.
A multi-dimensional fusion intelligent code vulnerability detection method is adopted. It organically integrates multi-level code representation, denoising feature extraction, probabilistic reasoning and reverse verification. It uses abstract syntax trees, control flow graphs, data flow graphs and program dependency graphs to construct code representations, combines heterogeneous graph neural networks for feature fusion, and establishes a joint posterior distribution model of vulnerability types through diffusion probability models and variational autoencoders, and finally generates an interpretable vulnerability report.
It significantly improves the detection accuracy of complex logic vulnerabilities, reduces the false positive rate, enhances the model's ability to generalize to new vulnerability patterns, and provides interpretable vulnerability triggering paths and test cases to help developers quickly fix vulnerabilities.
Smart Images

Figure CN122221272A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of software security technology, specifically to an intelligent code vulnerability detection method based on multi-dimensional fusion, which is particularly suitable for the automated detection and verification of complex logic vulnerabilities, cross-file interaction vulnerabilities, and business logic defects. Background Technology
[0002] Code vulnerability detection is a key technology in the field of software security. As the scale and complexity of software systems continue to grow, traditional manual auditing methods are struggling to meet the security needs of modern software development in terms of both efficiency and coverage. Especially for vulnerability types involving complex logic, such as race conditions, privilege escalation, and business logic defects, manual identification is extremely difficult, necessitating more intelligent detection methods.
[0003] Currently, code vulnerability detection technologies are mainly divided into two categories: static analysis and dynamic analysis. Static analysis tools (such as Fortify and Coverity) discover potential problems by analyzing the source code structure without executing the program; dynamic analysis tools (such as Valgrind and AddressSanitizer) monitor program behavior during runtime to detect vulnerabilities. Both methods have achieved certain results in discovering common vulnerabilities such as buffer overflows and null pointer dereferences, but they have significant limitations when dealing with complex vulnerabilities that require global context understanding.
[0004] In recent years, AI-based code vulnerability detection technology has gradually emerged. Its core is to use machine learning models to analyze code, extracting features such as abstract syntax trees and control flow graphs, and then inputting these features into a trained neural network for classification or prediction. However, existing AI-based detection methods still face insufficient accuracy when dealing with vulnerability scenarios involving multiple files, multi-module interactions, or requiring a deep understanding of specific framework security assumptions, and generally lack interpretability support for the detection results.
[0005] The existing technologies have the following main problems: On the one hand, the single code representation and analysis model are difficult to capture the global structural features and cross-module dependencies of the code, resulting in a high false positive rate and false negative rate for complex logic vulnerabilities; on the other hand, the existing methods lack an interpretable verification mechanism for the model prediction results, making it difficult for developers to understand the actual trigger path of the marked vulnerabilities and unable to effectively guide the remediation work. Summary of the Invention
[0006] To address the aforementioned problems in existing technologies, this invention provides an intelligent code vulnerability detection method based on multi-dimensional fusion. The method aims to improve the detection accuracy and interpretability of complex vulnerabilities by organically integrating multi-level code representation, denoising feature extraction, probabilistic reasoning, and reverse verification.
[0007] To achieve the above objectives, the present invention adopts the following technical solution:
[0008] A multi-dimensional fusion-based intelligent code vulnerability detection method includes: For the input original code file, performing lexical analysis and syntax analysis using a language-specific parser, and constructing an abstract syntax tree, control flow graph, data flow graph, and program dependency graph respectively to obtain a multi-level code representation; inputting the multi-level code representation into a heterogeneous graph neural network, performing message passing and information aggregation on various nodes and dependencies through a hierarchical graph attention mechanism, and combining it with code semantic information for feature fusion to output a code structure vector; identifying security-sensitive points in the original code file based on the multi-level code representation and the code structure vector, performing forward slicing and backward slicing along the data flow direction respectively, and outputting a set of security-concerned regions after slice optimization and cross-process integration; and for the set of security-concerned regions... An original feature vector containing syntax patterns, data flow features, and control flow features is constructed. This original feature vector is then denoised using a diffusion probability model to obtain an optimized code security feature vector. This optimized code security feature vector is input into a variational autoencoder and mapped to a latent space to establish a joint posterior distribution model of code features and vulnerability types. Key triggering conditions for each vulnerability type are extracted, and the probability distribution of vulnerability types is determined. Based on the optimized code security feature vector and the probability distribution of vulnerability types, consistency constraints are imposed on each expert model using a linear type system. After formalizing the vulnerability assumptions, a reverse execution path is constructed. The path constraints are solved using an SMT / SAT solver to generate vulnerability triggering test cases. These test cases are then combined with hazard assessment and remediation plans to generate and output a final vulnerability report.
[0009] Furthermore, for the input original code file, lexical analysis and syntax analysis are performed using a language-specific parser, and abstract syntax trees, control flow graphs, data flow graphs, and program dependency graphs are constructed respectively to obtain a multi-level code representation. This includes: based on the lexical and syntax analysis results of the original code file, assigning unique identifiers to function definitions, variable declarations, conditional statements, and loop structures and recording source code location information to construct the abstract syntax tree; extracting the basic blocks and inter-block execution paths of the abstract syntax tree, marking the control transfer points of conditional statements, loop structures, and exception handling to construct the control flow graph; analyzing the variable definition and usage relationships in the abstract syntax tree and / or the control flow graph, performing alias analysis for pointer type variables and reference type variables to construct the data flow graph; integrating control dependency edges and data dependency edges according to the control flow graph and the data flow graph to construct the program dependency graph; and identifying function call relationships, class inheritance relationships, and interface implementation relationships between the original code files for the abstract syntax tree, control flow graph, data flow graph, and program dependency graph of each original code file, in order to construct a global dependency graph to obtain the multi-level code representation.
[0010] Further, the process of inputting the multi-level code representation into a heterogeneous graph neural network, performing message passing and information aggregation on various nodes and dependencies through a hierarchical graph attention mechanism, and combining code semantic information for feature fusion to output a code structure vector includes: extracting the type, name, and scope attributes of each node in the multi-level code representation, as well as the dependency type and relationship features of the edges, and constructing an initial node feature matrix and an edge feature matrix; designing corresponding encoding functions for function nodes, variable nodes, and control structure nodes in the initial node feature matrix and the edge feature matrix, respectively, for call relationship edges, containment relationship edges, and... Each inheritance relationship edge is designed with a corresponding aggregation function to construct a heterogeneous graph. Nodes and paths within the pre-screening range of the security sensitive points are set as the first weight, and the remaining nodes and paths are set as the second weight, wherein the first weight is greater than the second weight. A gating mechanism is introduced to selectively filter the neighbor information of each node. Hierarchical graph attention message passing is performed on the heterogeneous graph to output node-level embedding vectors and graph-level embedding vectors. The graph-level embedding vectors are weighted and fused with the variable naming features, function name features, and API usage pattern features of the original code file through a multi-head attention mechanism to output the code structure vector.
[0011] Preferably, the step of setting nodes and paths within the pre-screening scope of the security-sensitive points as first weights and setting the remaining nodes and paths as second weights, wherein the first weight is greater than the second weight, introducing a gating mechanism to selectively filter the neighbor information of each node, performing hierarchical graph attention message passing on the heterogeneous graph, and outputting node-level embedding vectors and graph-level embedding vectors includes: matching each node in the initial node feature matrix with predefined security-sensitive operation types, setting the attention weight of the path directly associated with the successfully matched node as the first weight, and setting the attention weight of the remaining nodes and paths as the second weight, wherein the first weight is greater than the second weight, to obtain an attention weight distribution; calculating the information reception gating coefficient of each neighbor node for each node according to the attention weight distribution, performing weighted filtering on the feature vectors passed in by each neighbor node through the information reception gating coefficient to suppress information interference from irrelevant neighbor nodes; performing multi-round message passing and aggregation on the gated and filtered neighbor information and the current node features, and outputting the node-level embedding vector and the graph-level embedding vector.
[0012] Further, the identification of security-sensitive points in the original code file involves performing forward and backward slicing along the data flow direction, and outputting a set of security-concerned regions after slice optimization and cross-process integration. This includes: matching each code location in the original code file with a predefined security rule base based on the multi-level code representation and the code structure vector; simultaneously scoring each code location using learned security sensitivity patterns; fusing the rule matching results with the scoring results; and marking code locations containing input processing operations, permission checking operations, and resource operations as security-sensitive points; starting from each of these security-sensitive points... The forward influence set is obtained by tracing all program points affected by the calculation results along the forward direction of the data flow. Simultaneously, starting from each security-sensitive point, the backward dependence set is obtained by tracing all program points affecting its value along the reverse direction of the data flow. Based on the forward influence set and the backward dependence set, a graph simplification algorithm is applied to remove nodes and edges irrelevant to security analysis, connecting data flows and control flows across functions, classes, and modules. Context-sensitive strategies are used to process recursive calls and polymorphic methods. Risk weights are assigned to each security concern region, and its associated sensitive operation types, input sources, and constraints are recorded. The security concern region set is then output.
[0013] Further, the step of obtaining the optimized code security feature vector after performing denoising processing on the original feature vector through the diffusion probability model includes: quantifying the contribution of each feature dimension to vulnerability detection through information entropy calculation and information gain calculation for each feature dimension of the original feature vector to obtain the feature noise distribution; constructing positive and negative sample pairs through a contrastive learning strategy based on the feature noise distribution, generating pseudo-labels through a self-supervised learning strategy, and training the diffusion probability model using the positive and negative sample pairs and the pseudo-labels, so that the diffusion probability model learns the representation and noise distribution law of the original feature vector to obtain the trained diffusion probability model; under the federated learning framework, each participant locally uses the trained diffusion probability model to perform denoising processing on the local original feature vector, shares the model gradient with the central node, the central node aggregates the model gradient, updates the global diffusion probability model, and distributes it to each participant; after feature selection and dimensionality reduction processing, the optimized code security feature vector is obtained.
[0014] Further, the step of inputting the optimized code security feature vector into a variational autoencoder and mapping it to the latent space to establish a joint posterior distribution model of code features and vulnerability types, extracting key triggering conditions for each vulnerability type, and determining the probability distribution of vulnerability types includes: constructing a Bayesian probabilistic graphical model based on a pre-built vulnerability pattern knowledge base, wherein the variable nodes of the Bayesian probabilistic graphical model represent code features and vulnerability types, and the edges of the Bayesian probabilistic graphical model represent conditional probability relationships; inputting the optimized code security feature vector into the encoder of the variational autoencoder and mapping it to the latent space to obtain latent distribution parameters; and based on the latent distribution parameters, combining the Bayesian probabilistic graphical model... A conditional dependency structure is used to establish a joint posterior distribution model of code features and vulnerability types. Adversarial samples are constructed that are more than a preset threshold in the feature space from known vulnerability samples in the training set, but are determined to be non-vulnerable by the joint posterior distribution model. These adversarial samples are added to the training set to perform adversarial training on the joint posterior distribution model, resulting in an updated joint posterior distribution model. The optimized code security feature vector, code structure vector, and code semantic features are weighted and fused using a multi-head attention mechanism, and then input into the updated joint posterior distribution model. The confidence level of each vulnerability type is calculated, the key triggering conditions and dependencies of each vulnerability type are extracted, and the probability distribution of the vulnerability type is determined.
[0015] Furthermore, after applying consistency constraints to each expert model through a linear type system and formally representing the vulnerability assumptions, a reverse execution path is constructed. The path constraints are solved using an SMT / SAT solver to generate vulnerability trigger test cases. Combined with the hazard assessment and remediation plan, a final vulnerability report is output. This includes: selecting corresponding expert models from expert model libraries constructed for memory vulnerabilities, access control vulnerabilities, and encryption vulnerabilities respectively, based on the optimized code security feature vector and the vulnerability type probability distribution; applying consistency constraints to the input type, calculation process, and output type of the selected expert models through the linear type system; dynamically adjusting the weights based on the reliability and applicability of each expert model; and fusing static analysis results, symbolic execution results, and dynamic test results to obtain a comprehensive vulnerability assessment report. Based on the comprehensive vulnerability assessment report... The process employs sequential logic or predicate logic to represent the preconditions, triggering operations, and consequences of each potential vulnerability as formal vulnerability hypotheses. Based on these formal vulnerability hypotheses, possible execution sequences and input conditions are deduced backward from the assumed vulnerability points, constructing a vulnerability triggering path graph that includes all necessary program states and state transitions. Based on the vulnerability triggering path graph, path constraints are extracted and transformed into logical formulas acceptable to the SMT / SAT solver. The SMT / SAT solver then solves for specific input values that satisfy the logical formulas, generating vulnerability triggering test cases. Based on the actual execution results of the vulnerability triggering test cases, the attack vector, exploitation conditions, permission requirements, and potential consequences of the vulnerability are considered to assess the security risk level. A remediation plan conforming to best security practices is generated based on the vulnerability type and program context, and the final vulnerability report is output.
[0016] Preferably, the step of representing the preconditions, triggering operations, and consequences of each potential vulnerability as a formal vulnerability hypothesis based on the comprehensive vulnerability assessment report using temporal logic or predicate logic includes: for each potential vulnerability in the comprehensive vulnerability assessment report, extracting its vulnerability type identifier, triggering condition description, and impact scope description; associating the vulnerability features corresponding to the vulnerability type identifier with the triggering condition description using temporal logic operators, and constraining the impact scope description using predicate logic expressions to obtain a formal security attribute specification; and generating the formal vulnerability hypothesis based on the formal security attribute specification.
[0017] Furthermore, after outputting the final vulnerability report, the method further includes: extracting vulnerability type identifiers, triggering conditions, dependencies, and remediation schemes for vulnerabilities verified as real vulnerabilities by vulnerability triggering test cases from the final vulnerability report, and constructing a structured vulnerability pattern; writing the structured vulnerability pattern into a vulnerability pattern knowledge base, updating the code features corresponding to the triggering conditions to the detection rules in the security rule base, and updating the feature vectors corresponding to the dependencies to the security sensitive pattern, so that the updated vulnerability pattern knowledge base and the security rule base can be used for the identification of security sensitive points and the determination of vulnerability type probability distribution in the subsequent code vulnerability detection process.
[0018] Compared with the prior art, the present invention has the following technical effects:
[0019] First, by integrating abstract syntax trees, control flow graphs, data flow graphs, and program dependency graphs to construct multi-level code representations, and combining the hierarchical graph attention mechanism of heterogeneous graph neural networks, the cross-file and cross-module structural features of the code are effectively captured, significantly improving the ability to identify complex logical vulnerabilities.
[0020] Second, a diffusion probability model is used to perform denoising on code features, and a federated learning framework is combined to achieve feature sharing under privacy protection. This improves the quality of feature representation and reduces the false positive rate while protecting the security of the original code.
[0021] Third, by establishing a joint posterior distribution model of vulnerability types through variational autoencoders and introducing adversarial training, the model's generalization ability to novel vulnerability patterns is enhanced, effectively addressing detection scenarios of unknown vulnerability types.
[0022] Fourth, through the integration of multi-expert models under linear type system constraints and reverse path verification based on SMT / SAT solvers, interpretable vulnerability triggering paths and test cases are provided, enabling developers to intuitively understand the causes of vulnerabilities and quickly complete the fixes. Attached Figure Description
[0023] Figure 1 A schematic diagram of the overall process of the intelligent code vulnerability detection method based on multi-dimensional fusion provided in the embodiments of the present invention;
[0024] Figure 2 A flowchart illustrating the construction process of a multi-level code representation provided in an embodiment of the present invention;
[0025] Figure 3 A schematic diagram of the heterogeneous graph neural network structure and hierarchical graph attention mechanism provided in an embodiment of the present invention;
[0026] Figure 4 This is a schematic diagram of the process for program slicing and extraction of regions of security concern provided in an embodiment of the present invention;
[0027] Figure 5 This is a schematic diagram of the vulnerability pattern recognition process under the variational inference framework provided in this embodiment of the invention;
[0028] Figure 6 This is a schematic diagram of the reverse execution path construction and vulnerability verification process provided in an embodiment of the present invention. Detailed Implementation
[0029] Example 1
[0030] like Figure 1 As shown, a multi-dimensional fusion-based intelligent code vulnerability detection method includes:
[0031] S1: For the input raw code file, perform lexical analysis and syntax analysis through a language-specific parser, and construct an abstract syntax tree, control flow graph, data flow graph and program dependency graph respectively to obtain a multi-level code representation.
[0032] In this embodiment of the invention, the original code file can be source code files written in different programming languages such as C / C++, Java, and Python. For each programming language, a corresponding language-specific parser is applied to perform lexical analysis and syntax analysis, generating a standardized intermediate code representation. During this process, non-executable code elements such as comments and blank lines are filtered out, retaining key logical information. In this multi-level code representation, the Abstract Syntax Tree (AST) describes the syntactic structure of the code, the Control Flow Graph (CFG) describes the execution flow of the code, the Data Flow Graph (DFG) describes the definition and usage dependencies of variables, and the Program Dependency Graph (PDG) integrates control dependencies and data dependencies, comprehensively reflecting the dependencies between program elements.
[0033] Furthermore, each layer in the multi-level code representation system undertakes different semantic analysis responsibilities in the vulnerability detection task, and there is a complementary relationship between the four code representations. The abstract syntax tree provides syntactic structure information of the code, and can capture the nesting relationship and syntactic pattern of code elements, mainly supporting the detection of vulnerabilities based on syntax patterns (such as format string vulnerabilities and insecure API usage patterns); the control flow graph provides structural information of the code execution path, and can capture the control transfer relationship of conditional branches and loop structures, mainly supporting the detection of control flow-related vulnerabilities (such as conditional races and hidden logic in unreachable code); the data flow graph provides the dependency relationship of variable definition and usage, and can track the propagation path of user input data in the program, mainly supporting the detection of data flow-related vulnerabilities (such as the taint propagation path in SQL injection and cross-site scripting attacks); the program dependency graph integrates control dependency and data dependency, providing a complete dependency relationship map between program elements, and can capture data dependency relationships that cross control flow boundaries, mainly supporting the detection of complex logic vulnerabilities (such as business logic defects and privilege bypass).
[0034] Single-code representation detection methods can only capture code features in one dimension. This invention, however, integrates the four code representations mentioned above, enabling graph neural networks to simultaneously perceive the syntactic structure, control flow pattern, data dependencies, and complete dependencies of code within the same learning framework. This results in a stronger ability to identify complex logical vulnerabilities (which typically involve the cross-correlation of multi-dimensional features). Taking privilege circumvention vulnerabilities as an example: the characteristics of such vulnerabilities usually require simultaneous analysis of the control flow location of privilege check operations (control flow graph information), the data source and propagation path of privilege variables (data flow graph information), and the dependency relationship between privilege checks and sensitive operations (program dependency graph information). All three are indispensable. The multi-layered code representation system unifies the information of these three dimensions into a heterogeneous graph structure that can be input into the graph neural network for processing. This allows the graph neural network to automatically learn the joint pattern of these three dimensions through a message passing mechanism, achieving effective detection of complex logical vulnerabilities such as privilege circumvention vulnerabilities.
[0035] S2: Input the multi-level code representation into the heterogeneous graph neural network, perform message passing and information aggregation on various nodes and dependencies through the hierarchical graph attention mechanism, and perform feature fusion by combining code semantic information to output the code structure vector.
[0036] In this embodiment of the invention, the heterogeneous graph neural network is a variant of the graph neural network specifically designed to process heterogeneous graph structure data containing multiple types of nodes and edges. Unlike homogeneous graph neural networks, which assume all nodes and edges are of the same type, heterogeneous graph neural networks, by designing independent feature encoding functions and message aggregation functions for different types of nodes and edges, can simultaneously model complex interaction relationships between entities of different semantic types within a unified learning framework. Specifically, the heterogeneous graph neural network includes multiple node types (function nodes, variable nodes, control structure nodes) and multiple edge types (call relationship edges, containment relationship edges, inheritance relationship edges), enabling it to capture the diversity and complexity of code structures. The hierarchical graph attention mechanism, through adaptive weight allocation, assigns higher attention weights to nodes and paths around security-sensitive points and introduces a gating mechanism to control information flow, avoiding over-smoothing problems. Finally, it generates node-level embedding vectors and graph-level embedding vectors through multiple rounds of message passing.
[0037] Furthermore, the heterogeneous graph neural network employs a type-aware aggregation strategy during the message passing phase: for information passed between nodes of the same type, an intra-type aggregation function is used for fusion; for information passed between nodes of different types, an inter-type mapping function is used to project the feature vector of the source node onto the feature space of the target node before aggregation. Through this type-aware strategy, the model can simultaneously handle function call relationships, data dependencies, and control dependencies within a unified heterogeneous graph structure, avoiding confusion between information of different semantic types during the aggregation process.
[0038] It should be understood that the number of message passing rounds is related to the structural depth of the code graph. In one implementation, the number of message passing rounds can be set to 3 to 5 rounds, so that each node can aggregate structural information within its 3 to 5 hop neighborhood. Too few message passing rounds will cause node features to only capture local neighborhood information, making it difficult to perceive cross-function vulnerability associations; too many rounds will cause information to be overly smoothed, resulting in the embedding vectors of different nodes tending to be consistent, weakening the distinguishability between nodes. Therefore, the reasonable setting of the number of message passing rounds has an important impact on the quality of the final code structure vector.
[0039] For example, the training dataset of the heterogeneous graph neural network consists of known vulnerable code samples and normal code samples. Vulnerable samples are sourced from historical vulnerable code snippets in publicly available vulnerability databases (such as NVD and CVE databases), as well as enterprise-level code vulnerability cases manually annotated by security experts; normal samples are derived from open-source project code confirmed to be vulnerability-free through security audits. Each code sample in the training set is accompanied by a vulnerability type label and a vulnerability code location annotation. The training set is divided into a training set, a validation set, and a test set in an 8:1:1 ratio to ensure that each vulnerability type is adequately distributed across the three subsets. During the data preprocessing stage, the original code undergoes standardization processing to unify the intermediate representation format across programming languages, ensuring consistency of cross-language samples at the graph structure level.
[0040] The heterogeneous graph neural network model architecture comprises an input layer, several heterogeneous graph attention layers, and an output layer. The input layer receives the initial node feature matrix and edge feature matrix, projecting the original attributes (type, name, scope, etc.) of each type of node onto a unified feature dimension space through a type-specific linear mapping. Each heterogeneous graph attention layer performs a round of message passing and attention aggregation operations on subgraphs of different node and edge types, respectively. Residual connections between layers alleviate the gradient vanishing problem in deep networks. In one implementation, the model may contain 3 to 5 heterogeneous graph attention layers, with each layer's feature dimension set to 128 to 512 dimensions, and the final graph-level embedding vector dimension set to 256 dimensions. The output layer maps the graph-level embedding vector to a code structure vector, serving as input to subsequent analysis modules. The training process uses the Adam optimizer, with an initial learning rate of 1×10⁻⁶. -3 The training convergence condition is that the classification loss on the validation set no longer decreases after 10 consecutive epochs, and is adjusted by a decay factor of 0.1 when the validation set loss no longer decreases.
[0041] S3: Based on the multi-level code representation and the code structure vector, identify the security sensitive points in the original code file, perform forward slicing and backward slicing along the data flow direction respectively, and output a set of security concern areas after slice optimization and cross-process integration.
[0042] In this embodiment of the invention, the security-sensitive point refers to a code location that may introduce security risks, including input processing points, permission check points, and resource operation points. Forward slicing starts from the security-sensitive point and traces the propagation path of its calculation results along the forward direction of the data flow; backward slicing traces back all sources affecting the value of the security-sensitive point. By integrating and optimizing the forward influence set and the backward dependency set, a hierarchical set of security concern regions is formed, providing a focused analytical scope for subsequent feature extraction.
[0043] S4: For the set of security concern regions, construct an original feature vector containing syntax patterns, data flow features, and control flow features. After performing noise reduction processing on the original feature vector through a diffusion probability model, obtain an optimized code security feature vector.
[0044] Optionally, the original feature vector is a high-dimensional feature space representation, including syntax patterns, API usage features, data flow features, control flow features, and contextual information. The diffusion probability model recovers and enhances key features related to vulnerability identification through a stepwise denoising process, improving the signal-to-noise ratio of the feature representation and forming an optimized code security feature vector.
[0045] Specifically, the denoising process of the diffusion probability model is divided into a forward diffusion stage and a reverse denoising stage. In the forward diffusion stage, the system progressively adds Gaussian-distributed noise to the original feature vector. After a preset number of diffusion steps, the feature vector approaches a standard normal distribution. In the reverse denoising stage, the trained denoising model progressively predicts and removes the noise added at each step, ultimately recovering a clear code security feature representation from the noisy feature vector. Unlike traditional methods that directly filter feature vectors, the diffusion probability model guides the denoising process by learning the data distribution patterns in the feature space, enabling it to remove non-critical information noise while retaining deep feature patterns related to vulnerability identification.
[0046] It should be noted that the "non-critical information noise" refers to random perturbation information carried by feature dimensions in the original feature vector that contribute less than a preset threshold to distinguish vulnerability types. Sources of this noise include surface features unrelated to code security attributes, such as code comment text, differences in variable naming styles, and differences in code formatting. By identifying and filtering this noise through a contrastive learning strategy, the optimized code security feature vector can more stably reflect the security attributes of the code and reduce fluctuations in detection results caused by changes in the surface form of the code.
[0047] S5: Input the optimized code security feature vector into the variational autoencoder, map it to the latent space to establish a joint posterior distribution model of code features and vulnerability types, extract the key triggering conditions of each vulnerability type, and determine the probability distribution of vulnerability types.
[0048] In this embodiment of the invention, the variational autoencoder maps the optimized code security feature vector to the latent space through an encoder to obtain latent distribution parameters. Combined with the conditional dependency structure of a Bayesian probabilistic graphical model, a joint posterior distribution model of code features and vulnerability types is established. By performing adversarial training on the joint posterior distribution model, the model's generalization ability to unknown vulnerability patterns is enhanced. Finally, the confidence level of each vulnerability type is calculated, key triggering conditions are extracted, and the probability distribution of the vulnerability types is determined.
[0049] S6: Based on the optimized code security feature vector and the vulnerability type probability distribution, apply consistency constraints to each expert model through a linear type system, formally represent the vulnerability assumptions, perform reverse execution path construction, solve the path constraint conditions through the SMT / SAT solver to generate vulnerability trigger test cases, combine the hazard assessment and remediation plan to generate, and output the final vulnerability report.
[0050] The linear type system ensures the predictability and consistency of multi-model integrated analysis results by imposing consistency constraints on the input type, calculation process, and output type of the expert model. The SMT / SAT solver solves the constraints extracted from the reverse execution path, generating minimal test cases capable of triggering the vulnerability, thereby verifying the vulnerability's authenticity and exploitability, and generating a structured remediation plan in conjunction with the hazard assessment.
[0051] Example 2
[0052] like Figure 2 As shown, based on Example 1, the input original code file undergoes lexical analysis and syntax analysis through a language-specific parser, and abstract syntax trees, control flow graphs, data flow graphs, and program dependency graphs are constructed respectively to obtain a multi-level code representation, including:
[0053] S1.1: Based on the lexical and syntactic analysis results of the original code file, assign unique identifiers to function definitions, variable declarations, conditional statements, and loop structures, record source code location information, and construct the abstract syntax tree.
[0054] In this embodiment of the invention, the nodes of the abstract syntax tree contain code syntax structure information, such as function definitions, variable declarations, conditional statements, and loop structures. A unique identifier is assigned to each AST node, and its source code location information in the original code file is recorded to facilitate location tracing and vulnerability localization in subsequent analysis.
[0055] S1.2: Extract the basic blocks and inter-block execution paths of the abstract syntax tree, mark the control transfer points of conditional statements, loop structures and exception handling, and construct the control flow graph.
[0056] Specifically, nodes in the control flow graph represent basic blocks, i.e., continuous code segments without branches, while edges represent possible execution paths. Control transfer points such as conditional statements, loop structures, and exception handling are specially marked to distinguish between normal and abnormal execution flows, enabling accurate tracing of execution paths in subsequent slice analysis.
[0057] S1.3: Analyze the variable definition and usage relationships of the abstract syntax tree and / or the control flow graph, perform alias analysis for pointer type variables and reference type variables, and construct the data flow graph.
[0058] It should be noted that the nodes in a data flow graph represent the definition and usage points of variables, while the edges represent data dependencies. Alias analysis is performed on pointer and reference type variables to resolve the data flow tracing challenges caused by indirect references, ensuring that cross-reference data flow dependencies can be accurately modeled.
[0059] In this embodiment of the invention, alias analysis refers to an analysis technique used in program analysis to determine which different pointer variables or reference variables may point to the same memory location. When two variables are aliases of each other, a write operation to one variable will affect a read operation to the other. If this is not properly tracked, it will lead to missed tracking of data dependencies in the data flow graph, thereby affecting the completeness of subsequent slice analysis.
[0060] Specifically, the alias analysis employs a flow-insensitive pointer analysis method, using all assignment statements and function call statements in the program as constraints to solve for the possible sets of pointers each pointer variable can point to. For pointer parameters in function parameter passing, a context-sensitive strategy is used to maintain independent pointer information for different call points, avoiding mutual contamination of pointer information in different call contexts. The results of the alias analysis are stored in the form of a pointer relationship graph, and are injected into the edge set of the data flow graph as supplementary dependencies when constructing the data flow graph, thereby ensuring that data dependencies accessed indirectly through pointers can be fully captured.
[0061] S1.4: Based on the control flow graph and the data flow graph, integrate the control dependency edges and data dependency edges to construct the program dependency graph.
[0062] In this embodiment of the invention, the program dependency graph integrates control flow and data flow information. The nodes of the program dependency graph represent program statements or expressions, and the edges of the program dependency graph are divided into control dependency edges and data dependency edges, which comprehensively represent the dependency relationships between program elements, providing a complete dependency analysis basis for subsequent program slicing.
[0063] S1.5: For the abstract syntax tree, control flow graph, data flow graph, and program dependency graph of each of the original code files, identify the function call relationship, class inheritance relationship, and interface implementation relationship between the original code files in order to construct a global dependency graph and obtain the multi-level code representation.
[0064] Optionally, the global dependency graph connects the analysis results of individual files into a whole by identifying function call relationships, class inheritance relationships, and interface implementation relationships among the original code files, supporting cross-file vulnerability detection scenarios. An incremental analysis strategy is adopted, prioritizing core modules and security-sensitive components to ensure efficient resource utilization.
[0065] Example 3
[0066] like Figure 3 As shown, based on Example 1, the multi-level code representation is input into a heterogeneous graph neural network. A hierarchical graph attention mechanism is used to perform message passing and information aggregation on various nodes and dependencies. Feature fusion is then performed by combining code semantic information to output a code structure vector, including:
[0067] S2.1: Extract the type, name, and scope attributes of each node in the multi-level code representation, as well as the dependency type and relationship features of the edges, and construct the initial node feature matrix and edge feature matrix.
[0068] In this embodiment of the invention, for each node in the multi-level code representation, its type (e.g., function node, variable node, control structure node), name, and scope attributes are extracted; for each edge, its dependency type (e.g., call relationship, containment relationship, inheritance relationship) and relationship features are extracted. These attributes are vectorized to construct the initial node feature matrix and the edge feature matrix, which serve as input to the heterogeneous graph neural network.
[0069] S2.2: For the function nodes, variable nodes and control structure nodes of the initial node feature matrix and the edge feature matrix, design corresponding encoding functions respectively, and design corresponding aggregation functions for call relationship edges, containment relationship edges and inheritance relationship edges respectively, and construct heterogeneous graphs.
[0070] Specifically, the heterogeneous graph neural network designs specific encoding functions for different types of code elements and specific aggregation functions for different types of dependencies in order to capture the diversity and complexity of interactions between different elements in the code structure and avoid feature confusion caused by homogenization.
[0071] It is worth noting that designing differentiated coding functions for different types of nodes is based on the semantic differences of different code elements in vulnerability analysis. Taking function nodes as an example, their coding functions should focus on extracting attributes such as parameter types, return type, access modifiers, and control flow complexity of the function body. These attributes are closely related to the detection of function-level vulnerabilities (such as unauthorized calls and parameter injection). For variable nodes, their coding functions should focus on extracting variable data types, scope, initialization status, and lifecycle information. These attributes are directly related to the detection of memory safety vulnerabilities (such as the use of uninitialized variables and out-of-bounds access). For control structure nodes, their coding functions should focus on extracting variable composition of conditional expressions, loop termination conditions, and nesting level information. These attributes are closely related to the detection of logic vulnerabilities (such as race conditions and integer overflow).
[0072] Optionally, the selection of the aggregation function is based on the semantic directionality of the edges: call relationship edges represent the transfer of program control, and the corresponding aggregation function adopts direction-aware pooling operation to distinguish the information transmission direction between the caller node and the callee node; containment relationship edges represent the containment and nesting relationship of code elements, and the corresponding aggregation function adopts hierarchical aggregation operation to aggregate the features of inner elements upward to outer elements; inheritance relationship edges represent the behavior inheritance relationship between classes, and the corresponding aggregation function adopts incremental feature superposition operation to pass the security attribute features of the parent class node to the child class node, supporting the detection of permission inheritance vulnerabilities in polymorphic call scenarios.
[0073] S2.3: Nodes and paths within the scope of the security sensitive point pre-screening are set as the first weight, and the remaining nodes and paths are set as the second weight, wherein the first weight is greater than the second weight. A gating mechanism is introduced to selectively filter the neighbor information of each node. Hierarchical graph attention message passing is performed on the heterogeneous graph, and node-level embedding vectors and graph-level embedding vectors are output.
[0074] In this embodiment of the invention, the hierarchical graph attention mechanism is a multi-level information aggregation mechanism that introduces attention weight allocation during the message passing process of a graph neural network. Its core idea is as follows: in the aggregation of node neighborhoods at the same level, different aggregation weights are assigned to different neighbor nodes through learnable attention coefficients, enabling the model to adaptively focus on local structures that contribute more to the current task; between different levels, the local structural information of the lower level is effectively fused with the global semantic information of the higher level through the attention transfer mechanism between levels. Furthermore, by assigning the first weight to nodes and paths within the pre-screening range of security-sensitive points, the model prioritizes security-related code regions during message passing. A gating mechanism selectively filters the neighbor information received by each node, suppressing information interference from irrelevant nodes. After multiple rounds of message passing and aggregation, node-level embedding vectors and graph-level embedding vectors capturing local context and global semantics are generated.
[0075] In this embodiment of the invention, the gating mechanism is a neural network component that selectively controls the flow of information through a learnable gating function. The gating mechanism calculates the reception coefficient (gating coefficient) of the incoming information from each neighboring node based on the correlation between the features of the current node and the features of its neighboring nodes. This coefficient is then used to weight and filter the neighboring information, thereby suppressing interference from neighboring node information irrelevant to the current analysis task and preventing over-smoothing of the graph neural network during multiple rounds of message passing.
[0076] S2.4: The graph-level embedding vector is weighted and fused with the variable naming features, function name features, and API usage pattern features of the original code file through a multi-head attention mechanism to output the code structure vector.
[0077] In this embodiment of the invention, the multi-head attention mechanism performs weighted fusion of graph-level embedding vectors and code semantic information (variable naming features, function name features, API usage pattern features), so that the code structure vector simultaneously contains syntactic structure, control flow, data flow and semantic information, forming a comprehensive code feature representation.
[0078] Example 4
[0079] Based on Example 3, the nodes and paths within the pre-screening scope of the security sensitive points are set as the first weight, and the remaining nodes and paths are set as the second weight, wherein the first weight is greater than the second weight. A gating mechanism is introduced to selectively filter the neighbor information of each node, hierarchical graph attention message passing is performed on the heterogeneous graph, and node-level embedding vectors and graph-level embedding vectors are output, including:
[0080] S2.3.1: Match each node in the initial node feature matrix with a predefined security-sensitive operation type, set the attention weight of the path directly associated with the successfully matched node as the first weight, and set the attention weight of the remaining nodes and paths as the second weight, wherein the first weight is greater than the second weight, to obtain the attention weight distribution.
[0081] In this embodiment of the invention, the predefined security-sensitive operation types include node type features corresponding to input processing operations, permission checking operations, and resource operations. By matching each node in the initial node feature matrix with the aforementioned security-sensitive operation types one by one, the successfully matched nodes and their directly associated paths are assigned to a first weight range, forming the attention weight distribution, so that the model prioritizes focusing on security-sensitive areas during subsequent message passing.
[0082] S2.3.2: Based on the attention weight distribution, calculate the information reception gating coefficient of each node for each of its neighboring nodes, and perform weighted filtering on the feature vectors passed in by each neighboring node through the information reception gating coefficient to suppress information interference from irrelevant neighboring nodes.
[0083] Specifically, the information reception gating coefficient is calculated based on the weight difference between the neighboring node and the current node in the attention weight distribution. The greater the weight difference, the smaller the gating coefficient, and the higher the proportion of information from the corresponding neighboring node that is filtered. This mechanism effectively avoids the over-smoothing problem caused by the aggregation of distant irrelevant nodes, and preserves the key structural information of security-sensitive areas.
[0084] S2.3.3: Perform multiple rounds of message passing and aggregation on the gated and filtered neighbor information and the current node features, and output the node-level embedding vector and the graph-level embedding vector.
[0085] It is worth noting that the number of rounds of the multi-round message passing is dynamically determined based on the average path depth of the code graph to ensure that each node can aggregate neighbor information covering its security concern area. After each round of aggregation, the node features are normalized to suppress numerical divergence, and finally, stable node-level embedding vectors and graph-level embedding vectors are output.
[0086] Example 5
[0087] like Figure 4 As shown, based on Example 1, the identification of security-sensitive points in the original code file involves performing forward slicing and backward slicing along the data flow direction, respectively. After slice optimization and cross-process integration, the output is a set of security concern regions, including:
[0088] S3.1: Based on the multi-level code representation and the code structure vector, match each code position in the original code file with a predefined security rule base, and score each code position using the learned security sensitivity pattern. Merge the rule matching result and the scoring result, and mark the code positions containing input processing operations, permission checking operations and resource operations as security sensitive points.
[0089] In this embodiment of the invention, the predefined security rule base contains predefined code feature rules for common vulnerability types (such as buffer overflows, SQL injection, and privilege escalation); the learned security sensitivity patterns are automatically learned by the model from historical vulnerability data. By fusing the rule matching results with the model score, the accuracy of expert knowledge is preserved while enhancing the adaptability to unknown vulnerability patterns.
[0090] S3.2: Starting from each of the security-sensitive points, trace all program points affected by their calculation results along the forward direction of the data flow to obtain the forward influence set; at the same time, starting from each of the security-sensitive points, trace all program points affected by their values along the reverse direction of the data flow to obtain the backward dependency set.
[0091] In practical implementation, the forward influence set reveals the propagation path of security-sensitive data and potential vulnerability trigger points; the backward dependency set reveals the input sources and constraints of security-sensitive operations. Combined, these two sets can comprehensively characterize the scope of influence and dependency boundaries of security-sensitive points within the program.
[0092] The technical principle behind the collaborative operation of forward and backward slicing is as follows: For a security-sensitive point, the formation of a vulnerability typically involves information flow in two directions: first, the source and input path of sensitive data (captured by backward slicing), which determines the triggering input conditions of the vulnerability; and second, the scope of influence of the sensitive operation results (captured by forward slicing), which determines the scope of harm after the vulnerability is triggered. Using only backward slicing can determine the triggering conditions but cannot assess the scope of influence; using only forward slicing can assess the scope of influence but cannot determine the constraints of the triggering inputs. By taking the intersection of the forward influence set and the backward dependency set and then integrating them, the security concern region set can simultaneously contain all the input constraint information required for vulnerability triggering and the influence path information after vulnerability triggering, providing complete bidirectional information support for subsequent SMT / SAT constraint solving.
[0093] Specifically, the collaboration between forward and backward slicing can be described using the following steps. Taking a typical buffer overflow vulnerability scenario as an example: the system first identifies array write operations as a security sensitive point; the backward slice starts from this security sensitive point and traces back to all possible sources of the index variable of the write operation, forming a backward dependency set. This set reveals that the index variable may come from external user input and has not undergone boundary checks; the forward slice starts from the same security sensitive point and traces forward to the memory regions that the array write operation may affect and subsequent read operations, forming a forward impact set. This set reveals that the overflow write operation may overwrite the function return address in adjacent memory. Integrating the backward dependency set and the forward impact set into the security concern region set allows subsequent analysis to simultaneously consider the vulnerability triggering condition (index out of bounds) and the vulnerability exploitation path (overwriting the return address) in the same context, generating a more complete vulnerability assessment report.
[0094] S3.3: Based on the forward influence set and the backward dependency set, apply a graph simplification algorithm to remove nodes and edges that are irrelevant to security analysis, connect data flows and control flows across functions, classes, and modules, process recursive calls and polymorphic methods with a context-sensitive strategy, assign risk weights to each security concern region and record its associated sensitive operation types, input sources, and constraints, and output the set of security concern regions.
[0095] It should be understood that the graph simplification algorithm removes redundant nodes and edges while preserving the integrity and accuracy of the slices, reducing the scale of subsequent analysis. For recursive calls and polymorphic methods, the context-sensitive strategy maintains independent context information for each call point, avoiding data flow confusion between different call contexts. The allocation of risk weights is based on the danger level of the sensitive operation type, the credibility of the input source, and the completeness of the constraints.
[0096] Furthermore, the cross-process integration refers to the process of connecting the forward influence set and backward dependency set involving function call boundaries during the slice optimization phase. When the data flow path of a security-sensitive point crosses the function call boundary, the system locates the parameter binding relationship and return value passing relationship of the called function by querying the global dependency graph, and splices the data flow path fragment inside the called function with the data flow path fragment at the call point to form a complete cross-process slice. The above cross-process connection supports chain tracing of multi-level function calls and can identify data dependencies passed through multiple function call levels.
[0097] The specific implementation of the context-sensitive strategy for recursive calls is as follows: The system assigns an independent call context identifier to each function call, which is generated by concatenating the position information of each call point in the call path. During slice analysis, the system maintains a set of currently active call contexts. For cases where the same function is accessed in different call contexts, independent slice fragments are generated separately instead of merging them. Simultaneously, the system sets a call depth limit to prevent infinite slice calculations caused by recursive calls; when the call depth exceeds the preset limit, the system adopts a conservative strategy to mark all parameters of the function as potentially affected nodes, preserving the safety of the slice.
[0098] Example 6
[0099] Based on Example 1, the step of obtaining the optimized code security feature vector after performing denoising processing on the original feature vector using a diffusion probability model includes:
[0100] S4.1: For each feature dimension of the original feature vector, the contribution of each feature dimension to vulnerability detection is quantified by calculating information entropy and information gain, and the feature noise distribution is obtained.
[0101] In this embodiment of the invention, for each feature dimension of the original feature vector, its information entropy is calculated to measure the information content of that dimension, and its information gain is calculated to measure the distinguishing power of that dimension between vulnerable and non-vulnerable samples. Feature dimensions whose contribution is below a preset threshold are identified as noise components, forming the feature noise distribution map, which serves as a guide for training the diffusion probability model.
[0102] S4.2: Based on the feature noise distribution, construct positive and negative sample pairs through a contrastive learning strategy, generate pseudo-labels through a self-supervised learning strategy, and train a diffusion probability model using the positive and negative sample pairs and the pseudo-labels, so that the diffusion probability model learns the representation of the original feature vector and the noise distribution law, thereby obtaining the trained diffusion probability model.
[0103] In this embodiment of the invention, the contrastive learning strategy is a self-supervised learning method that learns data representations by constructing positive and negative sample pairs. Its core idea is to bring the feature representations of semantically similar samples (positive sample pairs) closer together in the feature space, while simultaneously moving the feature representations of semantically dissimilar samples (negative sample pairs) further apart, thereby training the model to learn more discriminative feature representations without relying on a large number of manually labeled category tags.
[0104] The contrastive learning strategy constructs positive and negative sample pairs by comparing the feature vectors of known vulnerability samples with the feature vectors of normal code samples, thereby enhancing the model's ability to distinguish between vulnerability features and noise features. The self-supervised learning strategy generates pseudo-labels by adding noise of known distribution to the original feature vectors, guiding the model to learn denoising mappings, so that the diffusion probability model can obtain effective denoising capabilities without the need for a large amount of labeled data.
[0105] In this embodiment of the invention, the self-supervised learning strategy is a machine learning method that automatically generates supervision signals using the inherent structural information of the data itself, enabling model training without manual annotation. In the feature denoising task of this invention, the self-supervised learning strategy generates pseudo-labels by applying a noise transformation with a known distribution to the original feature vector. Using the noisy version as input and the original version as the target output, it guides the denoising model to learn the noise removal mapping in the feature space.
[0106] S4.3: Under the federated learning framework, each participant locally uses the trained diffusion probability model to perform denoising processing on the local original feature vector, shares the model gradient with the central node, the central node aggregates the model gradient, updates the global diffusion probability model and distributes it to each participant, and after feature selection and dimensionality reduction processing, the optimized code safety feature vector is obtained.
[0107] Furthermore, the federated learning framework ensures that the original code files of each participant do not leave their local environment, and participate in global model updates only by sharing model gradients, thus protecting code privacy and security. The central node uses a federated averaging algorithm to aggregate the model gradients of each participant and update the global diffusion probability model. Feature selection retains feature dimensions that contribute highly to vulnerability detection, and dimensionality reduction compresses the feature space to obtain the optimized code security feature vector.
[0108] It should be noted that the federated averaging algorithm, when aggregating the model gradients uploaded by each participant, performs a weighted average with the number of local training samples of each participant as the weight, so that the contribution of participants with more training data to the global model update matches their data size. In one implementation, if participant A's local training set contains n_A samples and participant B's local training set contains n_B samples, the central node will weight the gradients uploaded by both parties according to the ratios n_A / (n_A+n_B) and n_B / (n_A+n_B) to obtain the global gradient update amount, which is then applied to the parameter update of the global diffusion probability model.
[0109] Furthermore, to enhance the privacy protection capabilities of the federated learning framework, each participant can perform differential privacy processing on the gradient vector before uploading the model gradient to the central node. This involves adding random noise conforming to a Laplace or Gaussian distribution to the gradient vector, preventing the central node from inferring the participants' local training data from the gradient information. The strength of the added noise is controlled by the privacy budget parameter; a smaller privacy budget results in stronger noise and higher privacy protection, but also a greater impact on the global model convergence accuracy. The system can flexibly configure the privacy budget parameter for each participant based on their privacy protection requirements.
[0110] The technical definition of the feature extraction mechanism enhanced by the diffusion probability model is as follows: This mechanism is a feature optimization method that applies a diffusion probability generative model to the task of code security feature denoising. Unlike traditional feature selection methods based on threshold filtering, the diffusion probability model reconstructs key signals in the feature vector in a generative denoising manner by learning the data distribution patterns in the code security feature space, rather than simply truncating low-contribution feature dimensions. Its core idea is that the noise in the code security feature vector is not uniformly distributed across all dimensions, but rather coupled with effective features in a complex nonlinear way; by learning the true data distribution of features, the diffusion probability model can correct along the direction of the true distribution during the denoising process, thereby preserving the semantic integrity of effective features to the greatest extent while removing noise.
[0111] The diffusion probability model is based on a Markov chain process. The forward diffusion process defines a Markov chain that progressively degenerates from the original feature distribution to a standard normal distribution. The variance of the Gaussian noise added at each step is controlled by a preset noise scheduling function, making the entire diffusion process reversible. The reverse denoising process trains a denoising neural network to predict and remove the added noise components at each diffusion step, thus progressively recovering a clear code-safe feature representation along the Markov chain. Because the reverse denoising process is a conditional sampling process of the true feature distribution, its denoising result always falls within a reasonable feature distribution range, avoiding the feature distortion problem common in traditional filtering methods.
[0112] The specific implementation process of the diffusion probability model is as follows. In the training phase: First, the system extracts the original feature vectors of each code sample from the labeled vulnerability dataset to construct a training set. Then, for each original feature vector in the training set, Gaussian noise is added sequentially in diffusion steps 1 to T (T is the preset total number of diffusion steps; in one implementation, T can be set to 1000 steps) according to a preset noise scheduling function. In each diffusion step t, random sampling is performed from the noisy feature vector, and a denoising neural network is trained to predict the noise component added in that step, with the mean squared error as the loss function for parameter optimization. The training convergence condition is that the denoising loss on the validation set no longer decreases, or the preset upper limit of the training rounds is reached. In the inference phase: For the original feature vector of the code to be detected, the system first performs forward diffusion to step t according to the feature noise distribution (t is determined based on the average intensity of the feature noise distribution, generally 20% to 50% of T). Then, the trained denoising neural network is called to perform reverse denoising starting from step t*, gradually recovering the optimized code security feature vector.
[0113] Through the aforementioned diffusion probability model denoising mechanism, this invention achieves the following technical effects: First, the optimized code security feature vector after denoising has a higher signal-to-noise ratio, which improves the accuracy of vulnerability type identification in the subsequent variational inference framework, especially for code samples with severe feature noise interference (such as legacy code that has undergone code obfuscation or multiple refactorings); Second, since the denoising process of the diffusion probability model proceeds along the true feature distribution, the generalization of the denoising result is better than feature filtering based on a fixed threshold, and it can adaptively handle the differences in feature noise distribution between different programming languages and different coding styles; Third, the combination of the denoising model and the federated learning framework enables all participants to jointly improve the denoising effect without sharing the original code, achieving synergistic optimization of security and model performance.
[0114] Taking a specific application scenario as an example: Suppose a code sample, after multiple functional iterations, has a large number of legacy debugging variable names (such as tmp1, tmp2, flag_old, etc.). These naming features contribute very little to distinguishing vulnerability types, but occupy a large number of feature dimensions in the original feature vector, interfering with the true security attribute features. Through the aforementioned feature noise distribution analysis, the system identifies the aforementioned low-contribution feature dimensions and uses this as a guide to set the forward diffusion step number t*. This allows the diffusion probability model to focus on restoring the high-contribution feature dimensions related to input processing operations and permission checking operations during the reverse denoising stage, while smoothly compressing the debugging naming feature dimensions. The final output optimized code security feature vector can accurately capture the permission checking missing vulnerabilities in the code sample, unaffected by surface naming noise.
[0115] The applicability principle of the federated learning framework in code security feature sharing scenarios is as follows: In practical applications of enterprise-level code security detection, the various code repositories involved in vulnerability detection (such as code assets from different enterprises or business departments) typically involve trade secrets, core algorithms, and sensitive business logic, making it impossible to centrally upload them to a unified training platform. Traditional centralized model training methods require each participant to upload their original code or code feature vectors to a central server, posing a security risk of original code leakage. The federated learning framework, by distributing the model training process, enables each participant to contribute to the optimization of the vulnerability detection model without exposing the original code content, demonstrating significant practical value in scenarios such as multi-enterprise joint vulnerability detection and open-source code security audit alliances.
[0116] The specific collaborative training process of the federated learning framework is as follows. In the initialization phase, the central node distributes the pre-trained initial diffusion probability model to each participant. In each round of federated training iteration, each participant performs the following operations: First, it constructs a local training set using code samples from its local code repository and extracts the original feature vectors; then, it performs several steps of gradient descent updates locally using the current global diffusion probability model, calculating the gradient increment of the local model parameters relative to the global model parameters; finally, it uploads the gradient increment (not the local model parameters or local data) to the central node. After collecting the gradient increments uploaded by each participant, the central node performs federated averaging aggregation, calculating a weighted average gradient using the size of each participant's local training set as the weight, and applies the aggregated gradient to the parameter update of the global diffusion probability model. After completing the global model update, the central node redistributes the updated global diffusion probability model to each participant and begins the next round of federated training iteration. The above iterative process continues until the denoising performance of the global diffusion probability model on the validation set converges. In one implementation, the convergence criterion for federated training is: training stops when the feature reconstruction error on the validation set decreases by less than 0.1% after five consecutive rounds of global model updates, or when the preset maximum number of federated training rounds (e.g., 100 rounds) is reached.
[0117] Furthermore, the gradient increments uploaded by each participant in the federated learning framework can undergo differential privacy processing according to privacy protection requirements, i.e., random noise conforming to a Gaussian mechanism is injected into the gradient increment vector. This Gaussian mechanism involves clipping the L2 norm of the gradient vector to a preset upper limit (gradient clipping operation) and then adding Gaussian noise whose variance is inversely proportional to the privacy budget, making it difficult for the central node to recover the individual training sample information carried in the gradient increment through gradient inversion attacks. In one implementation, the privacy budget parameter ε can be set between 1.0 and 10.0; the smaller the ε, the stronger the privacy protection and the greater the impact on the convergence of the global model. The system can configure different ε parameter values for different participants according to their privacy protection requirements, achieving differentiated privacy protection strategies.
[0118] Example 7
[0119] like Figure 5 As shown, based on Example 1, the optimized code security feature vector is input into a variational autoencoder, mapped to a latent space to establish a joint posterior distribution model of code features and vulnerability types, extracts key triggering conditions for each vulnerability type, and determines the probability distribution of vulnerability types, including:
[0120] S5.1: Based on the pre-built vulnerability pattern knowledge base, construct a Bayesian probabilistic graphical model, wherein the variable nodes of the Bayesian probabilistic graphical model represent code features and vulnerability types, and the edges of the Bayesian probabilistic graphical model represent conditional probability relationships.
[0121] In this embodiment of the invention, the vulnerability pattern knowledge base is constructed from security expert knowledge and historical vulnerability data. Each vulnerability pattern includes elements such as vulnerability feature description, triggering conditions, impact scope, and exploitation method. The Bayesian probabilistic graphical model uses the vulnerability pattern knowledge base as prior knowledge. It establishes a correlation between code features and vulnerability types through the variable nodes of the Bayesian probabilistic graphical model, and establishes a conditional dependency between the edge coding features of the Bayesian probabilistic graphical model and the vulnerability type.
[0122] In this embodiment of the invention, the Bayesian probabilistic graphical model is a probabilistic generative model that combines probability theory with graph structure. It represents the conditional dependencies between random variables in the form of a directed acyclic graph. Each node in the graph corresponds to a random variable, and each directed edge represents the conditional probabilistic dependency between variables. The entire model defines the joint probability distribution of all variables and supports Bayesian inference of the remaining variables given the observation of some variables.
[0123] S5.2: Input the optimized code security feature vector into the encoder of the variational autoencoder and map it to the latent space to obtain the latent distribution parameters.
[0124] In this embodiment of the invention, the variational autoencoder is a generative deep learning model that combines variational inference with an autoencoder structure. The variational autoencoder maps input data to probability distribution parameters (mean and variance) in the latent space through an encoder, and samples latent vectors from this distribution using reparameterization techniques. The decoder then reconstructs the original data from the latent vectors. Unlike deterministic autoencoders, the variational autoencoder represents latent features using probability distributions rather than deterministic point vectors, enabling it to model the inherent uncertainty of the data and support the generation of new data samples from the latent distribution. Specifically, the encoder of the variational autoencoder maps the optimized code safety feature vector to the mean and variance vectors in the latent space, constituting the latent distribution parameters. The latent vectors are sampled from the latent distribution using reparameterization techniques, capturing the uncertainty representation of code features in the latent space.
[0125] The variational inference framework applied to vulnerability pattern recognition is defined as follows: Variational inference is an approximate inference method that transforms the exact inference problem of Bayesian posterior distribution into a variational optimization problem. In this invention, the variational autoencoder, as the core component of the variational inference framework, models the probability distribution of code security features in the latent space, capturing the complex statistical dependencies between features of different vulnerability types. This enables the system to infer the joint probability of the same code segment belonging to multiple vulnerability types, rather than performing independent single-class classification judgments.
[0126] The variational inference framework applied to vulnerability pattern recognition follows these technical principles: Vulnerability detection is essentially a distribution estimation problem that distinguishes between normal code and vulnerable code in a high-dimensional feature space. The feature distributions of the two types of samples overlap (i.e., potentially vulnerable code with ambiguous boundaries). Deterministic classification models alone cannot accurately quantify the uncertainty of these boundary regions. The variational autoencoder maps code security features to probability distributions in the latent space (rather than deterministic point vectors), enabling the system to sample the vulnerability attribution of the same code feature multiple times during the inference phase. The concentration of the sampling results quantifies the detection confidence: a high concentration of sampling results in a specific vulnerability type region indicates a high confidence level in the vulnerability assessment; a dispersion of sampling results across multiple regions indicates that the code sample belongs to a potentially vulnerable vulnerability with ambiguous boundaries, requiring further verification.
[0127] The adversarial training mechanism is as follows: First, the system searches the latent space of the joint posterior distribution model for neighborhood regions of the latent representations of known vulnerability samples, locating latent vectors whose distance from the known vulnerability samples in the feature space exceeds a preset threshold but which the current model fails to correctly identify. Then, the system decodes these latent vectors into corresponding code feature vectors using a decoder, constructing the adversarial sample. After adding the adversarial sample to the training set with the vulnerability sample label, the system performs several rounds of adversarial training iterations on the joint posterior distribution model, using the weighted sum of contrastive loss and reconstruction loss as the objective function, driving the model to expand its recognition boundary for known vulnerability variants. It is worth noting that the execution frequency of the adversarial training can be set to trigger once after completing a certain number of regular detection tasks to avoid interference with the performance of normal detection tasks.
[0128] In this embodiment of the invention, the training objective function of the variational autoencoder consists of two parts: a reconstruction loss and a KL divergence regularization term. The reconstruction loss measures the difference between the decoder output and the original input feature vector, using mean squared error as the metric. The KL divergence regularization term constrains the deviation between the latent distribution and the standard normal prior distribution, preventing excessive fragmentation of the latent space. The two losses are balanced by a weighting coefficient β, the value of which can be dynamically adjusted according to the vulnerability type identification accuracy on the validation set. In one implementation, β can be initialized to 1.0.
[0129] S5.3: Based on the potential distribution parameters and the conditional dependency structure of the Bayesian probabilistic graphical model, establish a joint posterior distribution model of code features and vulnerability types.
[0130] In this embodiment of the invention, the joint posterior distribution model is a probabilistic model that estimates the joint probability distribution between code security features and vulnerability types posteriorly within a variational inference framework. This model uses Bayesian inference to calculate the posterior probability of each vulnerability type given observed code security features, while simultaneously modeling the conditional dependencies between different vulnerability types. This enables joint probability inference for the same code segment potentially belonging to multiple vulnerability types, rather than independent single-label classification. In this embodiment, the joint posterior distribution model, within the latent space of the variational autoencoder, combines the conditional dependency structure of the Bayesian probabilistic graphical model to model the joint probability distribution of code features and vulnerability types. This model can capture complex conditional dependencies and uncertainties, making it suitable for identifying complex logic vulnerabilities triggered by multiple feature combinations.
[0131] S5.4: Construct adversarial samples that are more than a preset threshold in the feature space of known vulnerability samples in the training set, but are determined to be non-vulnerable by the joint posterior distribution model. Add the adversarial samples to the training set to perform adversarial training on the joint posterior distribution model to obtain the updated joint posterior distribution model.
[0132] The adversarial samples are constructed by searching for code feature vectors that satisfy the above conditions in the feature space. These samples represent vulnerability variants that the current model has blind spots in. After adding the adversarial samples to the training set, the joint posterior distribution model is retrained to expand its recognition boundary for known vulnerability variants and improve its generalization ability to new vulnerability patterns.
[0133] S5.5: After weighted fusion of the optimized code security feature vector, the code structure vector, and the code semantic features through a multi-head attention mechanism, the result is input into the updated joint posterior distribution model to calculate the confidence level of each vulnerability type, extract the key triggering conditions and dependencies of each vulnerability type, and determine the probability distribution of the vulnerability type.
[0134] Furthermore, the multi-head attention mechanism performs multi-angle weighted fusion of the optimized code security feature vector, the code structure vector, and the code semantic features, enhancing the model's ability to understand different modalities in complex vulnerability scenarios. The updated joint posterior distribution model outputs the confidence score for each vulnerability type and extracts the key triggering conditions and dependencies for each possible vulnerability type, forming a structured vulnerability description, and finally determining the probability distribution of the vulnerability types.
[0135] Example 8
[0136] like Figure 6 As shown in Example 1, after applying consistency constraints to each expert model through a linear type system and formally representing the vulnerability assumptions, a reverse execution path is constructed. The path constraints are then solved using an SMT / SAT solver to generate vulnerability trigger test cases. These cases are then combined with hazard assessments and remediation plans to generate and output a final vulnerability report, including:
[0137] S6.1: Based on the optimized code security feature vector and the vulnerability type probability distribution, select the corresponding expert model from the expert model libraries constructed for memory vulnerabilities, access control vulnerabilities and encryption vulnerabilities respectively. Apply consistency constraints to the input type, calculation process and output type of the selected expert model through the linear type system. Dynamically adjust the weights based on the reliability and applicability of each expert model. Combine the static analysis results, symbolic execution results and dynamic test results to obtain a comprehensive vulnerability assessment report.
[0138] In this embodiment of the invention, the expert model library contains specialized detection models for different vulnerability types, and the corresponding expert model is selected according to the probability distribution of the vulnerability type. The linear type system, based on linear type theory, imposes type consistency constraints on the input type, calculation process, and output type of each expert model, ensuring that the analysis results of different expert models are semantically consistent and avoiding contradictory comprehensive detection conclusions. The dynamic weight adjustment mechanism adaptively allocates fusion weights based on the reliability of each expert model in historical detection tasks and its applicability to the current vulnerability type.
[0139] The linear type system applied to multi-model ensemble analysis is defined as follows: A linear type system is a formal constraint mechanism introduced from type theory. Its core characteristic is that each typed resource can only be used once during its lifetime (linearity constraint). In the vulnerability detection scenario of this invention, the linear type system is applied to constrain the access and processing behavior of each expert model to the code security feature vector: the input feature vector received by each expert model is regarded as a linear resource. After the expert model completes the analysis and outputs the result, the input resource is marked as consumed, and other expert models cannot receive the same input with the same type again, thereby preventing multiple expert models from drawing semantically contradictory analytical conclusions on the same code segment at the system level.
[0140] The technical principle of the linear constraint lies in eliminating semantic inconsistencies in multi-model integration. In traditional multi-model integration frameworks, different expert models may provide contradictory analysis results for the same code feature (for example, a memory vulnerability detection model considers memory access to a certain variable legal, while an access control vulnerability detection model considers the same variable to have a risk of privilege circumvention). Such contradictions can lead to the mutual cancellation of decision weights during the weighted fusion stage, reducing the reliability of the comprehensive assessment report. The linear type system defines strict type signatures for the input type, calculation process, and output type of each expert model, enabling the system to statically verify whether the analysis results of each expert model meet the type consistency requirements before integration analysis: if the output types of two expert models contradict each other, the system automatically triggers a conflict resolution mechanism before fusion, rather than directly performing a weighted average, thereby ensuring the semantic consistency and reliability of the comprehensive vulnerability assessment report.
[0141] Specifically, the implementation process of the linear type system imposing constraints on expert models is as follows: The system defines a set of type labels for the security attributes of each type of vulnerability. For example, for memory security attributes, it defines the types Safe_Memory and Unsafe_Memory, which are mutually exclusive; for access control attributes, it defines the types Authorized and Unauthorized, which are also mutually exclusive. The output of each expert model is mapped to the above type labels. The output of the memory vulnerability expert model is labeled as Safe_Memory or Unsafe_Memory, and the output of the access control vulnerability expert model is labeled as Authorized or Unauthorized. During the integration and fusion phase, the system checks whether there are cases where the same code location is simultaneously labeled as Safe_Memory and Authorized but logically contradictory. For analysis results with type conflicts, the system performs conflict priority adjudication based on the reliability weight of each expert model, taking the conclusion of the expert model with the higher reliability weight as the standard, and records the conflict information in the comprehensive vulnerability assessment report for manual review.
[0142] Through the constraints of the linear type system, the multi-model integrated analysis of the present invention achieves the following technical effects: the vulnerability descriptions in the comprehensive vulnerability assessment report maintain internal semantic consistency, avoiding the presentation of contradictory remediation suggestions to developers; the analysis results of each expert model retain type traceability, enabling developers to clearly know which expert model each vulnerability description comes from, thus enhancing the interpretability of the comprehensive assessment results.
[0143] To illustrate with a concrete example: Suppose the code under test contains a database query function whose parameters come from external user input and are not escaped. After analyzing the memory access behavior of this function, a memory vulnerability expert model labels the output type as Safe_Memory (valid memory access boundaries); after analyzing the source of the input parameters of this function, an access control vulnerability expert model labels the output type as Unauthorized (potential for SQL injection). The system detects that the outputs of the two expert models do not conflict in type at this code location (Safe_Memory and Unauthorized belong to different security attribute dimensions and can coexist), so it directly performs a weighted fusion, and the comprehensive risk assessment conclusion for this code location is: memory safe but access control vulnerability exists, which is output to the comprehensive vulnerability assessment report.
[0144] S6.2: Based on the comprehensive vulnerability assessment report, use sequential logic or predicate logic to represent the preconditions, triggering operations and consequences of each potential vulnerability as formal vulnerability assumptions.
[0145] In this embodiment of the invention, the formal vulnerability hypothesis refers to the process and result of expressing the preconditions, triggering operations, and triggering consequences of a vulnerability as a machine-verifiable logical formula using formal logic language (sequential logic or predicate logic). The core value of formal representation lies in transforming vulnerability inferences described in natural language into mathematically rigorous logical specifications, which can then be directly processed and verified by automated reasoning tools such as SMT / SAT solvers.
[0146] In this embodiment of the invention, the temporal logic is a formal logic system used to describe the evolutionary laws of propositions in the time dimension. By introducing temporal operators such as "always (G)," "finally (F)," and "until (U)," it can accurately express the state transition constraints of a program in the execution sequence and is widely used for the formal description of program verification and security attribute specifications. The predicate logic is a logic system that accurately characterizes variable relationships and constraints through quantifiers (universal quantifier ∀ and existential quantifier ∃) and predicate functions. It can express the range of variable values, memory boundary conditions, and spatial constraints of program states. Specifically, temporal logic is suitable for representing vulnerability triggering conditions involving program state sequences (such as condition race vulnerabilities), while predicate logic is suitable for representing vulnerability attributes involving variable constraints and spatial relationships (such as buffer overflow vulnerabilities). Transforming the formal vulnerability assumptions into a formal expression that can be directly processed by subsequent reverse execution path construction makes the vulnerability verification process mathematically rigorous.
[0147] S6.3: Based on the formal vulnerability assumptions, reverse the possible execution sequence and input conditions from the assumed vulnerability point, and construct a vulnerability triggering path diagram that includes all necessary program states and state transitions.
[0148] The reverse execution technique starts from the hypothetical vulnerability point and traverses the program dependency graph in reverse, collecting all necessary program states and state transitions that make the vulnerability conditions valid, forming a complete vulnerability triggering path graph. This path graph explicitly records the initial input conditions, intermediate program states, and the final vulnerability trigger point required to trigger the vulnerability, providing complete path information for subsequent constraint solving.
[0149] S6.4: Based on the vulnerability triggering path diagram, extract the path constraints and transform them into logical formulas acceptable to the SMT / SAT solver. Solve the specific input values that satisfy the logical formulas using the SMT / SAT solver to generate vulnerability triggering test cases.
[0150] In this embodiment of the invention, SMT (Satisfiability Modulo Theories) solvers and SAT (Boolean Satisfiability) solvers are automated reasoning tools used to determine the satisfiability of logical formulas and provide a satisfying solution when it is satisfiable. SAT solvers handle the satisfiability of pure Boolean logic formulas; SMT solvers, building upon SAT solvers, extend support for background theories such as integer arithmetic, array theory, and bit vectors, enabling them to handle complex path constraints including numerical constraints and memory models, and are widely used in program verification and symbolic execution. It should be noted that the path constraints include the judgment conditions of each branch in the vulnerability triggering path graph, variable assignment conditions, and memory access constraints. By solving the logical formula using SMT or SAT solvers, specific input values satisfying all path constraints are obtained, constructing a minimum test case capable of triggering the vulnerability, and verifying the actual existence of the vulnerability by actually executing the minimum test case, effectively avoiding false positives.
[0151] The technical definition of the reverse-derived interpretability verification framework is as follows: This framework is a post-processing mechanism that combines formal verification methods with reverse execution techniques to verify the reachability of vulnerability detection results. Unlike methods that rely solely on model output confidence scores to filter false positives, this interpretability verification framework verifies the actual triggerability of vulnerabilities from both mathematical and engineering perspectives by actually constructing vulnerability trigger paths and generating specific trigger inputs. Its core value lies in two aspects: firstly, verifying the reachability of vulnerability trigger paths through SMT / SAT solvers confirms the existence of vulnerabilities rather than false positives; secondly, the generated vulnerability trigger path graph and test cases serve as an interpretable chain of evidence, enabling developers to directly understand the vulnerability's trigger mechanism without having to reproduce the vulnerability themselves.
[0152] The key difference between the reverse execution technique and the forward symbolic execution technique in constructing the vulnerability triggering path graph lies in the starting point and direction of the analysis. Forward symbolic execution starts from the program entry point and traverses all possible execution paths forward along the program control flow graph, recording path constraints when a suspected vulnerability point is reached. Because forward symbolic execution requires exploring an exponentially large path space, it faces a severe path explosion problem in complex programs. The reverse execution technique, on the other hand, starts from the hypothetical vulnerability point and traverses backward along the program dependency graph, tracking only the minimum set of dependencies related to the vulnerability point. Since the starting point of the reverse traversal has been precisely located by the set of security concern areas, the search space is significantly compressed into program subgraphs that depend on the vulnerability point, effectively avoiding the path explosion problem.
[0153] The technical mechanism by which the SMT / SAT constraint solver eliminates false positives is as follows: One of the main sources of false positives in current code vulnerability detection systems is "infeasible path false positives"—that is, the model identifies a program path that theoretically contains a vulnerability, but this path can never be reached during actual program execution due to unmet constraints. The SMT / SAT solver verifies the satisfiability of the path constraints extracted from the vulnerability triggering path graph, accurately identifying the aforementioned infeasible path scenarios: if the solver returns an "unsatisfiable" conclusion, the vulnerability is confirmed as an infeasible path false positive and filtered out from the final vulnerability report; if the solver returns a "satisfiable" conclusion and provides specific input values that satisfy the constraints, the vulnerability is confirmed as a real triggerable vulnerability, and the specific input values are included in the report as vulnerability triggering test cases. Through this reachability filtering mechanism, all vulnerabilities output in the final vulnerability report undergo formal reachability verification, significantly reducing the proportion of untriggerable vulnerabilities in the report.
[0154] S6.5: Based on the actual execution results of the test cases triggered by the vulnerability, consider the attack vector, exploitation conditions, permission requirements and potential consequences of the vulnerability, assess the security risk level, generate a remediation plan that conforms to security best practices according to the vulnerability type and program context, and output the final vulnerability report.
[0155] It should be understood that the security risk level is quantified with reference to the evaluation dimensions of the Common Vulnerability Scoring System (CVSS), comprehensively considering the vulnerability's attack vector (network reachability), exploitation conditions (authentication requirements), permission requirements, and potential consequences (impact on confidentiality, integrity, and availability). The remediation plan provides targeted recommendations including code examples and security model suggestions based on the vulnerability type, and verifies the effectiveness and compatibility of the remediation plan.
[0156] Example 9
[0157] Based on Example 8, the step of representing the preconditions, triggering operations, and consequences of each potential vulnerability as formal vulnerability hypotheses using sequential logic or predicate logic according to the comprehensive vulnerability assessment report includes:
[0158] S6.2.1: For each potential vulnerability in the comprehensive vulnerability assessment report, extract its vulnerability type identifier, trigger condition description, and impact scope description.
[0159] In this embodiment of the invention, the vulnerability type identifier is derived from the detection conclusions of each expert model in the comprehensive vulnerability assessment report; the triggering condition description includes the code state and input conditions required for the vulnerability to occur; and the impact scope description includes the program resources and system state affected after the vulnerability is triggered. These three types of information together constitute the complete semantic foundation for the subsequent formal representation.
[0160] S6.2.2: Associate the vulnerability features corresponding to the vulnerability type identifier with the trigger condition description through a timing logic operator, and constrain the impact scope description through a predicate logic expression to obtain a formal security attribute specification.
[0161] Specifically, the temporal logic operators (such as "always (G)", "finally (F)", and "until (U)") are used to describe the evolution of the program state over time during the vulnerability triggering process; the predicate logic expressions are used to precisely constrain the variable relationships and memory boundary conditions within the scope of the vulnerability's impact. The formal security attribute specification formed by the combination of the two is mathematically verifiable.
[0162] S6.2.3: Generate the formal vulnerability hypothesis based on the formal security attribute specification.
[0163] The formal vulnerability assumption takes the formal security attribute specification as input to determine the preconditions (initial state of the program entering the vulnerability triggering path), triggering operation (specific program action to activate the vulnerability), and consequences (changes in program state after the vulnerability is triggered), forming a structured vulnerability description that can directly drive the construction of the reverse execution path.
[0164] Example 10
[0165] Based on Example 1, after outputting the final vulnerability report, the following is also included:
[0166] Step A: Based on the final vulnerability report, extract the vulnerability type identifier, triggering conditions, dependencies, and remediation solutions of the vulnerabilities that have been verified as real vulnerabilities by vulnerability triggering test cases, and construct a structured vulnerability pattern.
[0167] In this embodiment of the invention, the structured vulnerability pattern refers to a knowledge representation that uses a standardized data structure to describe verified real vulnerabilities in a standardized manner. It includes elements such as vulnerability type identifiers, code feature representations of triggering conditions, vulnerability dependency graphs, and corresponding remediation schemes. The structured vulnerability pattern can be directly processed by retrieval and matching algorithms to identify potential vulnerabilities with similar feature patterns in subsequent code vulnerability detection.
[0168] In this embodiment of the invention, the structured vulnerability pattern only includes detection results of vulnerabilities that have been verified as real vulnerabilities through the actual execution of the vulnerability-triggered test cases, excluding false positives and ensuring the accuracy of the updated knowledge base content. The structured vulnerability pattern stores vulnerability type identifiers, triggering conditions, dependencies, and remediation schemes using a standardized data structure, facilitating subsequent retrieval and matching.
[0169] Step B: Write the structured vulnerability pattern into the vulnerability pattern knowledge base, update the code features corresponding to the triggering conditions to the detection rules in the security rule base, and update the feature vectors corresponding to the dependencies to the security sensitive patterns, so that the updated vulnerability pattern knowledge base and the security rule base can be used for the identification of security sensitive points and the determination of vulnerability type probability distribution in the subsequent code vulnerability detection process.
[0170] Furthermore, the code features corresponding to the triggering conditions are transformed into detection rules that can be directly used for code location matching, expanding the rule coverage of the security rule base; the feature vectors corresponding to the dependencies are added to the model parameters of the security sensitive patterns, enabling the security sensitive point identification model to identify newly discovered vulnerability dependency patterns. Through the above knowledge feedback mechanism, this invention achieves continuous self-optimization of the detection system, allowing the vulnerability pattern knowledge base and the security rule base to be continuously enriched with the accumulation of detection tasks, forming a closed-loop vulnerability detection and knowledge update system.
Claims
1. A method for intelligent code vulnerability detection based on multi-dimensional fusion, characterized in that, include: For the input raw code file, lexical analysis and syntax analysis are performed through a language-specific parser, and abstract syntax trees, control flow graphs, data flow graphs and program dependency graphs are constructed respectively to obtain a multi-level code representation; The multi-level code representation is input into a heterogeneous graph neural network. The hierarchical graph attention mechanism performs message passing and information aggregation on various nodes and dependencies. The feature is fused by combining code semantic information to output a code structure vector. Based on the multi-level code representation and the code structure vector, security-sensitive points in the original code file are identified, and forward slicing and backward slicing are performed along the data flow direction respectively. After slice optimization and cross-process integration, the output is a set of security concern regions. For the set of security concern regions, an original feature vector containing syntax patterns, data flow features, and control flow features is constructed. After performing noise reduction processing on the original feature vector using a diffusion probability model, an optimized code security feature vector is obtained. The optimized code security feature vector is input into the variational autoencoder and mapped to the latent space to establish a joint posterior distribution model of code features and vulnerability types. The key triggering conditions of each vulnerability type are extracted, and the probability distribution of vulnerability types is determined. Based on the optimized code security feature vector and the vulnerability type probability distribution, a consistency constraint is imposed on each expert model through a linear type system. After the vulnerability assumption is formally represented, a reverse execution path is constructed. The path constraint conditions are solved by the SMT / SAT solver to generate vulnerability trigger test cases. Combined with the hazard assessment and remediation plan, the final vulnerability report is output.
2. The method according to claim 1, characterized in that, The input raw code file undergoes lexical and syntactic analysis using a language-specific parser, and abstract syntax trees, control flow graphs, data flow graphs, and program dependency graphs are constructed respectively to obtain a multi-level code representation, including: Based on the lexical and syntactic analysis results of the original code file, unique identifiers are assigned to function definitions, variable declarations, conditional statements, and loop structures, and source code location information is recorded to construct the abstract syntax tree. Extract the basic blocks and inter-block execution paths of the abstract syntax tree, mark the control transfer points of conditional statements, loop structures and exception handling, and construct the control flow graph; Analyze the variable definition and usage relationships in the abstract syntax tree and / or the control flow graph, perform alias analysis for pointer type variables and reference type variables, and construct the data flow graph; Based on the control flow graph and the data flow graph, control dependency edges and data dependency edges are integrated to construct the program dependency graph; For each of the original code files, the abstract syntax tree, control flow graph, data flow graph, and program dependency graph are used to identify the function call relationships, class inheritance relationships, and interface implementation relationships between the original code files in order to construct a global dependency graph and obtain the multi-level code representation.
3. The method according to claim 1, characterized in that, The process involves inputting the multi-level code representation into a heterogeneous graph neural network, performing message passing and information aggregation on various nodes and dependencies through a hierarchical graph attention mechanism, and combining this with code semantic information for feature fusion to output a code structure vector, including: Extract the type, name, and scope attributes of each node, as well as the dependency type and relationship features of the edges, from the multi-level code representation to construct an initial node feature matrix and edge feature matrix; For the function nodes, variable nodes, and control structure nodes of the initial node feature matrix and the edge feature matrix, corresponding encoding functions are designed respectively. For the call relationship edge, the containment relationship edge, and the inheritance relationship edge, corresponding aggregation functions are designed respectively to construct a heterogeneous graph. The nodes and paths within the scope of the security sensitive point pre-screening are set as the first weight, and the remaining nodes and paths are set as the second weight, wherein the first weight is greater than the second weight. A gating mechanism is introduced to selectively filter the neighbor information of each node. Hierarchical graph attention message passing is performed on the heterogeneous graph, and node-level embedding vectors and graph-level embedding vectors are output. The graph-level embedding vector is weighted and fused with the variable naming features, function name features, and API usage pattern features of the original code file through a multi-head attention mechanism to output the code structure vector.
4. The method according to claim 3, characterized in that, The process involves assigning a first weight to nodes and paths within the pre-screening scope of the security-sensitive points, and a second weight to the remaining nodes and paths, wherein the first weight is greater than the second weight. A gating mechanism is introduced to selectively filter the neighbor information of each node. Hierarchical graph attention message passing is performed on the heterogeneous graph, outputting node-level embedding vectors and graph-level embedding vectors, including: Each node in the initial node feature matrix is matched with a predefined security-sensitive operation type. The attention weight of the path directly associated with the successfully matched node is set as the first weight, and the attention weight of the remaining nodes and paths is set as the second weight, wherein the first weight is greater than the second weight, thus obtaining the attention weight distribution. Based on the attention weight distribution, the information reception gating coefficient of each node's neighboring nodes is calculated, and the feature vectors passed in by each neighboring node are weighted and filtered using the information reception gating coefficient to suppress information interference from irrelevant neighboring nodes. The gated neighbor information and the current node features are subjected to multiple rounds of message passing and aggregation to output the node-level embedding vector and the graph-level embedding vector.
5. The method according to claim 1, characterized in that, The process involves identifying security-sensitive points in the original code file, performing forward and backward slicing along the data flow direction, and outputting a set of security-concerned regions after slice optimization and cross-process integration. This set includes: Based on the multi-level code representation and the code structure vector, each code position in the original code file is matched with a predefined security rule base. At the same time, each code position is scored by learning a security sensitivity pattern. The rule matching result and the scoring result are fused together, and the code positions containing input processing operations, permission checking operations and resource operations are marked as security sensitive points. Starting from each of the aforementioned security-sensitive points, trace all program points affected by their calculation results along the forward direction of the data flow to obtain the forward influence set; simultaneously, starting from each of the aforementioned security-sensitive points, trace all program points affected by their values along the reverse direction of the data flow to obtain the backward dependency set. Based on the forward influence set and the backward dependency set, a graph simplification algorithm is applied to remove nodes and edges irrelevant to security analysis, connect data flows and control flows across functions, classes, and modules, process recursive calls and polymorphic methods with a context-sensitive strategy, assign risk weights to each security concern region and record its associated sensitive operation types, input sources, and constraints, and output the set of security concern regions.
6. The method according to claim 1, characterized in that, The process of obtaining the optimized code security feature vector by performing denoising processing on the original feature vector using a diffusion probability model includes: For each feature dimension of the original feature vector, the contribution of each feature dimension to vulnerability detection is quantified by calculating information entropy and information gain, thus obtaining the feature noise distribution. Based on the feature noise distribution, positive and negative sample pairs are constructed through a contrastive learning strategy, pseudo-labels are generated through a self-supervised learning strategy, and a diffusion probability model is trained using the positive and negative sample pairs and the pseudo-labels, so that the diffusion probability model learns the representation of the original feature vector and the noise distribution law, thus obtaining the trained diffusion probability model. Under the federated learning framework, each participant locally uses the trained diffusion probability model to perform denoising processing on the local original feature vector, shares the model gradient with the central node, the central node aggregates the model gradient, updates the global diffusion probability model, and distributes it to each participant. After feature selection and dimensionality reduction, the optimized code safety feature vector is obtained.
7. The method according to claim 1, characterized in that, The process involves inputting the optimized code security feature vector into a variational autoencoder, mapping it to a latent space to establish a joint posterior distribution model of code features and vulnerability types, extracting key triggering conditions for each vulnerability type, and determining the probability distribution of vulnerability types, including: Based on a pre-built vulnerability pattern knowledge base, a Bayesian probabilistic graphical model is constructed, wherein the variable nodes of the Bayesian probabilistic graphical model represent code features and vulnerability types, and the edges of the Bayesian probabilistic graphical model represent conditional probability relationships. The optimized code security feature vector is input into the encoder of the variational autoencoder and mapped to the latent space to obtain the latent distribution parameters; Based on the potential distribution parameters and the conditional dependency structure of the Bayesian probabilistic graphical model, a joint posterior distribution model of code features and vulnerability types is established. Construct adversarial samples that are known vulnerability samples in the training set and whose distance in the feature space exceeds a preset threshold, but are determined to be non-vulnerable by the joint posterior distribution model. Add the adversarial samples to the training set to perform adversarial training on the joint posterior distribution model to obtain an updated joint posterior distribution model. The optimized code security feature vector, the code structure vector, and the code semantic features are weighted and fused through a multi-head attention mechanism, and then input into the updated joint posterior distribution model to calculate the confidence level of each vulnerability type, extract the key triggering conditions and dependencies of each vulnerability type, and determine the probability distribution of the vulnerability type.
8. The method according to claim 1, characterized in that, The process involves applying consistency constraints to each expert model using a linear type system, formalizing vulnerability assumptions, constructing a reverse execution path, solving the path constraints using an SMT / SAT solver to generate vulnerability trigger test cases, and combining these with hazard assessment and remediation plans to generate a final vulnerability report, including: Based on the optimized code security feature vector and the vulnerability type probability distribution, corresponding expert models are selected from the expert model libraries constructed for memory vulnerabilities, access control vulnerabilities and encryption vulnerabilities respectively. Consistency constraints are applied to the input type, calculation process and output type of the selected expert models through the linear type system. The weights are dynamically adjusted based on the reliability and applicability of each expert model. The static analysis results, symbolic execution results and dynamic test results are integrated to obtain a comprehensive vulnerability assessment report. Based on the comprehensive vulnerability assessment report, the preconditions, triggering operations and consequences of each potential vulnerability are represented as formal vulnerability assumptions using sequential logic or predicate logic. Based on the formal vulnerability assumptions, the possible execution sequences and input conditions are deduced in reverse from the assumed vulnerability points, and a vulnerability triggering path diagram containing all necessary program states and state transitions is constructed. Based on the vulnerability triggering path diagram, the path constraints are extracted and transformed into logical formulas acceptable to the SMT / SAT solver. The SMT / SAT solver then solves for the specific input values that satisfy the logical formulas to generate vulnerability triggering test cases. Based on the actual execution results of the vulnerability-triggered test cases, the attack vector, exploitation conditions, permission requirements, and potential consequences of the vulnerability are considered to assess the security risk level. Based on the vulnerability type and program context, a remediation plan that conforms to security best practices is generated, and the final vulnerability report is output.
9. The method according to claim 8, characterized in that, Based on the comprehensive vulnerability assessment report, the preconditions, triggering operations, and consequences of each potential vulnerability are represented as formal vulnerability hypotheses using sequential logic or predicate logic, including: For each potential vulnerability in the comprehensive vulnerability assessment report, extract its vulnerability type identifier, trigger condition description, and impact scope description; The vulnerability features corresponding to the vulnerability type identifier are associated with the triggering condition description through a time-series logic operator, and the impact scope description is constrained through a predicate logic expression to obtain a formal security attribute specification. Based on the formal security attribute specification, the formal vulnerability hypothesis is generated.
10. The method according to claim 1, characterized in that, Following the output of the final vulnerability report, the following is also included: Based on the final vulnerability report, extract the vulnerability type identifier, triggering conditions, dependencies, and remediation solutions of the vulnerabilities that have been verified as real vulnerabilities by vulnerability triggering test cases, and construct a structured vulnerability pattern. The structured vulnerability pattern is written into the vulnerability pattern knowledge base, and the code features corresponding to the triggering conditions are updated to the detection rules in the security rule base. The feature vectors corresponding to the dependencies are updated to the security sensitive patterns, so that the updated vulnerability pattern knowledge base and the security rule base can be used for the identification of security sensitive points and the determination of vulnerability type probability distribution in the subsequent code vulnerability detection process.