A coarse and fine granularity collaborative code vulnerability locating method and system

By using layered mask pre-training and a coarse-fine granular collaborative architecture, combined with dual-channel gating fusion and multi-task loss, the problem of high resource overhead and high false positive rate in code vulnerability localization in existing technologies is solved. This achieves high-precision, low-overhead line-level vulnerability localization and reduces the cost of manual investigation.

CN122241724APending Publication Date: 2026-06-19QILU UNIVERSITY OF TECHNOLOGY (SHANDONG ACADEMY OF SCIENCES) +1

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
QILU UNIVERSITY OF TECHNOLOGY (SHANDONG ACADEMY OF SCIENCES)
Filing Date
2026-05-21
Publication Date
2026-06-19

AI Technical Summary

Technical Problem

Existing technologies struggle to accurately locate fine-grained code vulnerabilities in software security audits, resulting in a heavy workload for manual investigation, a high false alarm rate, and huge resource consumption. Furthermore, the lack of a coarse-grained and fine-grained collaborative mechanism fails to effectively reduce the burden of manual investigation.

Method used

We employ a method that combines layered mask pre-training, coarse-fine granular collaborative architecture, dual-channel gating fusion, and multi-task joint loss. By pre-training the encoder using a vulnerability-aware layered mask strategy and combining coarse-fine and fine-grained models, we can achieve end-to-end line-level vulnerability localization, reducing resource overhead and improving localization accuracy.

Benefits of technology

It achieves high-precision, low-overhead line-level vulnerability location, significantly reducing false positive rates and manual investigation costs, and improving security audit efficiency.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122241724A_ABST
    Figure CN122241724A_ABST
Patent Text Reader

Abstract

This invention discloses a coarse- and fine-grained collaborative code vulnerability localization method and system, belonging to the field of software security testing and static source code analysis technology. To address the problems of high resource overhead in graph construction, lack of prior vulnerability knowledge during pre-training, lack of inter-line logical connections and global guidance, and poor transition between coarse and fine granularity in existing vulnerability localization technologies, this invention first employs a layered masking strategy to pre-train the encoder, obtaining an initial encoder injected with prior vulnerability knowledge; then, a coarse-grained screening model is constructed and fine-tuned using function-level binary classification; next, a fine-grained localization model incorporating a dual-path adaptive gating fusion network and a multi-instance learning mechanism is constructed and fine-tuned; finally, through two-stage collaborative detection combined with syntax filtering rules, the vulnerability code line localization sequence is output. This invention abandons program dependency graph construction, significantly reducing resource overhead, improving the accuracy and efficiency of line-level vulnerability localization, and alleviating the burden of manual auditing.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of software security testing and static source code analysis technology, and in particular to a coarse-grained and fine-grained collaborative method and system for locating code vulnerabilities. Background Technology

[0002] The statements in this section are merely background information related to the present invention and do not necessarily constitute prior art.

[0003] With the rapid expansion of software scale and the widespread use of open-source components, the number and severity of software vulnerabilities are constantly increasing, with source code vulnerabilities becoming a key target for attacks. Traditional code vulnerability detection based on manually defined rules or pattern matching is inefficient and has a high false positive rate. Therefore, using deep learning technology for automated detection and localization of source code vulnerabilities has become an important research direction for reducing the burden on security auditors and improving software security. However, deep learning-based source code vulnerability detection mostly remains at the coarse-grained function or file level. This coarse-grained detection can only determine whether a security vulnerability exists in a code segment, but cannot pinpoint the exact location of the vulnerability. In actual industrial-level security audits, due to the lack of fine-grained line-level code location guidance, auditors still need to spend a lot of time manually checking lengthy functions, resulting in extremely limited improvement in actual audit efficiency. Therefore, there is an urgent need for a fine-grained vulnerability localization technology that can pinpoint the vulnerability to the line of code.

[0004] Existing deep learning-based vulnerability detection technologies are mainly divided into two categories: one is based on program analysis, such as converting source code into an abstract syntax tree or program dependency graph, and then using graph neural networks for feature extraction and vulnerability localization; the other is based on sequence deep learning, such as directly using pre-trained language models such as Transformer to capture the semantic features of code statements for classification.

[0005] However, existing technologies still struggle to effectively reduce the burden of manual investigation in real-world security audit scenarios: First, most existing fine-grained vulnerability localization techniques rely on constructing complex graph structures such as program dependency graphs. This graph construction process requires parsing all code dependencies, resulting in significant resource overhead and difficulty in scaling to large-scale codebases. Second, vulnerability analysis methods based on pre-trained language models generally employ standard random masking strategies during the pre-training phase. This strategy fails to consider the sparsity and specific patterns of vulnerability distribution in the code data, leading to a lack of targeted learning of prior vulnerability knowledge. Third, most existing fine-grained localization methods process each line of code independently, severely lacking logical connections between lines and guidance from global semantics, resulting in fragmented localization results and a high false positive rate. Furthermore, current methods mostly lack an effective transition from coarse-grained to fine-grained approaches, either performing only function-level classification or directly performing global line-level classification, lacking a two-stage collaborative mechanism.

[0006] Meanwhile, fine-grained vulnerability data often suffers from missing line-level labels, and there is an extreme imbalance between positive and negative samples in the number of secure and vulnerable lines within a function. Traditional classification loss functions are prone to model degradation and a large number of false positives. Finally, when dealing with long code sequences, existing sequence models often rely on global encoding representations, and critical high-risk operations are easily diluted by a large amount of background code features, leading to missed detections of locally sensitive vulnerabilities. The reason for these problems is that vulnerable lines of code account for a very small percentage of a function, and vulnerability patterns are often hidden in complex control flow and data flow dependencies. Existing technologies struggle to capture both local context and global semantics without introducing significant overhead. Summary of the Invention

[0007] To address the shortcomings of existing technologies, this invention proposes a coarse-fine granular collaborative code vulnerability localization method and system. Through mechanisms such as vulnerability-aware layered mask pre-training, coarse-fine granular collaborative architecture, dual-path gating fusion, and multi-task joint loss, it achieves high-precision, low-overhead end-to-end line-level vulnerability localization.

[0008] On the one hand, a coarse- and fine-grained collaborative code vulnerability localization method is provided, including: Historical code data containing line-level vulnerability labels is obtained, and the encoder model is pre-trained using a layered masking strategy to obtain the initial encoder; Construct a coarse-grained vulnerability screening model: Load the parameters of the initial encoder and fine-tune the training using data with function-level vulnerability labels; Construct a fine-grained vulnerability localization model: Inherit the encoder parameters of the coarse-grained vulnerability screening model and perform fine-tuning training using mixed training data containing row-level labels and function-level labels; the fine-grained vulnerability localization model includes a dual-path adaptive gating fusion network and a multi-instance learning weak supervision mechanism; The source code to be detected is input into the coarse-grained vulnerability screening model. If it is determined to be a candidate vulnerability function, the source code is input into the fine-grained vulnerability localization model to obtain the initial vulnerability score for each line of code. The initial vulnerability scores are penalized and reordered based on preset constraint rules, and the vulnerability code line localization sequence is output.

[0009] Furthermore, the layered masking strategy includes: for samples containing real vulnerability line annotations, mapping the vulnerability lines to corresponding words and performing masking, and using a low-frequency random mask for the remaining words; for samples that do not contain vulnerability line annotations but contain vulnerability type annotations, based on a predefined mapping relationship between vulnerability types and sensitive keywords, performing masking on words that overlap with sensitive keywords, and using a low-frequency random mask for the remaining words; for samples that do not contain vulnerability line annotations and do not contain vulnerability type annotations, performing a random mask for all words.

[0010] Furthermore, when constructing a coarse-grained vulnerability screening model, the method also includes: constructing function-level global semantic features using multi-path feature pooling. Specifically, multi-path feature pooling includes: extracting the global special character features at the beginning of the sequence as the first feature; performing mean pooling on the effective code sequence to obtain the second feature; performing max pooling on the effective code sequence to obtain the third feature; and concatenating and fusing the first, second, and third features to obtain enhanced function-level global semantic features.

[0011] Furthermore, the fine-tuning training of the coarse-grained vulnerability screening model also includes: Supplementary views are extracted from the source code based on lexical heuristics, and these supplementary views include risk views and protection views. An adaptive routing network is constructed based on the enhanced function-level global semantic features. The probability distribution of view strategies is calculated. The view strategies include not using supplementary views, using risky views, and using protected views. A joint quality evaluation coefficient is constructed based on the ratio of the effective term length of the supplementary views to the length of the main view composed of the original source code sequence. The optimal view strategy is selected based on the probability distribution and the quality evaluation coefficient. During the residual execution phase, only the feature branch corresponding to the strategy is activated, and after encoding and pooling, it is concatenated with the enhanced global semantic features and input into the multilayer perceptron. An amplitude scaling is applied to the original increment output by the multilayer perceptron, and the residual is added to the base prediction score of the main view to obtain the final function-level prediction score; wherein, the base prediction score is obtained by inputting the function-level global semantic features of the main view into the base classification head; The final function-level prediction score is converted into vulnerability prediction probability through an activation function and combined with the function-level real label to calculate the classification loss; global special character features are extracted to calculate the supervised contrast loss, and the joint loss is constructed by weighted summation with the classification loss. A fast gradient adversarial training mechanism is introduced during backpropagation to calculate the adversarial loss. Backpropagation is performed based on the joint loss and the adversarial loss respectively. The network weights are updated by gradient accumulation. After training converges, a coarse-grained vulnerability screening model is obtained.

[0012] Furthermore, the construction of a fine-grained vulnerability localization model also includes: Without constructing a program dependency graph, the source code sequence is input into an encoder that inherits from a coarse-grained vulnerability screening model for feature extraction to obtain a word-level hidden layer state sequence. Based on the physical location mapping from lexical units to code lines, mean pooling and max pooling are performed on all lexical features belonging to the same code line and then concatenated to generate independent representation vectors for each code line. The independent representation vectors of each line of code are input into the line-level feature encoder, and the contextual logical dependencies between lines of code are established through the line-level self-attention mechanism.

[0013] Furthermore, the dual-path adaptive gating fusion network and the multi-instance learning weak supervision mechanism include: Local evidence channel: Extract local line features within a preset window range of each line of code for attention interaction; A multi-slot global memory channel extracts function-level global special character features, global mean pooling features, global max pooling features, and high-risk code line features extracted based on a pre-scoring mechanism, forming a multi-slot global memory matrix for attention interaction; An adaptive gating mechanism is used to calculate the fusion weights of local and global evidence, and to perform residual fusion of local features, global features and code line representations. The resulting sequence is then output as a predicted score for each code line through a mapping network. The multi-instance learning weak supervision mechanism treats the current function as a package and each line of code as an instance. It uses an attention mechanism to perform weighted aggregation of the fused line features and calculates the function-level classification loss based on the function-level feature representation, so as to use function-level labels to perform weak supervision training on the fine-grained vulnerability localization model.

[0014] Furthermore, in the fine-tuning training of the fine-grained vulnerability localization model, based on the predicted scoring sequence and the actual row-level vulnerability labels, the row-level multi-task localization loss function is used to calculate the network error and perform backpropagation. The row-level multi-task localization loss function includes: Dice loss for directly optimizing the intersection-union ratio of positive and negative samples to overcome extreme area imbalance; contrast ranking loss for ensuring that the score of real vulnerability rows is higher than that of non-vulnerability rows and introducing a difficult negative sample mining mechanism; and list-level ranking loss for minimizing KL divergence optimization by treating all lines of code in the current function as a probability distribution. The overall network weights are updated by combining the function-level classification loss and the row-level multi-task localization loss, and the fine-grained vulnerability localization model is obtained after training convergence.

[0015] Furthermore, the source code to be tested is input into the coarse-grained vulnerability screening model. If it is determined to be a candidate vulnerable function, the source code is input into the fine-grained vulnerability localization model to obtain the initial vulnerability score for each line of code, specifically: The source code to be detected is input into a coarse-grained vulnerability screening model to obtain the probability of function-level vulnerabilities. If the probability is lower than a preset classification threshold, it is determined to be without vulnerabilities. If the probability is higher than or equal to the preset classification threshold, it is determined to be a candidate vulnerable function. The source code is then input into a fine-grained vulnerability localization model to output the initial vulnerability score for each line of code.

[0016] On the other hand, a coarse- and fine-grained collaborative code vulnerability localization system is provided, including: The pre-training module is configured to: acquire historical code data containing line-level vulnerability labels, pre-train the encoder model using a layered masking strategy, and obtain the initial encoder. The coarse-grained screening module is configured to: build a coarse-grained vulnerability screening model: load the parameters of the initial encoder and fine-tune the training using data with function-level vulnerability labels; The fine-grained localization module is configured to: construct a fine-grained vulnerability localization model: inherit the encoder parameters of the coarse-grained vulnerability screening model, and perform fine-tuning training using mixed training data containing row-level labels and function-level labels; the fine-grained vulnerability localization model includes a dual-path adaptive gating fusion network and a multi-instance learning weak supervision mechanism; The collaborative detection module is configured to: input the source code to be detected into a coarse-grained vulnerability screening model; if it is determined to be a candidate vulnerability function, input the source code into a fine-grained vulnerability localization model to obtain an initial vulnerability score for each line of code; and penalize and reorder the initial vulnerability scores based on preset constraint rules to output a sequence of vulnerability code line locations.

[0017] In another aspect, a computer-readable storage medium is also provided, on which a computer program is stored, which, when executed by a processor, performs the method described in the first aspect.

[0018] The above technical solution has the following advantages or beneficial effects: (1) In terms of resource overhead, the present invention does not rely on program dependency graph construction in the fine-grained vulnerability localization process. Instead, it combines code sequence representation and code line-level aggregation to achieve line-level feature modeling, thereby reducing the memory occupation and computational overhead caused by graph construction.

[0019] (2) In the pre-training stage, the present invention adopts a vulnerability-aware layered masking strategy. Based on the vulnerability row annotation and vulnerability type information in the sample, differential masking probabilities are applied to words with different semantic importance, so that the encoder can actively learn the vulnerability-related syntax and semantic patterns during the pre-training process.

[0020] (3) In terms of inter-line dependency modeling, this invention realizes explicit modeling of inter-line logical associations and dynamic guidance of global semantics through a dual-path adaptive gating fusion network with line-level self-attention mechanism, local window perception and multi-slot global memory interaction.

[0021] (4) In the coarse-grained screening stage, the present invention corrects the residual score of the function-level prediction results by using a supplementary view mechanism based on heuristic rules and adaptive gating routes, so that the model can introduce local high-risk information and protection information while maintaining global semantic dominance, thereby improving the accuracy and robustness of coarse-grained screening.

[0022] (5) Regarding coarse-grained and fine-grained collaboration, this invention constructs a two-stage architecture: a coarse-grained screening model quickly filters safe functions, while a fine-grained localization model performs detailed line-level analysis only on candidate functions, thereby achieving collaborative processing from function-level screening to line-level localization and effectively suppressing the sensitivity of single-stage direct line-level classification to false features. Simultaneously, this invention introduces a multi-instance learning mechanism in the fine-grained training stage, utilizing weakly supervised function-level labels to assist in the training of the fine-grained model, enabling the fine-grained model to learn effective information from function-level labeled samples, thereby expanding the training data and alleviating the limitations caused by insufficient line-level labeling.

[0023] (6) In terms of multi-task joint optimization, this invention adopts row-level multi-task localization loss that combines Dice loss, contrast ranking loss and list-level ranking loss, while overcoming problems such as extreme imbalance of positive and negative samples, interference from difficult negative samples and global ranking consistency. Attached Figure Description

[0024] The accompanying drawings, which form part of this invention, are used to provide a further understanding of the invention. The illustrative embodiments of the invention and their descriptions are used to explain the invention and do not constitute an improper limitation of the invention.

[0025] Figure 1 This is a flowchart of the method according to Embodiment 1 of the present invention; Figure 2 This is a schematic diagram of the layered mask pre-training model architecture of Embodiment 1 of the present invention; Figure 3 This is a schematic diagram of the coarse-grained vulnerability screening model structure according to Embodiment 1 of the present invention; Figure 4 This is a schematic diagram of the fine-grained vulnerability location model structure according to Embodiment 1 of the present invention. Detailed Implementation

[0026] To make the objectives, technical solutions, and advantages of the present invention clearer, the embodiments of the present invention will be described in further detail below with reference to the accompanying drawings. Those skilled in the art should understand that the specific embodiments described herein are for illustrative purposes only and are not intended to limit the scope of the invention.

[0027] It should be noted that the following detailed description is illustrative and intended to provide further explanation of the invention. Unless otherwise specified, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention pertains.

[0028] Example 1 This embodiment provides a coarse- and fine-grained collaborative method for locating code vulnerabilities. Figure 1 The following is a flowchart of a method according to Embodiment 1 of the present invention, which includes the following steps: S101: Obtain historical code data containing line-level vulnerability labels, and pre-train the encoder using a layered masking strategy to obtain the initial encoder; S102: Construct a coarse-grained vulnerability screening model: Load the parameters of the initial encoder and fine-tune the training using data with function-level vulnerability labels; S103: Constructing a fine-grained vulnerability localization model: Inheriting the encoder parameters of the coarse-grained vulnerability screening model, fine-grained training is performed using mixed training data containing row-level labels and function-level labels; the fine-grained vulnerability localization model includes a dual-path adaptive gating fusion network and a multi-instance learning weak supervision mechanism; S104: Input the source code to be detected into the coarse-grained vulnerability screening model. If it is determined to be a candidate vulnerability function, input the source code into the fine-grained vulnerability localization model to obtain the initial vulnerability score for each line of code. Based on the preset constraint rules, the initial vulnerability scores are penalized and reordered, and the vulnerability code line localization sequence is output.

[0029] In step S101, this embodiment constructs a layered mask pre-training model for vulnerability awareness, such as... Figure 2 As shown. By collecting historical source code data containing source code, vulnerability line tags, and vulnerability type information, the code data comes from multiple vulnerability detection datasets such as Reveal and Sard. Based on a pre-defined vulnerability awareness layered masking strategy, the encoder is pre-trained with the historical source code data as training corpus to obtain an initial encoder model injected with prior vulnerability knowledge. The specific steps include the following: S1011: Obtain a historical source code dataset containing vulnerability line annotations and vulnerability type (CWE) annotations. Use a lexicalization method to parse the code sequence, obtaining the lexical sequence and the positional correspondence between lexical elements and code lines. CWE stands for "Common Weakness Enumeration," a dictionary that standardizes the classification of software and hardware security vulnerability types. Each CWE entry corresponds to a specific vulnerability type (e.g., CWE-89 for SQL injection, CWE-121 for stack buffer overflow) and is assigned a unique number. Understandably, in this invention, some historical source code data is annotated with CWE types to guide the extraction of sensitive keywords in layered masking strategies.

[0030] S1012: Construct a layered masking strategy, since not all samples have vulnerability row annotations and vulnerability classes. Based on the annotation information, this invention categorizes all samples into three types: gold, silver, and bronze, and uses different masking methods. Gold samples have vulnerability line annotations, silver samples have vulnerability type annotations but no vulnerability line annotations, and bronze samples have neither vulnerability line nor vulnerability type annotations. For gold samples, the vulnerability lines are mapped to corresponding words based on the actual annotated vulnerability line information, and these words are masked. The remaining words are masked using a lower-frequency random mask. For silver samples, sensitive keywords related to the corresponding CWE vulnerability type are extracted based on a pre-established mapping relationship between CWE vulnerability types and keywords. Words overlapping with these sensitive keywords are masked, and the remaining words are masked using a lower-frequency random mask. Sensitive keywords include keywords in function calls, dangerous operation identifiers, boundary check conditions, or exception handling statements related to the corresponding CWE vulnerability type. For bronze samples, all words are masked using a random mask.

[0031] Preferably, for gold-type samples, the masking probability of the word corresponding to the vulnerability line is 0.20, and the masking probability of the other words is 0.02; for silver-type samples, the masking probability of the word overlapping with the sensitive keyword is 0.20, and the masking probability of the other words is 0.02; for bronze-type samples, the masking probability of all words is 0.20.

[0032] S1013: The data processed by the layered masking strategy described above is input into the encoder model for self-supervised reconstruction training. Specifically, the word sequence, after being mapped through the embedding layer, is combined with rotational position encoding to form an input representation, which is then fed into the encoder network for contextual feature extraction to predict masked words and optimize the model's underlying representation. After training convergence, an initial encoder model with injected vulnerability prior knowledge is obtained.

[0033] By using the aforementioned layered masking strategy for MLM training, the model aggregates the grammatical and semantic patterns of vulnerabilities in the low-level features, thereby generating initial encoder parameters with vulnerability feature awareness capabilities, providing a domain-specific model initialization foundation for the coarse-grained feature extraction in the subsequent step S102.

[0034] In step S102, the initial encoder model obtained in step S101 is loaded, and coarse-grained feature extraction and vulnerability binary classification fine-tuning training are performed using training data with function-level vulnerability labels; a supplementary view mechanism based on heuristic rules and adaptive gating routing is constructed to correct residual scores, resulting in a coarse-grained vulnerability screening model, such as... Figure 3 As shown, the specific steps include the following: S1021: Load the initial encoder parameters output from step S101. To preserve the global context semantics of long functions and avoid feature loss due to long code truncation, this embodiment uses the Transformer architecture, which supports long sequence context, and its underlying layer has built-in rotation position encoding and attention acceleration mechanisms. The original source code sequence with function-level labels is used as the main view input to the initial encoder model for feature encoding to obtain the hidden layer state sequence of the main view. The original source code comes from the BigVul dataset.

[0035] S1022: Hidden layer state sequence Perform multi-path feature pooling to construct function-level global semantic features. Specifically: extract global special character features from the beginning and end of the sequence. At the same time, for valid code sequences with special padding characters removed. Perform mean pooling respectively With max pooling The three features are then concatenated to obtain enhanced function-level global semantic features. The formula is as follows: , S1023: Construct an adaptive routing and quality gating mechanism to achieve a balance between global dependencies and local structures. First, construct two supplementary local context views using lexical heuristics: a risk view focusing on high-risk operations (such as malloc and pointer dereferencing) and a protection view focusing on conditions such as boundary checks, and obtain the word segmentation sequence of each supplementary view.

[0036] To achieve a balance between global dependencies and local structure, function-level global semantic features are used. For input, design an adaptive routing network, calculating without using supplementary views. Using only the risk view ) and using only the protected view ( Discrete probability distributions of the three strategies: , in and For routing network parameters.

[0037] Considering the potential quality fluctuations in the supplementary views, let and The number of effective tokens in the supplementary view and the main view are used to construct a joint quality evaluation coefficient based on the length of the supplementary view and the ratio of the lengths of the supplementary view and the main view, respectively. : , , in The minimum word threshold (preferably 12) is set. The maximum length percentage threshold is (preferably 0.4). The smoothing factor is set to 4. This quality score effectively masks excessively short, incomplete views and truncates excessively long, redundant views. The routing probability is then adjusted. With quality gate coefficient The product of these factors serves as a comprehensive evaluation metric. During the model training phase, a differentiable discrete approximate routing mechanism is employed to optimize single-path selection, enabling end-to-end learning of routing network parameters through task loss. During the inference and detection phase, a hard selection process is performed based on the comprehensive routing weights, dynamically selecting a unique optimal view strategy. : , During the residual execution phase, only the optimal strategy is activated. Corresponding local feature branches (if selected) The branch increment is then set to 0 to skip redundant feature decoding and reduce computational overhead. This branch is then fed into the encoder to obtain the hidden state, and supplementary view features are obtained through a multi-head attention mechanism. After pooling, it is combined with function-level global semantic features. The components are assembled and fed into a dual-layer sensor. The weights and biases of the last layer of the perceptron are forcibly initialized to zero. An amplitude scaling factor is applied to the raw increment of the two-layer perceptron output. The residuals are then added to the base score to obtain the final function-level predicted score. : , , in, To supplement the score increments generated by the view branches; This represents the two-layer perceptron corresponding to the optimal policy. This represents the function-level global semantic features corresponding to the main view. The base prediction score is obtained after inputting the base classification head.

[0038] Zero initialization and scaling factors limit the extent to which supplementary views can modify the final conclusion, maintaining the stability of the network's initial decisions and the global dominance of the main view.

[0039] Will Input the sigmoid activation function to obtain the vulnerability prediction probability of the current function. Combine this with the function-level ground truth label and use the class-balanced focus loss CBFocalLoss to calculate the classification loss. Among them, CBFocalLoss enhances the model's attention to minority and hard samples by introducing class balancing weights and a focus modulation factor. Simultaneously, it extracts... The input projection layer brings similar labeled samples closer together and pushes apart dissimilar samples in the feature space, and the supervised contrastive loss is calculated. .

[0040] Based on classification loss Losses compared with supervision Constructing coarse-grained joint loss: , in, As a weighting factor, it is preferably set to 1 in this embodiment.

[0041] S1024: During the backpropagation process of updating network parameters, a fast gradient adversarial training mechanism (FGM) is introduced to calculate the joint loss. Regarding embedding layer parameters gradient Based on this gradient, adversarial perturbations are injected into the embedding layer. To generate adversarial examples, the calculation formula is: , in The perturbation scalar is used. The perturbated adversarial sample is then re-input into the coarse-grained vulnerability screening model for forward computation, and the adversarial loss is calculated using the same joint loss function as the original sample. First, the joint loss is based on the original samples. Perform backpropagation, and then base it on adversarial loss. Perform backpropagation. The network weights are updated by accumulating the gradients from two backpropagations to improve the model's robustness and generalization ability in the coarse-grained vulnerability screening stage. After training converges, the coarse-grained vulnerability screening model is output.

[0042] In step S103: Inheriting the encoder parameters of the coarse-grained vulnerability screening model, vulnerability sample data containing precise row-level labels, weakly supervised sample data containing function-level labels, and negative sample data without vulnerabilities are constructed based on the BigVul dataset, and the data with different labeling granularities are integrated into mixed training data; a dual-path adaptive gating fusion network containing row-level self-attention mechanism, local window perception, and multi-slot global memory interaction is constructed, and a weakly supervised mechanism of multi-instance learning is introduced to extract function-level features; fine-tuning training is performed using a joint loss function containing function-level classification loss and row-level multi-task localization loss to obtain a fine-grained vulnerability localization model, the construction process of which is as follows: Figure 4 As shown, the specific process includes the following: S1031: Inherits the encoder parameters of the coarse-grained vulnerability screening model. Without explicitly constructing the program dependency graph, it inputs the source code sequence into the encoder for feature extraction, obtains the hidden layer state sequence at the word level, and synchronously updates the parameters during backpropagation. Simultaneously, it extracts the physical location mapping relationship from words to lines of code.

[0043] S1032: Abandoning the Program Dependency Graph (PDG) construction, this method directly performs mean pooling and mean pooling on all token features belonging to the same code line based on the physical location mapping relationship from tokens to code lines. The dual-pooling features are then concatenated to generate independent representation vectors for each code line. Specifically, for tokens belonging to the first... All lexical feature sequences of the line Perform two-way pooling to generate an independent representation vector for that line of code. The calculation formula is: , The initial sequence of code lines is formed after pooling. ,in The total number of rows in this function is the sequence input containing... The row-level feature encoder with a layered coding structure establishes contextual logical dependencies between lines of code through a row-level self-attention mechanism. In this embodiment, it is preferable to set the number of stacked coding layers. In each layer of the coding structure, a line-level multi-head self-attention mechanism is used to establish cross-line logical dependencies between lines of code. After the self-attention feature extraction and network stacking described above, each line of code fully absorbs the logical semantics of its context, ultimately outputting an updated sequence of row vector representations that incorporates cross-row dependencies. .

[0044] S1033: Constructing a dual-path evidence interaction and adaptive gating fusion mechanism. Traditional models often lack multi-dimensional information. This embodiment constructs a dual-path channel that operates in parallel with local and global data to extract multi-dimensional contextual features.

[0045] First, a local evidence channel is constructed, and local line features within the window of each line of code are extracted for attention interaction. For the first... The code is processed by extracting the features of adjacent rows within the preset window before and after it. In this embodiment, the span of the preset window is preferably 3 rows, and a local context window matrix is ​​constructed. Represented by the current line. For query, with As the key and value, respectively, they are transformed by linear transformation matrices. , Perform spatial mapping and cross-attention calculation to obtain local interaction features. : , Secondly, a multi-slot global memory channel is constructed. Function-level global special character features obtained from fine-grained model internal feature pooling are extracted. Global mean pooling feature Global max pooling features And selected in combination with a pre-scoring mechanism The highest-risk vulnerability cluster features The pre-scoring mechanism introduces a lightweight linear scoring layer based on the basic row features. The risk score for each row is initially calculated, and the top K rows of code with the highest scores are directly selected. In this embodiment, K is preferably 5. These rows are then concatenated along a specific dimension to form a multi-slot global memory matrix. Subsequently, the vector sequence is represented in all lines of code. As a query, with As keys and values, through a mapping matrix Perform spatial mapping, execute cross-attention operations, and extract global features. : , in, This represents the scaling dimension of the feature space. Through the aforementioned dual-channel approach, the model accurately quantifies the attention weight distribution of each line of code within the local context and global vulnerability patterns.

[0046] Then, an adaptive gating mechanism is introduced to dynamically control the amount of information injected into the target code line from local and global features. The extracted local features... Global features Compared with the original line of code Concatenation is performed along the feature dimension, using an activation function. Calculate the gate weight coefficient matrix for the linear network layer: , in This indicates a feature concatenation operation. and For learnable gated network parameters, and These are the fusion weights for local and global features, respectively.

[0047] Based on the gated weight coefficients, residual fusion with dynamic weights is performed to generate the final fused row feature representation. : , in This represents the Hadamard product. Mathematically, this mechanism ensures that the model can adaptively balance local variable dependencies with global vulnerability information, achieving feature alignment across granularities.

[0048] The fused row feature sequence The multilayer perceptron classification head is sequentially input, and after dimensionality reduction and mapping by a fully connected layer, the initial prediction score sequence of each line of code in the current function is output. ,in Indicates the first The line of code contains a relative risk score for vulnerabilities, which is used to characterize the relative order of the security flaws present in each line of code within the current function.

[0049] S1034: Introducing a function-level weak supervision mechanism based on multi-instance learning. Considering that real-world auditing scenarios often involve weak supervision with only function-level labels and lacking precise line-level labels, and that the training data contains some security negative samples without vulnerabilities, this embodiment treats the current function as a bag and each line of code as an instance. This allows for the use of function-level labels to achieve function-level weak supervision learning.

[0050] Specifically, through an attention network containing the Tanh activation function Calculate the initial feature score for each line of code and normalize it using the Softmax function to obtain the score for the first line. Instance weight of line code : , Using this instance weight distribution, a weighted summation and aggregation of all fused row features within the function is performed to generate an enhanced function-level feature representation. : , Will Input a linear classifier, output a function-level predicted logistic value. Then, the activation function Sigmoid is used to convert it into a function-level vulnerability prediction probability. Using this logical value and the actual function-level label. Calculate the function-level binary cross-entropy loss for multi-instance learning. , As a function-level classification loss in the fine-grained stage, the model can assign supervision signals to high-risk lines of code based on function-level labels during the backpropagation stage, thereby making full use of vulnerability samples and negative samples with function-level labels to participate in weakly supervised training.

[0051] S1035: Based on the predicted scoring sequence and the actual row-level vulnerability labels, a row-level multi-task localization loss function is used to calculate the network error and perform backpropagation. Specifically, the row-level multi-task localization loss function includes: a Dice loss to directly optimize the intersection-union ratio of positive and negative samples to overcome extreme area imbalance; a contrastive ranking loss to ensure that the scores of real vulnerability rows are higher than those of non-vulnerable rows and to introduce a difficult negative sample mining mechanism; and a list-level ranking loss to treat all lines of code within the current function as a probability distribution and minimize KL divergence optimization.

[0052] Based on the predicted scoring sequence of each line of code and the actual line-level vulnerability labels, a fine-grained total loss function is constructed to overcome the extreme imbalance in area localization across multiple tasks. Defined as: , in, The function-level classification loss is extracted for the multi-instance mechanism; For Dice's loss; Mining for difficult negative samples; The loss is a list-level sorting loss. A global relative score constraint is implemented. In this embodiment, the hyperparameters are balanced. The preferred setting is 1.

[0053] The overall network weights are updated by combining the above multiple losses, and a fine-grained vulnerability localization model is output after training convergence.

[0054] In step S104, a collaborative detection framework and syntax reordering mechanism are used to perform end-to-end localization detection on the target code. The specific process is as follows: First, the source code of the target to be detected is obtained and input into a finely tuned coarse-grained vulnerability screening model to obtain the predicted probability of function-level vulnerabilities. If this probability is lower than a preset classification threshold... (In this embodiment, 0.5 is preferred), then it is determined that there are no vulnerabilities, and the detection process is terminated; if it is greater than or equal to If it is, then it is considered as a candidate vulnerability function.

[0055] Next, the source code sequence of the candidate vulnerable function is input into the fine-grained vulnerability localization model after fine-tuning. The fine-grained vulnerability localization model re-extracts features and executes the interactive scoring mechanism described in steps S1032 to S1033, outputting the initial vulnerability scoring sequence for each line of code within the function. .

[0056] Then, the plain text content of each corresponding line of code is extracted and subjected to syntax pattern matching. Empty lines, pure comment lines, and meaningless lines of code containing only basic delimiters are identified, and a syntax constraint penalty mechanism is constructed. If the... Lines of code with meaningless behavior are penalized with a minimum value for their score. This makes the corrected score .

[0057] Finally, the corrected scoring sequence is reordered in descending order, and the top-ranked scores are output. The code lines are used as the final sequence for locating the vulnerable code lines.

[0058] The coarse-grained collaborative code vulnerability localization method provided in this embodiment can be applied to software security auditing scenarios, such as embedding it in continuous integration and continuous deployment (CI / CD) pipelines. It automatically scans the source code submitted by developers each time, outputting the specific line number of the vulnerability, allowing security auditors or developers to quickly locate and fix it. The effectiveness of this invention is further demonstrated below with an example.

[0059] Pre-set classification thresholds for coarse-grained vulnerability screening models With parameters such as c=0.5 and extracting the top K=2 lines of code as output, the C language function code to be tested is: Line 1: void process_data(char *input) { Line 2: char buffer

[16] ; Line 3: / / Perform data string copy Line 4: strcpy(buffer, input); Line 5:} The function was input into the trained coarse-grained vulnerability screening model, and the probability of a function-level vulnerability was 0.92. Since 0.92 is greater than the threshold of 0.5, the function was determined to be a candidate vulnerability function.

[0060] Subsequently, it is input into a fine-grained vulnerability location model, which outputs an initial score for each line of code: Line 1: 0.15, Line 2: 0.22, Line 3: 0.41, Line 4: 0.89, Line 5: 0.08.

[0061] After filtering, the third line was identified as a comment and the fifth line as parentheses. Let their scores be... ∞.

[0062] The corrected score sequence becomes: row 1 (0.15), row 2 (0.22), row 3 ( ∞), line 4 (0.89), line 5 ( ∞).

[0063] Finally, the code is reordered in descending order, and the top two lines of code are located at line 4 and line 2.

[0064] Security auditors can directly locate line 4 (strcpy(buffer, input);) for focused investigation to confirm that it has a high risk of buffer overflow.

[0065] The precise end-to-end positioning described above reduces false alarms and manual investigation costs in security audits.

[0066] In summary, this invention effectively reduces resource consumption, significantly improves the accuracy of line-level vulnerability localization, and reduces false alarms and manual investigation costs in security auditing by employing methods such as vulnerability awareness pre-training, coarse-grained collaborative localization, dual-gating fusion, and multi-task loss.

[0067] Example 2 This embodiment provides a coarse- and fine-grained collaborative code vulnerability localization system, including: The pre-training module is configured to: acquire historical code data containing line-level vulnerability labels, pre-train the encoder using a layered masking strategy, and obtain an initial encoder. The coarse-grained screening module is configured to: build a coarse-grained vulnerability screening model: load the parameters of the initial encoder and fine-tune the training using data with function-level vulnerability labels; The fine-grained vulnerability localization module is configured to: construct a fine-grained vulnerability localization model: inherit the encoder parameters of the coarse-grained vulnerability screening model, and perform fine-grained fine-tuning training using mixed training data containing row-level labels and function-level labels; the fine-grained vulnerability localization model includes a dual-path adaptive gating fusion network and a multi-instance learning weak supervision mechanism; The collaborative detection module is configured to: input the source code to be detected into the coarse-grained vulnerability screening model; if it is determined to be a candidate vulnerability function, input the source code into the fine-grained vulnerability localization model to obtain the initial vulnerability score for each line of code; and penalize and reorder the initial vulnerabilities based on preset constraint rules, and output the vulnerability code line localization sequence.

[0068] It should be noted that each module in this embodiment corresponds one-to-one with each step in Embodiment 1, and their specific implementation process is the same, so it will not be repeated here.

[0069] Example 3 This embodiment also provides a computer-readable storage medium for storing computer instructions, which, when executed by a processor, complete the method described in Embodiment 1.

[0070] The above description is merely a preferred embodiment of the present invention and is not intended to limit the invention. Various modifications and variations can be made to the present invention by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of the present invention should be included within the scope of protection of the present invention.

Claims

1. A coarse- and fine-grained collaborative method for locating code vulnerabilities, characterized in that, include: Historical code data containing line-level vulnerability labels is obtained, and the encoder model is pre-trained using a layered masking strategy to obtain the initial encoder; Construct a coarse-grained vulnerability screening model: Load the parameters of the initial encoder and fine-tune the training using data with function-level vulnerability labels; Construct a fine-grained vulnerability localization model: Inherit the encoder parameters of the coarse-grained vulnerability screening model and perform fine-tuning training using mixed training data containing row-level labels and function-level labels; the fine-grained vulnerability localization model includes a dual-path adaptive gating fusion network and a multi-instance learning weak supervision mechanism; The source code to be tested is input into the coarse-grained vulnerability screening model. If it is determined to be a candidate vulnerability function, the source code is input into the fine-grained vulnerability localization model to obtain the initial vulnerability score for each line of code. The initial vulnerability scores are penalized and reordered based on preset constraint rules, and a sequence of vulnerability code line locations is output.

2. The method according to claim 1, characterized in that, The hierarchical masking strategy includes: for samples containing real vulnerability line annotations, mapping the vulnerability lines to corresponding words and performing masking, and using a low-frequency random mask for the remaining words; for samples that do not contain vulnerability line annotations but contain vulnerability type annotations, based on a predefined mapping relationship between vulnerability types and sensitive keywords, performing masking on words that overlap with sensitive keywords, and using a low-frequency random mask for the remaining words; for samples that do not contain vulnerability line annotations or vulnerability type annotations, performing a random mask for all words.

3. The method according to claim 1, characterized in that, When constructing a coarse-grained vulnerability screening model, the method also includes: constructing function-level global semantic features using multi-path feature pooling. Specifically, multi-path feature pooling includes: extracting the global special character features at the beginning of the sequence as the first feature; performing mean pooling on the effective code sequence to obtain the second feature; performing max pooling on the effective code sequence to obtain the third feature; and concatenating and fusing the first, second, and third features to obtain enhanced function-level global semantic features.

4. The method according to claim 3, characterized in that, Fine-tuning the coarse-grained vulnerability screening model also includes: Supplementary views are extracted from the source code based on lexical heuristics, and these supplementary views include risk views and protection views. An adaptive routing network is constructed based on the enhanced function-level global semantic features. The probability distribution of view strategies is calculated. The view strategies include not using supplementary views, using risky views, and using protected views. A joint quality evaluation coefficient is constructed based on the ratio of the effective term length of the supplementary views to the length of the main view composed of the original source code sequence. The optimal view strategy is selected based on the probability distribution and the joint quality evaluation coefficient. During the residual execution phase, only the feature branch corresponding to this strategy is activated, encoded and pooled, and then concatenated with the enhanced global semantic features and input into the multilayer perceptron. An amplitude scaling is applied to the original increment output by the multilayer perceptron, and the residual is added to the base prediction score of the main view to obtain the final function-level prediction score; wherein, the base prediction score is obtained by inputting the function-level global semantic features of the main view into the base classification head; The final function-level prediction score is converted into vulnerability prediction probability through an activation function and combined with the function-level real label to calculate the classification loss; global special character features are extracted to calculate the supervised contrast loss, and the joint loss is constructed by weighted summation with the classification loss. A fast gradient adversarial training mechanism is introduced during backpropagation to calculate the adversarial loss. Backpropagation is performed based on the joint loss and the adversarial loss respectively. The network weights are updated by gradient accumulation. After training converges, a coarse-grained vulnerability screening model is obtained.

5. The method according to claim 1, characterized in that, Building a fine-grained vulnerability localization model also includes: Without constructing a program dependency graph, the source code sequence is input into an encoder that inherits from a coarse-grained vulnerability screening model for feature extraction to obtain a word-level hidden layer state sequence. Based on the physical location mapping from lexical units to code lines, mean pooling and max pooling are performed on all lexical features belonging to the same code line and then concatenated to generate independent representation vectors for each code line. The independent representation vectors of each line of code are input into the line-level feature encoder, and the contextual logical dependencies between lines of code are established through the line-level self-attention mechanism.

6. The method according to claim 1, characterized in that, The dual-path adaptive gating fusion network includes: Local evidence channel: Extract local line features within a preset window range of each line of code for attention interaction; A multi-slot global memory channel extracts function-level global special character features, global mean pooling features, global max pooling features, and high-risk code line features extracted based on a pre-scoring mechanism, forming a multi-slot global memory matrix for attention interaction; An adaptive gating mechanism is used to calculate the fusion weights of local and global evidence, and to perform residual fusion of local features, global features and code line representations. The resulting sequence is then output as a predicted score for each code line through a mapping network. The multi-instance learning weak supervision mechanism treats the current function as a package and each line of code as an instance. It uses an attention mechanism to perform weighted aggregation of the fused line features and calculates the function-level classification loss based on the function-level feature representation, so as to use function-level labels to perform weak supervision training on the fine-grained vulnerability localization model.

7. The method according to claim 6, characterized in that, In the fine-tuning training of the fine-grained vulnerability localization model, based on the predicted scoring sequence and the actual row-level vulnerability labels, the row-level multi-task localization loss function is used to calculate the network error and perform backpropagation. The row-level multi-task localization loss function includes: Dice loss for directly optimizing the intersection-union ratio of positive and negative samples to overcome extreme area imbalance; contrast ranking loss for ensuring that the score of real vulnerability rows is higher than that of non-vulnerability rows and introducing a difficult negative sample mining mechanism; and list-level ranking loss for minimizing KL divergence optimization by treating all lines of code in the current function as a probability distribution. The overall network weights are updated by combining the function-level classification loss and the row-level multi-task localization loss, and the fine-grained vulnerability localization model is obtained after training convergence.

8. The method according to claim 1, characterized in that, The source code to be tested is input into the coarse-grained vulnerability screening model. If it is determined to be a candidate vulnerable function, the source code is input into the fine-grained vulnerability localization model to obtain the initial vulnerability score for each line of code, specifically: The source code to be detected is input into a coarse-grained vulnerability screening model to obtain the probability of function-level vulnerabilities. If the probability is lower than a preset classification threshold, it is determined to be without vulnerabilities. If the probability is higher than or equal to the preset classification threshold, it is determined to be a candidate vulnerable function. The source code is then input into a fine-grained vulnerability localization model to output the initial vulnerability score for each line of code.

9. A coarse- and fine-grained collaborative code vulnerability localization system, characterized in that, include: The pre-training module is configured to: acquire historical code data containing line-level vulnerability labels, pre-train the encoder model using a layered masking strategy, and obtain the initial encoder. The coarse-grained screening module is configured to: build a coarse-grained vulnerability screening model: load the parameters of the initial encoder and fine-tune the training using data with function-level vulnerability labels; The fine-grained localization module is configured to: construct a fine-grained vulnerability localization model: inherit the encoder parameters of the coarse-grained vulnerability screening model, and perform fine-tuning training using mixed training data containing row-level labels and function-level labels; the fine-grained vulnerability localization model includes a dual-path adaptive gating fusion network and a multi-instance learning weak supervision mechanism; The collaborative detection module is configured to: input the source code to be detected into the coarse-grained vulnerability screening model; if it is determined to be a candidate vulnerability function, then input the source code into the fine-grained vulnerability localization model to obtain the initial vulnerability score for each line of code. The initial vulnerability scores are penalized and reordered based on preset constraint rules, and a sequence of vulnerability code line locations is output.

10. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the program is executed by the processor, it implements the steps in the coarse-grained collaborative code vulnerability location method as described in any one of claims 1-8.