Chao Ni,Xinrong Guo,Yan Zhu,Xiaodan Xu,Xiaohu Yang

DOI: https://doi.org/10.1109/ase56229.2023.00084

2024-01-01

Abstract:Software vulnerabilities damage the functionality of software systems. Recently, many deep learning-based approaches have been proposed to detect vulnerabilities at the function level by using one or a few different modalities (e.g., text representation, graph-based representation) of the function and have achieved promising performance. However, some of these existing studies have not completely leveraged these diverse modalities, particularly the underutilized image modality, and the others using images to represent functions for vulnerability detection have not made adequate use of the significant graph structure underlying the images. In this paper, we propose MVulD, a multi-modal-based function-level vulnerability detection approach, which utilizes multi-modal features of the function (i.e., text representation, graph representation, and image representation) to detect vulnerabilities. Specifically, MVulD utilizes a pre-trained model (i.e., UniXcoder) to learn the semantic information of the textual source code, employs the graph neural network to distill graph-based representation, and makes use of computer vision techniques to obtain the image representation while retaining the graph structure of the function. We conducted a large-scale experiment on 25,816 functions. The experimental results show that MVulD improves four state-of-the-art baselines by 30.8%-81.3%, 12.8%-27.4%, 48.8%-115%, and 22.9%-141% in terms of F1-score, Accuracy, Precision, and PR-AUC respectively.

Jinyan Cheng,Xiaobin Tan,Hao Wang,Jian Wang,Xiaofeng Jiang,Zhaoyan Jin

DOI: https://doi.org/10.1109/bigcom61073.2023.00015

2023-01-01

Abstract:Vulnerability assessment is a critical aspect of cybersecurity, and its importance has grown significantly. However, traditional methods based on attack graph are expensive and lack interpretability. And emerging methods based on knowledge graph, there is currently no widely accepted scheme in the industry. To address this issue, we propose a new scheme named KG-Rank, which leverages the correlations between vulnerabilities and assets through a knowledge graph and improves PageRank to assess and rank vulnerabilities. The KG-Rank scheme involves constructing Vulnerability Knowledge Graph (VKG) and Weakness Knowledge Graph (WKG), and obtaining new relations between weaknesses through relational reasoning on WKG by using a relational reasoning model called Doc2TransR to complete VKG. We then transform the nodes and edges in VKG and assess nodes on the transformed graph using a designed random walk strategy. Our experimental results demonstrate the effectiveness and reliability of KG-Rank, which considers not only the severity of vulnerabilities but also the importance of assets and the exposure scope of vulnerabilities and assets.

Jinfu Chen,Yemin Yin,Saihua Cai,Weijia Wang,Shengran Wang,Jiming Chen

DOI: https://doi.org/10.1016/j.scico.2024.103156

IF: 1.039

2024-01-01

Science of Computer Programming

Abstract:Software vulnerability detection is a challenging task in the security field, the boom of deep learning technology promotes the development of automatic vulnerability detection. Compared with sequence-based deep learning models, graph neural network (GNN) can learn the structural features of code, it performs well in the field of vulnerability detection for source code. However, different GNNs have different detection results for the same code, and using a single kind of GNN may lead to high false positive rate and false negative rate. In addition, the complex structure of source code causes single GNN model cannot effectively learn their depth feature, thereby leading to low detection accuracy. To solve these limitations, we propose a software vulnerability detection model called iGnnVD based on the integrated graph neural networks. In the proposed iGnnVD model, the base detectors including GCN, GAT and APPNP are first constructed to capture the bidirectional information in the code graph structure with bidirectional structure; And then, the residual connection is used to aggregate the features while retaining the features each time; Finally, the convolutional layer is used to perform the aggregated classification. In addition, an integration module that analyses the detection results of three detectors for final classification is designed using a voting strategy to solve the problem of high false positive rate and false negative rate caused by using a single kind of base detector. We perform extensive experiments on three datasets and experimental results show that the proposed iGnnVD model can improve the detection accuracy of vulnerabilities in source code as well as reduce the false positive rate and false negative rate compared with existing deep learning-based vulnerability detection models, it also has good stability.

M. Xie,T. Rahat,W. Wang,Y. Tian

DOI: https://doi.org/10.48550/arXiv.2312.04818

2023-12-08

Cryptography and Security

Abstract:In an increasingly interconnected and data-driven world, the importance of robust security measures cannot be overstated. A knowledge graph constructed with information extracted from the system along with the desired security behavior can be utilized to identify complex security vulnerabilities hidden underneath the systems. Unfortunately, existing security knowledge graphs are constructed from coarse-grained information extracted from publicly available vulnerability reports, which are not equipped to check actual security violations in real-world system implementations. In this poster, we present a novel approach of using Program Knowledge Graph that is embedded with fine-grained execution information of the systems (e.g., callgraph, data-flow, etc.) along with information extracted from the public vulnerability and weakness datasets (e.g., CVE and CWE). We further demonstrate that our custom security knowledge graph can be checked against the standard queries generated by LLM, providing a powerful way to identify security vulnerabilities and weaknesses in critical systems.

Zhenpeng Shi,Nikolay Matyunin,Kalman Graffi,David Starobinski

DOI: https://doi.org/10.1145/3641819

IF: 2.717

2024-02-05

ACM Transactions on Privacy and Security

Abstract:Security assessment relies on public information about products, vulnerabilities, and weaknesses. So far, databases in these categories have rarely been analyzed in combination. Yet, doing so could help predict unreported vulnerabilities and identify common threat patterns. In this article, we propose a methodology for producing and optimizing a knowledge graph that aggregates knowledge from common threat databases (CVE, CWE, and CPE). We apply the threat knowledge graph to predict associations between threat databases, specifically between products, vulnerabilities, and weaknesses. We evaluate the prediction performance both in closed world with associations from the knowledge graph and in open world with associations revealed afterward. Using rank-based metrics (i.e., Mean Rank, Mean Reciprocal Rank, and Hits@N scores), we demonstrate the ability of the threat knowledge graph to uncover many associations that are currently unknown but will be revealed in the future, which remains useful over different time periods. We propose approaches to optimize the knowledge graph and show that they indeed help in further uncovering associations. We have made the artifacts of our work publicly available.

computer science, information systems

Xiaoxue Wu,Shiyu Weng,Bin Zheng,Wei Zheng,Xiang Chen,Xiaobin Sun

DOI: https://doi.org/10.1002/smr.2727

2024-08-30

Journal of Software Evolution and Process

Abstract:Proposing NG_MDERANK, a novel approach for extracting software vulnerability feature knowledge using N‐gram similarity, enhancing detection and analysis of vulnerabilities by identifying multiword phrases critical to security. NG_MDERANK can efficiently and stably analyze samples in environments with large sample sizes and complex samples and can yield high‐value semi‐structured data. Based on the extraction results, the corresponding software vulnerability domain knowledge graph is constructed, which helps to efficiently study software security problems and solve vulnerability problems. As software grows in size and complexity, software vulnerabilities are increasing, leading to a range of serious insecurity issues. Open‐source software vulnerability reports and documentation can provide researchers with great convenience for analysis and detection. However, the quality of different data sources varies, the data are duplicated and lack of correlation, which often requires a lot of manual management and analysis. In order to solve the problems of scattered and heterogeneous data and lack of correlation in traditional vulnerability repositories, this paper proposes a software vulnerability feature knowledge extraction method that combines the N‐gram model and mask similarity. The method generates mask text data based on the extraction of N‐gram candidate keywords and extracts vulnerability feature knowledge by calculating the similarity of mask text. This method analyzes the samples efficiently and stably in the environment of large sample size and complex samples and can obtain high‐value semi‐structured data. Then, the final node, relationship, and attribute information are obtained by secondary knowledge cleaning and extraction of the extracted semi‐structured data results. And based on the extraction results, the corresponding software vulnerability domain knowledge graph is constructed to deeply explore the semantic information features and entity relationships of vulnerabilities, which can help to efficiently study software security problems and solve vulnerability problems. The effectiveness and superiority of the proposed method is verified by comparing it with several traditional keyword extraction algorithms on Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE) vulnerability data.

computer science, software engineering

Daniel Alfasi,Tal Shapira,Anat Bremler Barr

2024-03-04

Abstract:The proliferation of software vulnerabilities poses a significant challenge for security databases and analysts tasked with their timely identification, classification, and remediation. With the National Vulnerability Database (NVD) reporting an ever-increasing number of vulnerabilities, the traditional manual analysis becomes untenably time-consuming and prone to errors. This paper introduces VulnScopper, an innovative approach that utilizes multi-modal representation learning, combining Knowledge Graphs (KG) and Natural Language Processing (NLP), to automate and enhance the analysis of software vulnerabilities. Leveraging ULTRA, a knowledge graph foundation model, combined with a Large Language Model (LLM), VulnScopper effectively handles unseen entities, overcoming the limitations of previous KG approaches. We evaluate VulnScopper on two major security datasets, the NVD and the Red Hat CVE database. Our method significantly improves the link prediction accuracy between Common Vulnerabilities and Exposures (CVEs), Common Weakness Enumeration (CWEs), and Common Platform Enumerations (CPEs). Our results show that VulnScopper outperforms existing methods, achieving up to 78% Hits@10 accuracy in linking CVEs to CPEs and CWEs and presenting an 11.7% improvement over large language models in predicting CWE labels based on the Red Hat database. Based on the NVD, only 6.37% of the linked CPEs are being published during the first 30 days; many of them are related to critical and high-risk vulnerabilities which, according to multiple compliance frameworks (such as CISA and PCI), should be remediated within 15-30 days. Our model can uncover new products linked to vulnerabilities, reducing remediation time and improving vulnerability management. We analyzed several CVEs from 2023 to showcase this ability.

Cryptography and Security,Artificial Intelligence

Xiaosheng Chen,Wendi Shen,Genke Yang

DOI: https://doi.org/10.1109/IECON48115.2021.9589233

2021-01-01

Abstract:Security evaluation is an essential activity for understanding the risks of industrial networks. Constant changes in networks and updates of security vulnerabilities lead to increasing costs of security testing. To realize the combined exploitation of multiple vulnerabilities in the industrial control network, Knowledge Graph is proposed to be applied in knowledge-driven attack strategy generation in this paper. A graph paradigm of knowledge about vulnerability exploitation is established by integrating and extracting multi-dimensional domain knowledge. By occupying each device-level node, attack strategies based on domain knowledge improve the performance in comprehensive vulnerability exploitation and flexible response. The feasibility of our method is demonstrated through an industrial network example.

Dongdong Du,Xingzhang Ren,Yupeng Wu,Jien Chen,Wei Ye,Jinan Sun,Xiangyu Xi,Qing Gao,Shikun Zhang

DOI: https://doi.org/10.1007/978-3-319-91662-0_3

2018-01-01

Abstract:Software vulnerabilities and their corresponding software components information are usually stored in different locations with different representations. Building accurate traceability links between them to form a unified knowledge graph can be very helpful for vulnerability spreading analysis, component dependency management, and relationship inference. In this paper, we first propose a software vulnerability knowledge graph model which integrates CVE (Common Vulnerabilities and Exposures) information, Java Component metadata in Maven repository and project collaboration data on Github. To construct the knowledge graph, we then propose two ontology matching approaches. The first one links Maven project and Github project in a URL text-matching way. The second one introduces random forests algorithm to link CVE project version and Maven project version based on 16 well-defined features. Experimental results show that matching between CVE project version and Maven project version are highly promising with an accuracy rate as high as 99.8%. The traceability links between vulnerabilities and software components can be more accurate based on our approach.

Ryan Barron,Maksim E. Eren,Manish Bhattarai,Selma Wanna,Nicholas Solovyev,Kim Rasmussen,Boian S. Alexandrov,Charles Nicholas,Cynthia Matuszek

2024-03-26

Abstract:Much of human knowledge in cybersecurity is encapsulated within the ever-growing volume of scientific papers. As this textual data continues to expand, the importance of document organization methods becomes increasingly crucial for extracting actionable insights hidden within large text datasets. Knowledge Graphs (KGs) serve as a means to store factual information in a structured manner, providing explicit, interpretable knowledge that includes domain-specific information from the cybersecurity scientific literature. One of the challenges in constructing a KG from scientific literature is the extraction of ontology from unstructured text. In this paper, we address this topic and introduce a method for building a multi-modal KG by extracting structured ontology from scientific papers. We demonstrate this concept in the cybersecurity domain. One modality of the KG represents observable information from the papers, such as the categories in which they were published or the authors. The second modality uncovers latent (hidden) patterns of text extracted through hierarchical and semantic non-negative matrix factorization (NMF), such as named entities, topics or clusters, and keywords. We illustrate this concept by consolidating more than two million scientific papers uploaded to arXiv into the cyber-domain, using hierarchical and semantic NMF, and by building a cyber-domain-specific KG.

Artificial Intelligence

Ezekia Gilliard,Jinshuo Liu,Ahmed Abubakar Aliyu

DOI: https://doi.org/10.1049/cmu2.12736

IF: 1.345

2024-02-28

IET Communications

Abstract:In our interconnected world, cyber threats continuously evolve, presenting unprecedented challenges to cybersecurity. Conventional methods such as anomaly‐based and feature‐based approaches are encountering limitations and proving inadequate. The utilization of knowledge graph reasoning, leveraging graph structures, emerges as a promising paradigm shift in the landscape of cyberattack detection. This scholarly work delves into contemporary cybersecurity research, examining the potential of knowledge graph reasoning and proposing an innovative methodology with three principal objectives: optimizing data preparation for knowledge graph embedding models, establishing semantic foundations for network analysis via the system state graph ontology, and elevating network attack recognition through knowledge graph inference techniques. The study conducts experiments, comparing the proposed approach against existing methodologies, and demonstrates its efficacy in addressing the challenges associated with the escalating volume of network data. This approach signifies a promising trajectory towards automating network attack recognition and fortifying network security by seamlessly integrating knowledge graphs. In today's digital landscape, cybercriminals are constantly evolving their tactics, making it challenging for traditional cybersecurity methods to keep up. To address this issue, this study explores the potential of knowledge graph reasoning as a more adaptable and sophisticated approach to identify and counter network attacks. By leveraging graph structures imbued with human‐like thinking, this method enhances the resilience of cybersecurity systems. The study focuses on three critical aspects: data preparation, semantic foundations, and knowledge graph inference techniques. Through an in‐depth analysis of these components, the research aims to reveal how knowledge graph reasoning can improve cyberattack detection and enhance the overall efficacy of cybersecurity measures, including intrusion detection systems. The proposed approach has undergone extensive experimentation to validate its effectiveness compared to existing methods. The results of the experiment have shown a remarkable advancement in accuracy, speed, and recall for recognition, surpassing current methods. This achievement is a notable contribution in the realm of managing big data in cybersecurity. The study establishes a foundation for the automation of network attack detection, ultimately enhancing overall network security.

engineering, electrical & electronic

Kai Liu,Fei Wang,Zhaoyun Ding,Sheng Liang,Zhengfei Yu,Yun Zhou

DOI: https://doi.org/10.3390/electronics11152287

IF: 2.9

2022-07-23

Electronics

Abstract:In today's dynamic complex cyber environments, Cyber Threat Intelligence (CTI) and the risk of cyberattacks are both increasing. This means that organizations need to have a strong understanding of both their internal CTI and their external CTI. The potential for cybersecurity knowledge graphs is evident in their ability to aggregate and represent knowledge about cyber threats, as well as their ability to manage and reason with that knowledge. While most existing research has focused on how to create a full knowledge graph, how to utilize the knowledge graph to tackle real-world industrial difficulties in cyberattack and defense situations is still unclear. In this article, we give a quick overview of the cybersecurity knowledge graph's core concepts, schema, and building methodologies. We also give a relevant dataset review and open-source frameworks on the information extraction and knowledge creation job to aid future studies on cybersecurity knowledge graphs. We perform a comparative assessment of the many works that expound on the recent advances in the application scenarios of cybersecurity knowledge graph in the majority of this paper. In addition, a new comprehensive classification system is developed to define the linked works from 9 core categories and 18 subcategories. Finally, based on the analyses of existing research issues, we have a detailed overview of various possible research directions.

engineering, electrical & electronic,computer science, information systems,physics, applied

Aditya Pingle,Aritran Piplai,Sudip Mittal,Anupam Joshi,James Holt,Richard Zak

DOI: https://doi.org/10.48550/arXiv.1905.02497

2019-05-07

Computation and Language

Abstract:Security Analysts that work in a `Security Operations Center' (SoC) play a major role in ensuring the security of the organization. The amount of background knowledge they have about the evolving and new attacks makes a significant difference in their ability to detect attacks. Open source threat intelligence sources, like text descriptions about cyber-attacks, can be stored in a structured fashion in a cybersecurity knowledge graph. A cybersecurity knowledge graph can be paramount in aiding a security analyst to detect cyber threats because it stores a vast range of cyber threat information in the form of semantic triples which can be queried. A semantic triple contains two cybersecurity entities with a relationship between them. In this work, we propose a system to create semantic triples over cybersecurity text, using deep learning approaches to extract possible relationships. We use the set of semantic triples generated through our system to assert in a cybersecurity knowledge graph. Security Analysts can retrieve this data from the knowledge graph, and use this information to form a decision about a cyber-attack.

Yufan Zhuang,Sahil Suneja,Veronika Thost,Giacomo Domeniconi,Alessandro Morari,Jim Laredo

DOI: https://doi.org/10.48550/arXiv.2109.03341

2021-09-08

Abstract:Identifying vulnerable code is a precautionary measure to counter software security breaches. Tedious expert effort has been spent to build static analyzers, yet insecure patterns are barely fully enumerated. This work explores a deep learning approach to automatically learn the insecure patterns from code corpora. Because code naturally admits graph structures with parsing, we develop a novel graph neural network (GNN) to exploit both the semantic context and structural regularity of a program, in order to improve prediction performance. Compared with a generic GNN, our enhancements include a synthesis of multiple representations learned from the several parsed graphs of a program, and a new training loss metric that leverages the fine granularity of labeling. Our model outperforms multiple text, image and graph-based approaches, across two real-world datasets.

Artificial Intelligence,Software Engineering

Fangcheng Qiu,Zhongxin Liu,Xing Hu,Xin Xia,Gang Chen,Xinyu Wang

DOI: https://doi.org/10.1109/tse.2024.3427815

IF: 7.4

2024-08-18

IEEE Transactions on Software Engineering

Abstract:During software development and maintenance, vulnerability detection is an essential part of software quality assurance. Even though many program-analysis-based and machine-learning-based approaches have been proposed to automatically detect vulnerabilities, they rely on explicit rules or patterns defined by security experts and suffer from either high false positives or high false negatives. Recently, an increasing number of studies leverage deep learning techniques, especially Graph Neural Network (GNN), to detect vulnerabilities. These approaches leverage program analysis to represent the program semantics as graphs and perform graph analysis to detect vulnerabilities. However, they suffer from two main problems: (i) Existing GNN-based techniques do not effectively learn the structural and semantic features from source code for vulnerability detection. (ii) These approaches tend to ignore fine-grained information in source code. To tackle these problems, in this paper, we propose a novel vulnerability detection approach, named MGVD (M ultiple-G raph-Based V ulnerability D etection), to detect vulnerable functions. To effectively learn the structural and semantic features from source code, MGVD uses three different ways to represent each function into multiple forms, i.e., two statement graphs and a sequence of tokens. Then we encode such representations to a three-channel feature matrix. The feature matrix contains the structural feature and the semantic feature of the function. And we add a weight allocation layer to distribute the weights between structural and semantic features. To overcome the second problem, MGVD constructs each graph representation of the input function using multiple different graphs instead of a single graph. Each graph focuses on one statement in the function and its nodes denote the related statements and their fine-grained code elements. Finally, MGVD leverages CNN to identify whether this function is vulnerable based on such feature matrix. We conduct experiments on 3 vulnerability datasets with a total of 30,341 vulnerable functions and 127,931 non-vulnerable functions. The experimental results show that our method outperforms the state-of-the-art by 9.68% – 10.28% in terms of F1-score.

engineering, electrical & electronic,computer science, software engineering

Tiehua Zhang,Rui Xu,Jianping Zhang,Yuze Liu,Xin Chen,Jun Yin,Xi Zheng

DOI: https://doi.org/10.1145/3674729

IF: 3.685

2024-06-28

ACM Transactions on Software Engineering and Methodology

Abstract:Vulnerability detection is a critical problem in software security and attracts growing attention both from academia and industry. Traditionally, software security is safeguarded by designated rule-based detectors that heavily rely on empirical expertise, requiring tremendous effort from software experts to generate rule repositories for large code corpus. Recent advances in deep learning, especially Graph Neural Networks (GNN), have uncovered the feasibility of automatic detection of a wide range of software vulnerabilities. However, prior learning-based works only break programs down into a sequence of word tokens for extracting contextual features of codes, or apply GNN largely on homogeneous graph representation (e.g., AST) without discerning complex types of underlying program entities (e.g., methods, variables). In this work, we are one of the first to explore heterogeneous graph representation in the form of Code Property Graph and adapt a well-known heterogeneous graph network with a dual-supervisor structure for the corresponding graph learning task. Using the prototype built, we have conducted extensive experiments on both synthetic datasets and real-world projects. Compared with the state-of-the-art baselines, the results demonstrate superior performance in vulnerability detection (average F1 improvements over 10% in real-world projects) and language-agnostic transferability from C/C++ to other programming languages (average F1 improvements over 11%).

computer science, software engineering

Arnab Sharma,N'Dah Jean Kouagou,Axel-Cyrille Ngonga Ngomo

2024-10-29

Abstract:In recent years, knowledge graphs have gained interest and witnessed widespread applications in various domains, such as information retrieval, question-answering, recommendation systems, amongst others. Large-scale knowledge graphs to this end have demonstrated their utility in effectively representing structured knowledge. To further facilitate the application of machine learning techniques, knowledge graph embedding (KGE) models have been developed. Such models can transform entities and relationships within knowledge graphs into vectors. However, these embedding models often face challenges related to noise, missing information, distribution shift, adversarial attacks, etc. This can lead to sub-optimal embeddings and incorrect inferences, thereby negatively impacting downstream applications. While the existing literature has focused so far on adversarial attacks on KGE models, the challenges related to the other critical aspects remain unexplored. In this paper, we, first of all, give a unified definition of resilience, encompassing several factors such as generalisation, performance consistency, distribution adaption, and robustness. After formalizing these concepts for machine learning in general, we define them in the context of knowledge graphs. To find the gap in the existing works on resilience in the context of knowledge graphs, we perform a systematic survey, taking into account all these aspects mentioned previously. Our survey results show that most of the existing works focus on a specific aspect of resilience, namely robustness. After categorizing such works based on their respective aspects of resilience, we discuss the challenges and future research directions.

Machine Learning

Elijah Pelofske,Lorie M. Liebrock,Vincent Urias

2024-10-08

Abstract:Open source intelligence is a powerful tool for cybersecurity analysts to gather information both for analysis of discovered vulnerabilities and for detecting novel cybersecurity threats and exploits. However the scale of information that is relevant for information security on the internet is always increasing, and is intractable for analysts to parse comprehensively. Therefore methods of condensing the available open source intelligence, and automatically developing connections between disparate sources of information, is incredibly valuable. In this research, we present a system which constructs a Neo4j graph database formed by shared connections between open source intelligence text including blogs, cybersecurity bulletins, news sites, antivirus scans, social media posts (e.g., Reddit and Twitter), and threat reports. These connections are comprised of possible indicators of compromise (e.g., IP addresses, domains, hashes, email addresses, phone numbers), information on known exploits and techniques (e.g., CVEs and MITRE ATT&CK Technique ID's), and potential sources of information on cybersecurity exploits such as twitter usernames. The construction of the database of potential IoCs is detailed, including the addition of machine learning and metadata which can be used for filtering of the data for a specific domain (for example a specific natural language) when needed. Examples of utilizing the graph database for querying connections between known malicious IoCs and open source intelligence documents, including threat reports, are shown. We show three specific examples of interesting connections found in the graph database; the connections to a known exploited CVE, a known malicious IP address, and a malware hash signature.

Cryptography and Security

Tiehua Zhang,Rui Xu,Jianping Zhang,Yuze Liu,Xin Chen,Jun Yin,Xi Zheng

2024-06-06

Abstract:Vulnerability detection is a critical problem in software security and attracts growing attention both from academia and industry. Traditionally, software security is safeguarded by designated rule-based detectors that heavily rely on empirical expertise, requiring tremendous effort from software experts to generate rule repositories for large code corpus. Recent advances in deep learning, especially Graph Neural Networks (GNN), have uncovered the feasibility of automatic detection of a wide range of software vulnerabilities. However, prior learning-based works only break programs down into a sequence of word tokens for extracting contextual features of codes, or apply GNN largely on homogeneous graph representation (e.g., AST) without discerning complex types of underlying program entities (e.g., methods, variables). In this work, we are one of the first to explore heterogeneous graph representation in the form of Code Property Graph and adapt a well-known heterogeneous graph network with a dual-supervisor structure for the corresponding graph learning task. Using the prototype built, we have conducted extensive experiments on both synthetic datasets and real-world projects. Compared with the state-of-the-art baselines, the results demonstrate promising effectiveness in this research direction in terms of vulnerability detection performance (average F1 improvements over 10\% in real-world projects) and transferability from C/C++ to other programming languages (average F1 improvements over 11%).

Software Engineering,Machine Learning