Chao Ni,Xinrong Guo,Yan Zhu,Xiaodan Xu,Xiaohu Yang

DOI: https://doi.org/10.1109/ase56229.2023.00084

2024-01-01

Abstract:Software vulnerabilities damage the functionality of software systems. Recently, many deep learning-based approaches have been proposed to detect vulnerabilities at the function level by using one or a few different modalities (e.g., text representation, graph-based representation) of the function and have achieved promising performance. However, some of these existing studies have not completely leveraged these diverse modalities, particularly the underutilized image modality, and the others using images to represent functions for vulnerability detection have not made adequate use of the significant graph structure underlying the images. In this paper, we propose MVulD, a multi-modal-based function-level vulnerability detection approach, which utilizes multi-modal features of the function (i.e., text representation, graph representation, and image representation) to detect vulnerabilities. Specifically, MVulD utilizes a pre-trained model (i.e., UniXcoder) to learn the semantic information of the textual source code, employs the graph neural network to distill graph-based representation, and makes use of computer vision techniques to obtain the image representation while retaining the graph structure of the function. We conducted a large-scale experiment on 25,816 functions. The experimental results show that MVulD improves four state-of-the-art baselines by 30.8%-81.3%, 12.8%-27.4%, 48.8%-115%, and 22.9%-141% in terms of F1-score, Accuracy, Precision, and PR-AUC respectively.

Kedi Shen,Yun Zhang,Lingfeng Bao,Zhiyuan Wan,Zhuorong Li,Minghui Wu

DOI: https://doi.org/10.1109/ICSE-COMPANION58688.2023.00049

2023-01-01

Abstract:With the rapid development of open source projects, the continuous emergence of vulnerabilities in the project brings great challenges to the security of the project. Security patches are one of the best ways to deal with vulnerabilities, but are not well applied currently. Although there are sites like CVE/NVD that provide information about vulnerabilities, many of the vulnerabilities disclosed by CVE/NVD are not accompanied by security patches. This makes it difficult for developers to apply patches. In the present study, a sorting method based on extracting multidimensional features from auxiliary information in CVE/NVD was proposed. And we made a further step, we proposed VCMATCH, a model for mining semantic information in vulnerability description and code commit messages, which has good recall rate and applicability across projects. On this basis, we established Patchmatch, a tool for helping developers to quickly locate patches. Given a vulnerability, Patchmatch can forecast the implicit patches in the code repository's commits. Patchmatch also has a visual webpage for information statistics and a display web page to help developers manage all kinds of information in the code repository. A demo video of Patchmatch is at https://www.youtube.com/watch?v=nOBSMFtZV8A. Patchmatch is in https://github.com/Sklud1456/patchmatch.

Shengyi Pan,Lingfeng Bao,Xin Xia,David Lo,Shanping Li

DOI: https://doi.org/10.1109/icse48619.2023.00088

2023-01-01

Abstract:Identifying security patches via code commits to allow early warnings and timely fixes for Open Source Software (OSS) has received increasing attention. However, the existing detection methods can only identify the presence of a patch (i.e., a binary classification) but fail to pinpoint the vulnerability type. In this work, we take the first step to categorize the security patches into fine-grained vulnerability types. Specifically, we use the Common Weakness Enumeration (CWE) as the label and perform fine-grained classification using categories at the third level of the CWE tree. We first formulate the task as a Hierarchical Multi-label Classification (HMC) problem, i.e., inferring a path (a sequence of CWE nodes) from the root of the CWE tree to the node at the target depth. We then propose an approach named TREEVUL with a hierarchical and chained architecture, which manages to utilize the structure information of the CWE tree as prior knowledge of the classification task. We further propose a tree structure aware and beam search based inference algorithm for retrieving the optimal path with the highest merged probability. We collect a large security patch dataset from NVD, consisting of 6,541 commits from 1,560 GitHub OSS repositories. Experimental results show that TREEVUL significantly outperforms the best performing baselines, with improvements of 5.9%, 25.0%, and 7.7% in terms of weighted F1-score, macro F1-score, and MCC, respectively. We further conduct a user study and a case study to verify the practical value of TREEVUL in enriching the binary patch detection results and improving the data quality of NVD, respectively.

Yulun Wu,Ming Wen,Zeliang Yu,Xiaochen Guo,Hai Jin

DOI: https://doi.org/10.1145/3691620.3695013

2024-01-01

Abstract:Open-source software (OSS) has profoundly transformed the software development paradigm by facilitating effortless code reuse. However, in recent years, there has been an alarming increase in disclosed vulnerabilities within OSS, posing significant security risks to downstream users. Therefore, analyzing existing vulnerabilities and precisely assessing their threats to downstream applications become pivotal. Plenty of efforts have been made recently towards this problem, such as vulnerability reachability analysis and vulnerability reproduction. The key to these tasks is identifying the vulnerable function (i.e., the function where the root cause of a vulnerability resides). However, public vulnerability datasets (e.g., NVD) rarely include this information as pinpointing the exact vulnerable functions remains to be a longstanding challenge. Existing methods mainly detect vulnerable functions based on vulnerability patches or Proof-of-Concept (PoC). However, such methods face significant limitations due to data availability and the requirement for extensive manual efforts, thus hindering scalability. To address this issue, we propose a novel approach VFFinder that localizes vulnerable functions based on Common Vulnerabilities and Exposures (CVE) descriptions and the corresponding source code utilizing Large Language Models (LLMs). Specifically, VFFinder adopts a customized in-context learning (ICL) approach based on CVE description patterns to enable LLM to extract key entities. It then performs priority matching with the source code to localize vulnerable functions. We assess the performance of VFFinder on 75 large open-source projects. The results demonstrate that VFFinder surpasses existing baselines significantly. Notably, the Top-1 and MRR metrics have been improved substantially, averaging 4.25X and 2.37X respectively. We also integrate VFFinder with Software Composition Analysis (SCA) tools, and the results show that our tool can reduce the false positive rates of existing SCA tools significantly.

Yang Xiao,Bihuan Chen,Chendong Yu,Zhengzi Xu,Zimu Yuan,Feng Li,Binghong Liu,Yang Liu,Wei Huo,Wei Zou,Wenchang Shi

2020-01-01

Abstract:Recurring vulnerabilities widely exist and remain undetected in real-world systems, which are often resulted from reused code base or shared code logic. However, the potentially small differences between vulnerable functions and their patched functions as well as the possibly large differences between vulnerable functions and target functions to be detected bring challenges to clone-based and function matching-based approaches to identify these recurring vulnerabilities, i.e., causing high false positives and false negatives.In this paper, we propose a novel approach to detect recurring vulnerabilities with low false positives and low false negatives. We first use our novel program slicing to extract vulnerability and patch signatures from vulnerable function and its patched function at syntactic and semantic levels. Then a target function is identified as potentially vulnerable if it matches the vulnerability signature but does not match the patch signature. We implement our approach in a tool named MVP. Our evaluation on ten open-source systems has shown that, i) MVP significantly outperformed state-of-the-art clone-based and function matching-based recurring vulnerability detection approaches; ii) MVP detected recurring vulnerabilities that cannot be detected by general-purpose vulnerability detection approaches, i.e., two learning-based approaches and two commercial tools; and iii) MVP has detected 97 new vulnerabilities with 23 CVE identifiers assigned.

Yun Zhang,David Lo,Xin Xia,Bowen Xu,Jianling Sun,Shanping Li

DOI: https://doi.org/10.1109/ICECCS.2015.15

2015-01-01

Abstract:In recent years, to help developers reduce time and effort required to build highly secure software, a number of prediction models which are built on different kinds of features have been proposed to identify vulnerable source code files. In this paper, we propose a novel approach VULPREDICTOR to predict vulnerable files, it analyzes software metrics and text mining together to build a composite prediction model. VULPREDICTOR first builds 6 underlying classifiers on a training set of vulnerable and non-vulnerable files represented by their software metrics and text features, and then constructs a meta classifier to process the outputs of the 6 underlying classifiers. We evaluate our solution on datasets from three web applications including Drupal, PHPMyAdmin and Moodle which contain a total of 3,466 files and 223 vulnerabilities. The experiment results show that VULPREDICTOR can achieve F1 and EffectivenessRatio@20% scores of up to 0.683 and 75%, respectively. On average across the 3 projects, VULPREDICTOR improves the F1 and EffectivenessRatio@20% scores of the best performing state-of-the-art approaches proposed by Walden et al. by 46.53% and 14.93%, respectively.

Yifei Xu,Zhengzi Xu,Bihuan Chen,Fu Song,Yang Liu,Ting Liu

DOI: https://doi.org/10.1145/3395363.3397361

2020-01-01

Abstract:The binary-level function matching has been widely used to detect whether there are 1-day vulnerabilities in released programs. However, the high false positive is a challenge for current function matching solutions, since the vulnerable function is highly similar to its corresponding patched version. In this paper, the Binary X-Ray (BinXray), a patch based vulnerability matching approach, is proposed to identify the specific 1-day vulnerabilities in target programs accurately and effectively. In the preparing step, a basic block mapping algorithm is designed to extract the signature of a patch, by comparing the given vulnerable and patched programs. The signature is represented as a set of basic block traces. In the detection step, the patching semantics is applied to reduce irrelevant basic block traces to speed up the signature searching. The trace similarity is also designed to identify whether a target program is patched. In experiments, 12 real software projects related to 479 CVEs are collected. BinXray achieves 93.31% accuracy and the analysis time cost is only 296.17ms per function, outperforming the state-of-the-art works.

Xi Xu,Qinghua Zheng,Zheng Yan,Ming Fan,Ang Jia,Zhaohui Zhou,Haijun Wang,Ting Liu

DOI: https://doi.org/10.1109/tse.2023.3332732

IF: 7.4

2023-01-01

IEEE Transactions on Software Engineering

Abstract:Software vulnerabilities are easily propagated through code reuses, which pose dire threats to software system security. Automatic patch presence test offers an effective way to detect whether vulnerabilities have been patched, which is significant for large-scale software system maintenance. However, most existing approaches cannot handle binary codes. They suffer from low accuracy and poor efficiency. None of them are resilient to version gap, function size, and patch size. To tackle the above problems, we propose PatchDiscovery, a patch presence test approach to identify binary vulnerabilities by extracting key basic blocks of patch and vulnerability as their signatures for patch discovery. We propose an efficient and accurate basic block matching method over the normalized and simplified control flow graphs (CFGs) of a vulnerable function (VF) and its patched function (PF) to precisely locate a vulnerability and a patch. Then, we conduct fine-grained patch-level analysis on the patch and the vulnerability to gain their key basic blocks as the signatures of PF and VF for patch presence test. Concretely, the key basic blocks of PF and VF are separately searched in a target function (TF) to identify whether the TF is more similar to PF or VF, i.e., patched or not. Extensive experiments based on two real-world binary datasets that contain 524 common vulnerabilities and exposures (CVEs) with 11607 target functions reveal that PatchDiscovery is very effective and efficient. It achieves $92.2\%$92.2% F-measure and takes only 0.091s on average to test a target function. It is also resilient to version gap, patch size, and function size to a good extent. Moreover, it is outperforming the state-of-the-art works and has a much faster testing speed for large-scale patch detection. Moreover, PatchDiscovery achieves good performance in firmware vulnerability discovery scenario.

Yao Li,Weiyang Xu,Yong Tang,Xianya Mi,Baosheng Wang

DOI: https://doi.org/10.18293/seke2017-117

2017-01-01

Abstract:when manufacturers release patches, they are usually released as binary executable programs. Vendors generally do not disclose the exact location of the vulnerabilities, even they may conceal some of the vulnerabilities, which is not conducive to study the in-depth situation of security for the need of consumers. In this paper we introduce a vulnerability discover method using machine learning based on patch information SemHunt. Firstly, we use it to compare two versions of the same program to get the potential vulnerability-patched function pairs using binary comparison technology. Then, we combine it with vulnerability and patch knowledge database to classify these function pairs and identify the possible vulnerable functions and the vulnerability types. We completed a prototype of SemHunt, which can effectively identify vulnerable function types and the location of corresponding vulnerabilities, which are not revealed in the released patch files. Finally, we test some programs containing real-world CWE vulnerabilities, and one of the experimental results about CWE843 shows that the results returned from only searching source program are about twice as much as the results from SemHunt. We can see that using SemHunt can significantly reduce false positive rate of discovering vulnerabilities compared with analyzing source files alone.

Zan LI,Pan BIAN,Wen-Chang SHI,Bin LIANG

DOI: https://doi.org/10.13328/j.cnki.jos.005505

2018-01-01

Abstract:In recent years,taking the known vulnerable function as the criteria to retrieve the similar implementation has been proven to be an effective vulnerabilities detection method.However,a vulnerable function often contains some statements that are irrelevant to the vulnerability of interest,which may heavily interfere with the similarity computation and lead to false positives and false negatives.This paper presents an approach to improve the precision of the retrieval-based vulnerabilities detection by leveraging the patch of the vulnerable function.The program slicing technique is adopted to exclude irrelevant statements from the original vulnerable function according to the patch.A denoised feature vector is generated from the obtained slice and is used to search the potential unknown vulnerabilities in the code base.This approach has been applied to some real-world projects.Experimental results show that the approach can effectively reduce the interference of irrelevant statements and improve the detection precision.Three confirmed unknown vulnerabilities are successfully detected from the projects.

Tianyu Chen,Lin Li,Taotao Qian,Jingyi Liu,Wei Yang,Ding Li,Guangtai Liang,Qianxiang Wang,Tao Xie

2024-06-09

Abstract:Applying security patches in open source software timely is critical for ensuring the security of downstream applications. However, it is challenging to apply these patches promptly because notifications of patches are often incomplete and delayed. To address this issue, existing approaches employ deep-learning (DL) models to identify additional vulnerability patches by determining whether a code commit addresses a vulnerability. Nonetheless, these approaches suffer from low accuracy due to the imprecise context provided for the patches. To provide precise context for patches, we propose a multi-granularity slicing algorithm and an adaptive-expanding algorithm to accurately identify code related to the patches. Additionally, the precise context enables to design an iterative identification framework, CompVPD, which utilizes the human validation results, and substantially improve the effectiveness. We empirically compare CompVPD with four state-of-the-art/practice (SOTA) approaches in identifying vulnerability patches. The results demonstrate that CompVPD improves the F1 score by 20% compared to the best scores of the SOTA approaches. Additionally, CompVPD contributes to security practice by helping identify 20 vulnerability patches and 18 fixes for high-risk bugs from 2,500 recent code commits in five highly popular open-source projects.

Cryptography and Security

Yan Wang,Peng Jia,Xi Peng,Cheng Huang,Jiayong Liu

DOI: https://doi.org/10.1016/j.cose.2022.103023

IF: 5.105

2022-01-01

Computers & Security

Abstract:Static detection of security vulnerabilities in binary programs is an important research field in software supply chain security. However, existing vulnerability detection methods based on code similarity can only detect known vulnerabilities. Vulnerability features generated by vulnerability pattern-based detection methods are low robust due to the influence of manually defined patterns, compiler diversity, and irrelevant function instructions. In this paper, we propose BinVulDet, which is a binary level vulnerability detection tool for accurate known and unknown vulnerability detection. BinVulDet uses decompilation techniques to obtain pseudo code containing high-level semantic information against the impact of compilation diversity. Then the program slicing technique is used to extract the statements with data dependencies and control dependencies related to the vulnerability. A BiLSTM-attention neural network is used to extract rich contextual semantic information from slice codes to generate more robust vulnerability patterns to detect vulnerabilities. The experimental results show that BinVulDet outperforms the state-of-the-art binary vulnerability detection methods. The FPR and FNR of BinVulDet are 1.04% and 0.89% on average, respectively, which are 3.93% and 22.86% lower than the baseline model on average. BinVulDet can effectively against the influence of compilation diversity and successfully be used for real-world vulnerability detection by being evaluated in three CVE vulnerability projects.

Yikun Hu,Yuanyuan Zhang,Dawu Gu

DOI: https://doi.org/10.1109/access.2019.2901951

IF: 3.9

2019-01-01

IEEE Access

Abstract:The security of binary programs is significantly threatened by software vulnerabilities. When vulnerabilities are found, those applications are exposed to malicious attacks that exploit the known vulnerabilities. Thus, it is necessary to patch them when vulnerabilities are reported to the public as soon as possible. However, it still heavily relies on manual work to locate and correct the corresponding defective code in the binary programs. In order to raise productivity and ensure software security, it becomes imperative to automate the process. In this paper, we propose BINPATCH to automatically patch known vulnerabilities of binary programs. It first locates the defective function, which contains the vulnerability, via similar code comparison. Then, it reuses the corresponding code from the correct version of the defective function as the patch code and inserts it to the defective function via binary rewriting. BINPATCH is evaluated on eight real-world vulnerabilities, and the experimental results show that it is able to not only locate the defective code effectively but also patch the code correctly.

Junaid Akram,Liang Qi,Ping Luo

DOI: https://doi.org/10.1109/ICST.2019.00049

2019-01-01

Abstract:Vulnerable source code fragments remain unfixed for many years and they always propagate to other systems. Unfortunately, this happens often, when patch files are not propagated to all vulnerable code clones. An unpatched bug is a critical security problem, which should be detected and repaired as early as possible. In this paper, we present VCIPR, a scalable system for vulnerability detection in unpatched source code. We present a unique way, that uses a fast, token-based approach to detect vulnerabilities at function level granularity. This approach is language independent, which supports multiple programming languages including Java, C/C++, JavaScript. VCIPR detects most common repair patterns in patch files for the vulnerability code evaluation. We build fingerprint index of top critical CVE's source code, which were retrieved from a reliable source. Then we detect unpatched (vulnerable/non-vulnerable) code fragments in common open source software with high accuracy. A comparison with the state-of-the-art tools proves the effectiveness, efficiency and scalability of our approach. Furthermore, this paper shows that how the hackers can easily identify the vulnerable software whenever a patch file is released.

Zian Liu,Lei Pan,Chao Chen,Ejaz Ahmed,Shigang Liu,Jun Zhang,Dongxi Liu

2024-01-18

Abstract:Similar vulnerability repeats in real-world software products because of code reuse, especially in wildly reused third-party code and libraries. Detecting repeating vulnerabilities like 1-day and N-day vulnerabilities is an important cyber security task. Unfortunately, the state-of-the-art methods suffer from poor performance because they detect patch existence instead of vulnerability existence and infer the vulnerability signature directly from binary code. In this paper, we propose VulMatch to extract precise vulnerability-related binary instructions to generate the vulnerability-related signature. VulMatch detects vulnerability existence based on binary signatures. Unlike previous approaches, VulMatch accurately locates vulnerability-related instructions by utilizing source and binary codes. Our experiments were conducted using over 1000 vulnerable instances across seven open-source projects. VulMatch significantly outperformed the baseline tools Asm2vec and Palmtree. Besides the performance advantages over the baseline tools, VulMatch offers a better feature by providing explainable reasons during vulnerability detection. Our empirical studies demonstrate that VulMatch detects fine-grained vulnerability that the state-of-the-art tools struggle with. Our experiment on commercial firmware demonstrates VulMatch is able to find vulnerabilities in real-world scenario.

Cryptography and Security

Zixuan Tan,Jiayuan Zhou,Xing Hu,Shengyi Pan,Kui Liu,Xin Xia

2024-12-30

Abstract:Identifying recurring vulnerabilities is crucial for ensuring software security. Clone-based techniques, while widely used, often generate many false alarms due to the existence of similar but patched (SBP) code, which is similar to vulnerable code but is not vulnerable due to having been patched. Although the SBP code poses a great challenge to the effectiveness of existing approaches, it has not yet been well explored. In this paper, we propose a programming language agnostic framework, Fixed Vulnerability Filter (FVF), to identify and filter such SBP instances in vulnerability detection. Different from existing studies that leverage function signatures, our approach analyzes code change histories to precisely pinpoint SBPs and consequently reduce false alarms. Evaluation under practical scenarios confirms the effectiveness and precision of our approach. Remarkably, FVF identifies and filters 65.1% of false alarms from four vulnerability detection tools (i.e., ReDeBug, VUDDY, MVP, and an elementary hash-based approach) without yielding false positives. We further apply FVF to 1,081 real-world software projects and construct a real-world SBP dataset containing 6,827 SBP functions. Due to the SBP nature, the dataset can act as a strict benchmark to test the sensitivity of the vulnerability detection approach in distinguishing real vulnerabilities and SBPs. Using this dataset, we demonstrate the ineffectiveness of four state-of-the-art deep learning-based vulnerability detection approaches. Our dataset can help developers make a more realistic evaluation of vulnerability detection approaches and also paves the way for further exploration of real-world SBP scenarios.

Software Engineering,Cryptography and Security

Shouguo Yang,Zhengzi Xu,Yang Xiao,Zhe Lang,Wei Tang,Yang Liu,Zhiqiang Shi,Hong Li,Limin Sun

DOI: https://doi.org/10.1145/3604608

IF: 3.685

2023-06-17

ACM Transactions on Software Engineering and Methodology

Abstract:Vulnerability is a major threat to software security. It has been proven that binary code similarity detection approaches are efficient to search for recurring vulnerabilities introduced by code sharing in binary software. However, these approaches suffer from high false-positive rates since they usually take the patched functions as vulnerable, and they usually do not work well when binaries are compiled with different compilation settings. To this end, we propose an approach, named Robin , to confirm recurring vulnerabilities by filtering out patched functions. Robin is powered by a lightweight symbolic execution to solve the set of function inputs that can lead to the vulnerability-related code. It then executes the target functions with the same inputs to capture the vulnerable or patched behaviors for patched function filtration. Experimental results show that Robin achieves high accuracy for patch detection across different compilers and compiler optimization levels respectively on 287 real-world vulnerabilities of 10 different software. Based on accurate patch detection, Robin significantly reduces the false-positive rate of state-of-the-art vulnerability detection tools (by 94.3% on average), making them more practical. Robin additionally detects 12 new potentially vulnerable functions.

computer science, software engineering

Zhen Li,Deqing Zou,Shouhuai Xu,Hai Jin,Hanchao Qi,Jie Hu

DOI: https://doi.org/10.1145/2991079.2991102

2016-01-01

Abstract:Software vulnerabilities are the fundamental cause of many attacks. Even with rapid vulnerability patching, the problem is more complicated than it looks. One reason is that instances of the same vulnerability may exist in multiple software copies that are difficult to track in real life (e.g., different versions of libraries and applications). This calls for tools that can automatically search for vulnerable software with respect to a given vulnerability. In this paper, we move a step forward in this direction by presenting Vulnerability Pecker (VulPecker), a system for automatically detecting whether a piece of software source code contains a given vulnerability or not. The key insight underlying VulPecker is to leverage (i) a set of features that we define to characterize patches, and (ii) code-similarity algorithms that have been proposed for various purposes, while noting that no single code-similarity algorithm is effective for all kinds of vulnerabilities. Experiments show that VulPecker detects 40 vulnerabilities that are not published in the National Vulnerability Database (NVD). Among these vulnerabilities, 18 are not known for their existence and have yet to be confirmed by vendors at the time of writing (these vulnerabilities are "anonymized" in the present paper for ethical reasons), and the other 22 vulnerabilities have been "silently" patched by the vendors in the later releases of the vulnerable products.

Yu Liu,Lang Gao,Mingxin Yang,Yu Xie,Ping Chen,Xiaojin Zhang,Wei Chen

2024-08-21

Abstract:Large Language Models (LLMs) have training corpora containing large amounts of program code, greatly improving the model's code comprehension and generation capabilities. However, sound comprehensive research on detecting program vulnerabilities, a more specific task related to code, and evaluating the performance of LLMs in this more specialized scenario is still lacking. To address common challenges in vulnerability analysis, our study introduces a new benchmark, VulDetectBench, specifically designed to assess the vulnerability detection capabilities of LLMs. The benchmark comprehensively evaluates LLM's ability to identify, classify, and locate vulnerabilities through five tasks of increasing difficulty. We evaluate the performance of 17 models (both open- and closed-source) and find that while existing models can achieve over 80% accuracy on tasks related to vulnerability identification and classification, they still fall short on specific, more detailed vulnerability analysis tasks, with less than 30% accuracy, making it difficult to provide valuable auxiliary information for professional vulnerability mining. Our benchmark effectively evaluates the capabilities of various LLMs at different levels in the specific task of vulnerability detection, providing a foundation for future research and improvements in this critical area of code security. VulDetectBench is publicly available at <a class="link-external link-https" href="https://github.com/Sweetaroo/VulDetectBench" rel="external noopener nofollow">this https URL</a>.

Cryptography and Security,Artificial Intelligence,Software Engineering

Xiansheng Cao,Junfeng Wang,Peng Wu,Zhiyang Fang

DOI: https://doi.org/10.1049/2024/4313185

2024-03-22

IET Information Security

Abstract:Source code vulnerabilities are one of the significant threats to software security. Existing deep learning-based detection methods have proven their effectiveness. However, most of them extract code information on a single intermediate representation of code (IRC), which often fails to extract multiple information hidden in the code fully, significantly limiting their performance. To address this problem, we propose VulMPFF, a vulnerability detection method that fuses code features under multiple perspectives. It extracts IRC from three perspectives: code sequence, lexical and syntactic relations, and graph structure to capture the vulnerability information in the code, which effectively realizes the complementary information of multiple IRCs and improves vulnerability detection performance. Specifically, VulMPFF extracts serialized abstract syntax tree as IRC from code sequence, lexical and syntactic relation perspective, and code property graph as IRC from graph structure perspective, and uses Bi-LSTM model with attention mechanism and graph neural network with attention mechanism to learn the code features from multiple perspectives and fuse them to detect the vulnerabilities in the code, respectively. We design a dual-attention mechanism to highlight critical code information for vulnerability triggering and better accomplish the vulnerability detection task. We evaluate our approach on three datasets. Experiments show that VulMPFF outperforms existing state-of-the-art vulnerability detection methods (i.e., Rats, FlawFinder, VulDeePecker, SySeVR, Devign, and Reveal) in Acc and F1 score, with improvements ranging from 14.71% to 145.78% and 152.08% to 344.77%, respectively. Meanwhile, experiments in the open-source project demonstrate that VulMPFF has the potential to detect vulnerabilities in real-world environments.

computer science, information systems, theory & methods