VulReaD: Knowledge-Graph-guided Software Vulnerability Reasoning and Detection
Samal Mukhtar, Yinghua Yao, Zhu Sun, Mustafa Mustafa, Yew Soon Ong, Youcheng Sun

TL;DR
VulReaD introduces a knowledge-graph-guided method for software vulnerability detection that enhances CWE-level reasoning and interpretability and outperforms existing models on real-world datasets.
Contribution
It presents a novel approach combining knowledge graphs and large language models for CWE-aligned vulnerability reasoning without manual annotations.
Findings
Improves binary F1 by 8-10% over baselines.
Increases multi-class Macro-F1 by 30%.
Enhances CWE coverage and interpretability.
Abstract
Software vulnerability detection (SVD) is a critical challenge in modern systems. Large language models (LLMs) offer natural-language explanations alongside predictions, but most work focuses on binary evaluation, and explanations often lack semantic consistency with Common Weakness Enumeration (CWE) categories. We propose VulReaD, a knowledge-graph-guided approach for vulnerability reasoning and detection that moves beyond binary classification toward CWE-level reasoning. VulReaD leverages a security knowledge graph (KG) as a semantic backbone and uses a strong teacher LLM to generate CWE-consistent contrastive reasoning supervision, enabling student model training without manual annotations. Students are fine-tuned with Odds Ratio Preference Optimization (ORPO) to encourage taxonomy-aligned reasoning while suppressing unsupported explanations. Across three real-world datasets, VulReaD…
Taxonomy
Topics: Software Engineering Research · Information and Cyber Security · Adversarial Robustness in Machine Learning
