隨著行動裝置的普及與軟體系統日益複雜,Android 應用程式的安全性問題日漸嚴重,程式碼漏洞成為潛在風險的重要來源。現有多數 Android 原始碼漏洞檢測研究仍倚賴傳統機器學習方法,其特徵工程仰賴專家經驗,難以有效建模複雜語意與結構資訊。近年大型語言模型(LLM)於程式碼理解任務上展現強大潛力,然而其對程式結構掌握有限,亦限制其在漏洞偵測上的表現。 本研究以開源的 Code LLaMA 為語意特徵基礎,並採用 QLoRA 技術進行高效微調,降低訓練成本與資源消耗。同時,為彌補 LLM 在結構理解上的不足,進一步引入 程式碼屬性圖(Code Property Graph,簡稱 CPG)搭配圖卷積網路(Graph Convolutional Network,簡稱 GCN)進行結構特徵學習。為提升圖神經網路的學習效率與準確性,本研究提出一套以敏感漏洞行為以及以常見漏洞露行為核心的圖裁切策略,濃縮關鍵節點與依賴關係,去除與漏洞無關的冗餘資訊。 最終,透過語意與結構特徵的融合模型進行漏洞類別分類任務,實驗結果顯 示本研究所提出之方法可以在漏洞類型多分類任務上達到 97.23% F1-score,優 於傳統基準方法(如 ACVED)約 3% 。;With the growing complexity of software systems, Android application security has become increasingly critical. Traditional vulnerability detection methods often rely on handcrafted features, limiting their ability to model complex semantics and structures in code. While Large Language Models (LLMs) like Code LLaMA excel at semantic understanding, they lack structural awareness. To address this, we apply QLoRA for efficient fine-tuning of Code LLaMA to extract semantic features with reduced resource cost. Additionally, we incorporate structural information via Code Property Graphs (CPGs) and Graph Convolutional Networks (GCNs). To improve graph learning efficiency, we propose a slicing strategy centered on vulnerability-relevant patterns, reducing noise while preserving critical dependencies. We then design a fusion model that integrates both semantic and structural features for vulnerability type classification. Experiments show our approach outperforms traditional methods (e.g., ACVED), achieving an F1-score of 3%.
