Distinguishing Look-Alike Innocent and Vulnerable Code by Subtle Semantic Representation Learning and Explanation
- URL: http://arxiv.org/abs/2308.11237v1
- Date: Tue, 22 Aug 2023 07:23:12 GMT
- Title: Distinguishing Look-Alike Innocent and Vulnerable Code by Subtle Semantic Representation Learning and Explanation
- Authors: Chao Ni, Xin Yin, Kaiwen Yang, Dehai Zhao, Zhenchang Xing and Xin Xia
- Abstract summary: SVulD is a function-level subtle semantic embedding approach for vulnerability detection that also provides intuitive explanations.
We conduct large-scale experiments on a widely used practical vulnerability dataset and compare SVulD with four state-of-the-art (SOTA) approaches.
The experimental results indicate that SVulD outperforms all SOTAs by a substantial margin.
- Score: 19.16930806875121
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Though many deep learning (DL)-based vulnerability detection approaches have been proposed and have indeed achieved remarkable performance, they still have limitations in generalization and in practical usage. More precisely, existing DL-based approaches (1) perform poorly on prediction tasks among functions that are lexically similar but have contrary semantics, and (2) provide no intuitive developer-oriented explanations of the detected results. In this paper, we propose a novel approach named SVulD, a function-level Subtle semantic embedding for Vulnerability Detection along with intuitive explanations, to alleviate the above limitations. Specifically, SVulD first trains a model to learn distinguishing semantic representations of functions regardless of their lexical similarity. Then, for each detected vulnerable function, SVulD provides a natural language explanation (e.g., the root cause) of the result to help developers intuitively understand the vulnerability. To evaluate the effectiveness of SVulD, we conduct large-scale experiments on a widely used practical vulnerability dataset and compare SVulD with four state-of-the-art (SOTA) approaches on five performance measures. The experimental results indicate that SVulD outperforms all SOTAs by a substantial margin (i.e., 23.5%-68.0% in terms of F1-score, 15.9%-134.8% in terms of PR-AUC, and 7.4%-64.4% in terms of Accuracy). Besides, we conduct a user case study to evaluate the usefulness of SVulD for developers in understanding vulnerable code, and the participants' feedback demonstrates that SVulD is helpful for development practice.
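The abstract states the goal (representations that separate lexically similar functions with contrary semantics) but, at this level of detail, not the training objective. A common way to realize such a goal is contrastive learning over function pairs; the following PyTorch sketch is a minimal, hypothetical illustration under that assumption, not SVulD's actual implementation. The pair construction (a semantics-preserving variant as the positive; look-alike functions with contrary semantics, such as the pre-patch vulnerable version, as negatives) and all hyperparameters are assumptions.

```python
# Hypothetical sketch (not SVulD's implementation): an InfoNCE-style
# contrastive loss that pulls a function embedding toward a
# semantics-preserving variant and pushes it away from look-alike
# functions with contrary semantics.
import torch
import torch.nn.functional as F

def info_nce_loss(anchor: torch.Tensor,
                  positive: torch.Tensor,
                  negatives: torch.Tensor,
                  temperature: float = 0.07) -> torch.Tensor:
    """anchor: (B, D) function embeddings; positive: (B, D) embeddings of
    semantics-preserving variants; negatives: (B, K, D) embeddings of
    lexically similar but semantically contrary functions."""
    anchor = F.normalize(anchor, dim=-1)
    positive = F.normalize(positive, dim=-1)
    negatives = F.normalize(negatives, dim=-1)

    pos_sim = (anchor * positive).sum(dim=-1, keepdim=True)      # (B, 1)
    neg_sim = torch.einsum("bd,bkd->bk", anchor, negatives)      # (B, K)
    logits = torch.cat([pos_sim, neg_sim], dim=1) / temperature  # (B, 1+K)
    # For every row, the "correct class" is index 0: the positive pair.
    labels = torch.zeros(anchor.size(0), dtype=torch.long, device=anchor.device)
    return F.cross_entropy(logits, labels)

# Toy check with random vectors standing in for encoder outputs.
B, K, D = 8, 4, 256
loss = info_nce_loss(torch.randn(B, D), torch.randn(B, D), torch.randn(B, K, D))
print(f"contrastive loss: {loss.item():.4f}")
```

On top of an encoder trained this way, a standard classification head would produce the vulnerable/innocent prediction; the natural language explanation step described in the abstract is a separate component and is not sketched here.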
Related papers
- Explainable Vulnerability Detection in C/C++ Using Edge-Aware Graph Attention Networks [0.2499907423888049]
This paper presents ExplainVulD, a graph-based framework for vulnerability detection in C/C++ code.
It achieves a mean accuracy of 88.25 percent and an F1 score of 48.23 percent across 30 independent runs on the ReVeal dataset.
arXiv Detail & Related papers (2025-07-22T12:49:14Z)
- SAVANT: Vulnerability Detection in Application Dependencies through Semantic-Guided Reachability Analysis [6.989158266868967]
The integration of open-source third-party library dependencies in Java development introduces significant security risks.
SAVANT combines semantic preprocessing with LLM-powered context analysis for accurate vulnerability detection.
SAVANT achieves 83.8% precision, 73.8% recall, 69.0% accuracy, and 78.5% F1-score, outperforming state-of-the-art SCA tools.
arXiv Detail & Related papers (2025-06-21T19:48:13Z)
- R2Vul: Learning to Reason about Software Vulnerabilities with Reinforcement Learning and Structured Reasoning Distillation [11.15622721122057]
Large language models (LLMs) have shown promising performance in software vulnerability detection, yet their reasoning capabilities remain unreliable.
We propose R2Vul, a method that combines reinforcement learning from AI feedback (RLAIF) and structured reasoning distillation.
We evaluate R2Vul across five programming languages and against four static analysis tools.
arXiv Detail & Related papers (2025-04-07T03:04:16Z)
- Benchmarking Reasoning Robustness in Large Language Models [76.79744000300363]
This paper introduces a novel benchmark, termed Math-RoB, that exploits hallucinations triggered by missing information to expose reasoning gaps.
We find significant performance degradation on novel or incomplete data.
These findings highlight a reliance on recall over rigorous logical inference.
arXiv Detail & Related papers (2025-03-06T15:36:06Z)
- Are We Learning the Right Features? A Framework for Evaluating DL-Based Software Vulnerability Detection Solutions [3.204048014949849]
This paper aims to provide the foundation for properly evaluating the research in this domain.
We analyze vulnerability datasets for the syntactic and semantic features of code that contribute to vulnerability.
We provide a novel, uniform representation to capture both sets of features, and use this representation to detect the presence of both vulnerability and spurious features in code.
arXiv Detail & Related papers (2025-01-23T00:32:15Z)
- StagedVulBERT: Multi-Granular Vulnerability Detection with a Novel Pre-trained Code Model [13.67394549308693]
This study introduces StagedVulBERT, a novel vulnerability detection framework.
Its CodeBERT-HLS component is designed to capture semantics at both the token and statement levels simultaneously.
In coarse-grained vulnerability detection, StagedVulBERT achieves an F1 score of 92.26%, marking a 6.58% improvement over the best-performing methods.
arXiv Detail & Related papers (2024-10-08T07:46:35Z)
- SAFE: Advancing Large Language Models in Leveraging Semantic and Syntactic Relationships for Software Vulnerability Detection [23.7268575752712]
Software vulnerabilities (SVs) have emerged as a prevalent and critical concern for safety-critical security systems.
We propose a novel framework that enhances the capability of large language models to learn and utilize semantic and syntactic relationships from source code data for SVD.
arXiv Detail & Related papers (2024-09-02T00:49:02Z)
- Revisiting the Performance of Deep Learning-Based Vulnerability Detection on Realistic Datasets [4.385369356819613]
This paper introduces Real-Vul, a dataset representing real-world scenarios for evaluating vulnerability detection models.
Evaluating DeepWukong, LineVul, ReVeal, and IVDetect on it shows a significant drop in performance, with precision decreasing by up to 95 percentage points and F1 scores by up to 91 points.
Overfitting is identified as a key issue, and an augmentation technique is proposed, potentially improving performance by up to 30%.
arXiv Detail & Related papers (2024-07-03T13:34:30Z)
- Provably Neural Active Learning Succeeds via Prioritizing Perplexing Samples [53.95282502030541]
Neural Network-based active learning (NAL) is a cost-effective data selection technique that utilizes neural networks to select and train on a small subset of samples.
We take one step forward by offering a unified explanation, from a feature learning view, for the success of both common types of query-criteria-based NAL.
arXiv Detail & Related papers (2024-06-06T10:38:01Z)
- Vulnerability Detection with Code Language Models: How Far Are We? [40.455600722638906]
PrimeVul is a new dataset for training and evaluating code LMs for vulnerability detection.
It incorporates a novel set of data labeling techniques that achieve comparable label accuracy to human-verified benchmarks.
It also implements a rigorous data de-duplication and chronological data-splitting strategy to mitigate data leakage issues (a generic sketch of these two steps appears after this list).
arXiv Detail & Related papers (2024-03-27T14:34:29Z)
- SliceLocator: Locating Vulnerable Statements with Graph-based Detectors [33.395068754566935]
SliceLocator identifies the most relevant taint flow by selecting the highest-weighted flow path from all potential vulnerability-triggering statements.
We demonstrate that SliceLocator consistently performs well on four state-of-the-art GNN-based vulnerability detectors.
arXiv Detail & Related papers (2024-01-05T10:15:04Z)
- Beyond Fidelity: Explaining Vulnerability Localization of Learning-based Detectors [10.316819421902363]
Vulnerability detectors based on deep learning (DL) models have proven their effectiveness in recent years.
The opacity surrounding these detectors' decision-making process makes their results difficult for security analysts to comprehend.
We evaluate the performance of ten explanation approaches for vulnerability detectors based on graph and sequence representations.
arXiv Detail & Related papers (2024-01-05T07:37:35Z)
- Understanding Before Recommendation: Semantic Aspect-Aware Review Exploitation via Large Language Models [53.337728969143086]
Recommendation systems harness user-item interactions, such as clicks and reviews, to learn user and item representations.
Previous studies improve recommendation accuracy and interpretability by modeling user preferences across various aspects and intents.
We introduce a chain-based prompting approach to uncover semantic aspect-aware interactions.
arXiv Detail & Related papers (2023-12-26T15:44:09Z)
- XAL: EXplainable Active Learning Makes Classifiers Better Low-resource Learners [71.8257151788923]
We propose a novel Explainable Active Learning framework (XAL) for low-resource text classification.
XAL encourages classifiers to justify their inferences and delve into unlabeled data for which they cannot provide reasonable explanations.
Experiments on six datasets show that XAL achieves consistent improvement over 9 strong baselines.
arXiv Detail & Related papers (2023-10-09T08:07:04Z)
- Improving the Adversarial Robustness of NLP Models by Information Bottleneck [112.44039792098579]
Non-robust features can be easily manipulated by adversaries to fool NLP models.
In this study, we explore the feasibility of capturing task-specific robust features, while eliminating the non-robust ones by using the information bottleneck theory.
We show that the models trained with our information bottleneck-based method are able to achieve a significant improvement in robust accuracy.
arXiv Detail & Related papers (2022-06-11T12:12:20Z)
- VELVET: a noVel Ensemble Learning approach to automatically locate VulnErable sTatements [62.93814803258067]
This paper presents VELVET, a novel ensemble learning approach to locate vulnerable statements in source code.
Our model combines graph-based and sequence-based neural networks to successfully capture the local and global context of a program graph.
VELVET achieves 99.6% and 43.6% top-1 accuracy over synthetic data and real-world data, respectively.
arXiv Detail & Related papers (2021-12-20T22:45:27Z)
- Exploring Robustness of Unsupervised Domain Adaptation in Semantic Segmentation [74.05906222376608]
This paper is rooted in two observations: (i) the robustness of UDA methods in semantic segmentation remains unexplored, which poses a security concern in this field; and (ii) although commonly used self-supervision (e.g., rotation and jigsaw) benefits image tasks such as classification and recognition, it fails to provide the critical supervision signals needed to learn discriminative representations for segmentation tasks.
We propose adversarial self-supervision UDA (ASSUDA), which maximizes the agreement between clean images and their adversarial examples via a contrastive loss in the output space.
arXiv Detail & Related papers (2021-05-23T01:50:44Z)
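The PrimeVul entry above attributes part of its rigor to leakage control: de-duplication plus a chronological train/test split. The sketch below is a generic, hypothetical illustration of those two steps, not PrimeVul's actual pipeline; the `code` and `commit_date` field names and the crude normalization rules are assumptions.

```python
# Hypothetical leakage-aware dataset preparation: exact-duplicate removal on
# normalized code, then a time-based split so no test sample predates the
# training data. Not PrimeVul's actual pipeline.
import hashlib
import re
from datetime import datetime

def normalize(code: str) -> str:
    """Crude normalization: strip C-style comments and collapse whitespace
    so trivially reformatted clones hash to the same value."""
    code = re.sub(r"/\*.*?\*/", "", code, flags=re.S)   # block comments
    code = re.sub(r"//[^\n]*", "", code)                # line comments
    return re.sub(r"\s+", " ", code).strip()

def dedup_and_split(samples: list, cutoff: datetime):
    """samples: dicts with 'code' and 'commit_date' keys (assumed schema).
    Returns (train, test) with exact duplicates removed and a chronological
    split at `cutoff`."""
    seen, unique = set(), []
    for s in samples:
        digest = hashlib.sha256(normalize(s["code"]).encode()).hexdigest()
        if digest not in seen:
            seen.add(digest)
            unique.append(s)
    train = [s for s in unique if s["commit_date"] < cutoff]
    test = [s for s in unique if s["commit_date"] >= cutoff]
    return train, test

# Example: keep commits from 2023 onward for testing only.
# train, test = dedup_and_split(samples, datetime(2023, 1, 1))
```

Splitting by time rather than at random matters because vulnerability datasets often contain near-identical pre- and post-patch functions; a random split can place one copy in training and the other in testing, inflating reported performance.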
This list is automatically generated from the titles and abstracts of the papers on this site.
This site does not guarantee the quality of the information presented and is not responsible for any consequences of its use.