Abstract
Vulnerability detection (VD) techniques are critical to software security and have been widely studied. Many recent studies have proposed VD approaches built on deep learning models and achieved state-of-the-art performance. However, because deep learning models are black boxes, these approaches typically have poor interpretability, making it difficult for analysts to understand the causes and mechanisms behind detected vulnerabilities. Although a few strategies have been proposed to improve the interpretability of deep learning models, their outputs remain hard to understand for those with little machine learning knowledge. In this study, we propose IVDM, an Interpretable Vulnerability Detection Framework Based on Multi-task Learning. IVDM integrates the VD task and the explanation generation task into a single multi-task learning mechanism, so that it produces natural-language explanations of the detected vulnerabilities while performing the VD task. Compared with existing methods, the explanations output by IVDM are easier to understand. Moreover, IVDM is trained on top of a large-scale pre-trained model, which gives it cross-programming-language VD capability. Experiments conducted on both a dataset collected by ourselves and public datasets demonstrate the effectiveness and rationality of IVDM.
Acknowledgements
This work was supported in part by the Shandong Provincial Natural Science Foundation of China under Grant ZR2022MF295 and Grant ZR2022MF257, in part by the Pilot Project for Integrated Innovation of Science, Education and Industry of Qilu University of Technology (Shandong Academy of Sciences) under Grant 2022JBZ01-01, in part by the Fundamental Research Promotion Plan of Qilu University of Technology (Shandong Academy of Sciences) under Grant 2021JC02020, and in part by the Joint Open Project of Shandong Computer Society and Provincial Key Laboratory under Grant SKLCN-2021-03.
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
Cite this paper
Liu, M., Han, X., Zuo, W., Luo, X., Guo, L. (2024). An Interpretable Vulnerability Detection Framework Based on Multi-task Learning. In: Luo, B., Cheng, L., Wu, ZG., Li, H., Li, C. (eds) Neural Information Processing. ICONIP 2023. Communications in Computer and Information Science, vol 1967. Springer, Singapore. https://doi.org/10.1007/978-981-99-8178-6_18
DOI: https://doi.org/10.1007/978-981-99-8178-6_18
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-8177-9
Online ISBN: 978-981-99-8178-6
eBook Packages: Computer Science, Computer Science (R0)