An Interpretable Vulnerability Detection Framework Based on Multi-task Learning

Conference paper
Neural Information Processing (ICONIP 2023)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 1967)

Abstract

Vulnerability detection (VD) techniques are critical to software security and have been widely studied. Many recent works have proposed VD approaches built on deep learning models and achieved state-of-the-art performance. However, because deep learning models are black boxes, these approaches typically have poor interpretability, making it hard for analysts to understand the causes and mechanisms behind the detected vulnerabilities. Although a few strategies have been proposed to improve the interpretability of deep learning models, their outputs remain difficult to understand for those with little machine learning knowledge. In this study, we propose IVDM, an Interpretable Vulnerability Detection Framework Based on Multi-task Learning. IVDM integrates the VD and explanation generation tasks into a multi-task learning mechanism, so that it generates natural-language explanations of the detected vulnerabilities while performing the VD task. Compared with existing methods, the explanations output by IVDM are easier to understand. Moreover, IVDM is trained on top of a large-scale pre-trained model, which gives it cross-programming-language VD capability. Experiments conducted on both a dataset we collected ourselves and public datasets demonstrate the effectiveness and rationality of IVDM.

Acknowledgements

This work was supported in part by the Shandong Provincial Natural Science Foundation of China under Grant ZR2022MF295 and Grant ZR2022MF257, in part by the Pilot Project for Integrated Innovation of Science, Education and Industry of Qilu University of Technology (Shandong Academy of Sciences) under Grant 2022JBZ01-01, in part by the Fundamental Research Promotion Plan of Qilu University of Technology (Shandong Academy of Sciences) under Grant 2021JC02020, and in part by the Joint Open Project of Shandong Computer Society and Provincial Key Laboratory under Grant SKLCN-2021-03.

Author information

Corresponding author

Correspondence to Xiaohui Han.

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Liu, M., Han, X., Zuo, W., Luo, X., Guo, L. (2024). An Interpretable Vulnerability Detection Framework Based on Multi-task Learning. In: Luo, B., Cheng, L., Wu, ZG., Li, H., Li, C. (eds) Neural Information Processing. ICONIP 2023. Communications in Computer and Information Science, vol 1967. Springer, Singapore. https://doi.org/10.1007/978-981-99-8178-6_18

  • DOI: https://doi.org/10.1007/978-981-99-8178-6_18

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-8177-9

  • Online ISBN: 978-981-99-8178-6