Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Game Rewards Vulnerabilities: Software Vulnerability Detection with Zero-Sum Game and Prototype Learning

Xin-Cheng Wen, Cuiyun Gao, Xinchen Wang, Ruiqi Wang, Tao Zhang, Qing Liao

TL;DR

RECON tackles the challenge of vulnerability detection by separating semantic-agnostic cues from vulnerability-relevant patterns through a zero-sum game between a Detector and a Calibrator and a class-level prototype learning module. It leverages CFG-based execution paths, CodeBERT representations, and a balance-gap training strategy to stabilize optimization. Across multiple evaluation settings on the Fan et al. vulnerability dataset, RECON consistently outperforms state-of-the-art baselines, including under identifier-substitution and vulnerability-fixed pair conditions, demonstrating robustness to semantic perturbations. The work highlights the practical potential of combining game-theoretic learning with prototype-based pattern discovery to improve automated software vulnerability detection in real-world scenarios.

Abstract

Recent years have witnessed a growing focus on automated software vulnerability detection. Notably, deep learning (DL)-based methods, which employ source code for the implicit acquisition of vulnerability patterns, have demonstrated superior performance compared to other approaches. However, the DL-based approaches are still hard to capture the vulnerability-related information from the whole code snippet, since the vulnerable parts usually account for only a small proportion. As evidenced by our experiments, the approaches tend to excessively emphasize semantic information, potentially leading to limited vulnerability detection performance in practical scenarios. First, they cannot well distinguish between the code snippets before (i.e., vulnerable code) and after (i.e., non-vulnerable code) developers' fixes due to the minimal code changes. Besides, substituting user-defined identifiers with placeholders (e.g., "VAR1" and "FUN1") in obvious performance degradation at up to 14.53% with respect to the F1 score. To mitigate these issues, we propose to leverage the vulnerable and corresponding fixed code snippets, in which the minimal changes can provide hints about semantic-agnostic features for vulnerability detection. In this paper, we propose a software vulneRability dEteCtion framework with zerO-sum game and prototype learNing, named RECON. In RECON, we propose a zero-sum game construction module. Distinguishing the vulnerable code from the corresponding fixed code is regarded as one player (i.e. Calibrator), while the conventional vulnerability detection is another player (i.e. Detector) in the zero-sum game. The goal is to capture the semantic-agnostic features of the first player for enhancing the second player's performance for vulnerability detection. Experiments on the public benchmark dataset show that RECON outperforms the state-of-the-art baseline by 6.29% in F1 score.

Game Rewards Vulnerabilities: Software Vulnerability Detection with Zero-Sum Game and Prototype Learning

TL;DR

RECON tackles the challenge of vulnerability detection by separating semantic-agnostic cues from vulnerability-relevant patterns through a zero-sum game between a Detector and a Calibrator and a class-level prototype learning module. It leverages CFG-based execution paths, CodeBERT representations, and a balance-gap training strategy to stabilize optimization. Across multiple evaluation settings on the Fan et al. vulnerability dataset, RECON consistently outperforms state-of-the-art baselines, including under identifier-substitution and vulnerability-fixed pair conditions, demonstrating robustness to semantic perturbations. The work highlights the practical potential of combining game-theoretic learning with prototype-based pattern discovery to improve automated software vulnerability detection in real-world scenarios.

Abstract

Recent years have witnessed a growing focus on automated software vulnerability detection. Notably, deep learning (DL)-based methods, which employ source code for the implicit acquisition of vulnerability patterns, have demonstrated superior performance compared to other approaches. However, the DL-based approaches are still hard to capture the vulnerability-related information from the whole code snippet, since the vulnerable parts usually account for only a small proportion. As evidenced by our experiments, the approaches tend to excessively emphasize semantic information, potentially leading to limited vulnerability detection performance in practical scenarios. First, they cannot well distinguish between the code snippets before (i.e., vulnerable code) and after (i.e., non-vulnerable code) developers' fixes due to the minimal code changes. Besides, substituting user-defined identifiers with placeholders (e.g., "VAR1" and "FUN1") in obvious performance degradation at up to 14.53% with respect to the F1 score. To mitigate these issues, we propose to leverage the vulnerable and corresponding fixed code snippets, in which the minimal changes can provide hints about semantic-agnostic features for vulnerability detection. In this paper, we propose a software vulneRability dEteCtion framework with zerO-sum game and prototype learNing, named RECON. In RECON, we propose a zero-sum game construction module. Distinguishing the vulnerable code from the corresponding fixed code is regarded as one player (i.e. Calibrator), while the conventional vulnerability detection is another player (i.e. Detector) in the zero-sum game. The goal is to capture the semantic-agnostic features of the first player for enhancing the second player's performance for vulnerability detection. Experiments on the public benchmark dataset show that RECON outperforms the state-of-the-art baseline by 6.29% in F1 score.
Paper Structure (32 sections, 1 theorem, 12 equations, 8 figures, 4 tables)

This paper contains 32 sections, 1 theorem, 12 equations, 8 figures, 4 tables.

Table of Contents

  1. Introduction
  2. Introduction
  3. Background
  4. Zero-Sum Game
  5. Prototype Learning
  6. Proposed Framework
  7. Problem Formulation
  8. Zero-sum Game Construction
  9. Class-level Prototype Learning Module
  10. Balance Gap-based Training Strategy
  11. EXPERIMENTAL Setup
  12. Reasearch Questions
  13. Datasets
  14. Baseline Methods
  15. Implementation Details
  16. ...and 17 more sections

Key Result

Lemma 1

Consider that two players are involved in a zero-sum game. The optimal solution $x$ of player $A$ and $y$ of player $B$ can be formulated as: where $x = \left[ x_{1}, x_{2},\ldots,x_{n} \right]$ and $y = \left[ y_{1}, y_{2},\ldots,y_{n} \right]$ denote the action sets for the two players, respectively, and each action is greater than or equal to zero. $\mathcal{F}(x_{i})$ and $\mathcal{G}(y_{j})$

Figures (8)

  • Figure 1: (A) A motivating example from CVE-2013-7010. The red-colored codes are vulnerable code. The green-colored codes are the corresponding fixed code. (B) The relationship of Reveal reveal and CodeT5 DBLP:conf/emnlp/0034WJH21/CodeT5 between the original and the identifier change setting. In the dataset with identifiers substituted, we map the identifiers to symbolic names (e.g., VAR1 and FUN1).
  • Figure 2: (A) A motivating example from CVE-2013-7010. The red-colored codes are vulnerable code. The green-colored codes are the corresponding fixed code. (B) The relationship of Reveal reveal and CodeT5 DBLP:conf/emnlp/0034WJH21/CodeT5 between the original and the identifier change setting. In the dataset with identifiers substituted, we map the identifiers to symbolic names (e.g., VAR1 and FUN1).
  • Figure 3: (A) An illustration of the zero-sum game. (B) An example of the prototype learning.
  • Figure 4: The architecture of RECON. RECON mainly consists of two modules: a zero-sum game construction module and a class-level prototype learning module. The code file and the corresponding fixed code are the input of RECON, including the unchanged code set $\mathcal{X}$, vulnerable code set $\mathcal{Y}$, and vulnerable-fixed code set $\mathcal{Z}$.
  • Figure 5: (A) A example from CVE-2015-8539. The red-colored code is vulnerable code. The green-colored code is the corresponding fixed code. (B) The execution path is derived from the Control Flow Graph (CFG) in the vulnerable code. (C) The execution path is derived from the CFG in the corresponding fixed code.
  • ...and 3 more figures

Theorems & Definitions (2)

  • Lemma 1: Zero-sum game shapley1964somegame
  • Definition 1: Balance Gap