Toward Improved Deep Learning-based Vulnerability Detection
Adriana Sejfia, Satyaki Das, Saad Shafiq, Nenad Medvidović
TL;DR
This paper defines multi-base-unit (MBU) vulnerabilities and demonstrates that leading DL-based vulnerability detectors (ReVeal, DeepWukong, LineVul) are not trained or evaluated in a realistic manner when MBUs are considered. It introduces a framework comprising Patch Collector, Patch Cleaner, MBU Vulnerability Identifier, and Accuracy Calculator to identify MBUs, remove noise, and report per-vulnerability metrics, revealing that MBUs are prevalent and degrade detection performance when evaluated holistically. The work shows that standard training/evaluation practices overestimate detector effectiveness and offers a practical pathway to more realistic assessments, which is essential for downstream security tasks such as patch generation and vulnerability mitigation. The framework and findings motivate rethinking data collection, labeling, and reporting to better account for MBUs and improve real-world vulnerability detection.
Abstract
Deep learning (DL) has been a common thread across several recent techniques for vulnerability detection. The rise of large, publicly available datasets of vulnerabilities has fueled the learning process underpinning these techniques. While these datasets help the DL-based vulnerability detectors, they also constrain these detectors' predictive abilities. Vulnerabilities in these datasets have to be represented in a certain way, e.g., code lines, functions, or program slices within which the vulnerabilities exist. We refer to this representation as a base unit. The detectors learn how base units can be vulnerable and then predict whether other base units are vulnerable. We have hypothesized that this focus on individual base units harms the ability of the detectors to properly detect those vulnerabilities that span multiple base units (or MBU vulnerabilities). For vulnerabilities such as these, a correct detection occurs when all comprising base units are detected as vulnerable. Verifying how existing techniques perform in detecting all parts of a vulnerability is important to establish their effectiveness for other downstream tasks. To evaluate our hypothesis, we conducted a study focusing on three prominent DL-based detectors: ReVeal, DeepWukong, and LineVul. Our study shows that all three detectors contain MBU vulnerabilities in their respective datasets. Further, we observed significant accuracy drops when detecting these types of vulnerabilities. We present our study and a framework that can be used to help DL-based detectors toward the proper inclusion of MBU vulnerabilities.