M2CVD: Enhancing Vulnerability Semantic through Multi-Model Collaboration for Code Vulnerability Detection
Ziliang Wang, Ge Li, Jia Li, Yingfei Xiong, Jia Li, Meng Yan, Zhi Jin
TL;DR
M2CVD addresses the challenge of learning vulnerability semantics in code by coordinating a pre-trained code model with a large language model (LLM) to generate and refine vulnerability descriptions that guide detection. The approach uses a three-phase process: initial detection, vulnerability-description refinement, and integrated detection. LLM-generated semantics augment the code model, while the refined code-model signal in turn improves the LLM's guidance. Empirical results on Devign and REVEAL show that M2CVD outperforms seven baselines, with notable gains from description refinement and cross-model hints, and it generalizes well across different code models and LLMs. The work provides a scalable framework for collaborative vulnerability detection and offers an open-source replication package to facilitate adoption and further research.
Abstract
Large Language Models (LLMs) have strong capabilities in code comprehension, but fine-tuning costs and semantic alignment issues limit their project-specific optimization; conversely, code models such as CodeBERT are easy to fine-tune, but they often struggle to learn vulnerability semantics from complex code. To address these challenges, this paper introduces the Multi-Model Collaborative Vulnerability Detection approach (M2CVD), which leverages the strong vulnerability-semantic analysis capability of LLMs to improve the detection accuracy of code models. M2CVD employs a novel collaborative process: it first improves the quality of the vulnerability semantic descriptions produced by LLMs using the code models' understanding of the project code, and then uses these improved descriptions to boost the detection accuracy of the code models. We demonstrate M2CVD's effectiveness on two real-world datasets, where M2CVD significantly outperforms the baselines. In addition, we show that the M2CVD collaborative method extends to other LLMs and code models, improving their accuracy on vulnerability detection tasks.
