Data Quality Issues in Vulnerability Detection Datasets

TL;DR

This paper defines three critical issues (data imbalance, low vulnerability coverage, and biased vulnerability distribution) and three secondary issues (errors in source code, mislabeling, and noisy historical data) that can affect the model performance that can lead to low detection accuracy of DL models.

Abstract

Vulnerability detection is a crucial yet challenging task to identify potential weaknesses in software for cyber security. Recently, deep learning (DL) has made great progress in automating the detection process. Due to the complex multi-layer structure and a large number of parameters, a DL model requires massive labeled (vulnerable or secure) source code to gain knowledge to effectively distinguish between vulnerable and secure code. In the literature, many datasets have been created to train DL models for this purpose. However, these datasets suffer from several issues that will lead to low detection accuracy of DL models. In this paper, we define three critical issues (i.e., data imbalance, low vulnerability coverage, biased vulnerability distribution) that can significantly affect the model performance and three secondary issues (i.e., errors in source code, mislabeling, noisy historical data) that also affect the performance but can be addressed through a dedicated pre-processing procedure. In addition, we conduct a study of 14 papers along with 54 datasets for vulnerability detection to confirm these defined issues. Furthermore, we discuss good practices to use existing datasets and to create new ones.

Figures (3)

• Figure 1: Number of vulnerable and secure codes provided by each reference. $x$-axis shows the project that the data are extracted from.
• Figure 2: Vulnerability distribution in each dataset provided by lin2018cross. Each color represents the vulnerability ID in Table \ref{['tab:vul_type']} and the numeral text indicates the percentage of source code.
• Figure 3: An example of mislabeling.