From Data Leak to Secret Misses: The Impact of Data Leakage on Secret Detection Models
Farnaz Soltaniani, Mohammad Ghafari
TL;DR
The paper investigates how data leakage from duplication in SecretBench inflates secret-detection performance and distorts real-world generalization. It formalizes secret context, duplicates, and deduplication into three evaluation scenarios (Mixed, Near Duplicate, Unique) and tests four models, including GraphCodeBERT variants, LSTM, and Random Forest. Findings show substantial degradation in MCC when duplicates are removed, with GraphCodeBERT most robust and RF most vulnerable, highlighting memorization rather than true learning in prior reports. The work emphasizes dataset hygiene and robust evaluation protocols, and provides replication resources to facilitate validation and broader adoption of leakage-resistant methods.
Abstract
Machine learning models are increasingly used for software security tasks. These models are commonly trained and evaluated on large Internet-derived datasets, which often contain duplicated or highly similar samples. When such samples are split across training and test sets, data leakage may occur, allowing models to memorize patterns instead of learning to generalize. We investigate duplication in a widely used benchmark dataset of hard coded secrets and show how data leakage can substantially inflate the reported performance of AI-based secret detectors, resulting in a misleading picture of their real-world effectiveness.
