Deep Learning-Based Out-of-distribution Source Code Data Identification: How Far Have We Gone? (2404.05964v2)

Published 9 Apr 2024 in cs.CR

Abstract: Software vulnerabilities (SVs) have become a common, serious, and crucial concern for safety-critical security systems. This has driven significant progress in the use of AI-based methods for software vulnerability detection (SVD). In practice, although AI-based methods have achieved promising performance in SVD and in other domains (e.g., computer vision), they are well known to fail to predict the ground-truth label of input data lying far from the training data distribution (the in-distribution, ID); such inputs are referred to as out-of-distribution (OOD) data. This drawback leads to serious issues, because the models fail to indicate when they are likely to be mistaken. To address this problem, OOD detectors (which determine whether an input is ID or OOD) have been applied before feeding input data to the downstream AI-based modules. While OOD detection has been widely designed for computer vision and medical diagnosis applications, automated AI-based techniques for detecting OOD source code data have not yet been well studied and explored. To this end, in this paper we propose an innovative deep learning-based approach to the OOD source code data identification problem. Our method is derived from an information-theoretic perspective and uses innovative cluster-contrastive learning to effectively learn and leverage source code characteristics, enhancing data representation learning for solving the problem. Rigorous and comprehensive experiments on real-world source code datasets show the effectiveness and advancement of our approach over state-of-the-art baselines by a wide margin. In short, on average, our method achieves significantly higher performance, by around 15.27%, 7.39%, and 4.93% on the FPR, AUROC, and AUPR measures, respectively, in comparison with the baselines.
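As an added illustration (not the paper's code) of how an OOD gate placed in front of a vulnerability detector is scored on the three measures the abstract names, here is a small self-contained Python example. The OOD scores and ID/OOD labels are constructed, and the conventions that OOD is the positive class and that FPR is read off at 95% TPR are assumptions.

```python
from typing import List, Sequence, Tuple

# Constructed example scores (not from the paper): one OOD score per input, higher = more
# likely out-of-distribution. IS_OOD marks which inputs truly came from unseen code.
SCORES = [0.1, 0.15, 0.2, 0.25, 0.3, 0.35, 0.4, 0.45, 0.5, 0.65,   # in-distribution code
          0.55, 0.6, 0.7, 0.75, 0.8, 0.85, 0.9, 0.95, 0.38, 0.48]  # out-of-distribution code
IS_OOD = [False] * 10 + [True] * 10

def _counts_by_threshold(scores: Sequence[float], is_ood: Sequence[bool]) -> List[Tuple[float, int, int]]:
    """Sweep the threshold from strict to loose; after each distinct score value report
    (threshold, false positives, true positives) for the rule "flag if score >= threshold".
    OOD is the positive class, so a false positive is an ID input wrongly rejected."""
    order = sorted(range(len(scores)), key=lambda i: -scores[i])
    out, fp, tp, i = [], 0, 0, 0
    while i < len(order):
        thr = scores[order[i]]
        while i < len(order) and scores[order[i]] == thr:  # tied scores move together
            tp, fp = (tp + 1, fp) if is_ood[order[i]] else (tp, fp + 1)
            i += 1
        out.append((thr, fp, tp))
    return out

def auroc(scores, is_ood) -> float:
    """Area under the ROC curve by the trapezoid rule; 1.0 = ID and OOD perfectly separable."""
    pos = sum(is_ood); neg = len(is_ood) - pos
    x0 = y0 = area = 0.0
    for _, fp, tp in _counts_by_threshold(scores, is_ood):
        x1, y1 = fp / neg, tp / pos
        area += (x1 - x0) * (y0 + y1) / 2
        x0, y0 = x1, y1
    return area

def aupr(scores, is_ood) -> float:
    """Area under the precision-recall curve as a step sum (average precision)."""
    pos = sum(is_ood); prev_recall = ap = 0.0
    for _, fp, tp in _counts_by_threshold(scores, is_ood):
        recall = tp / pos
        ap += (recall - prev_recall) * tp / (tp + fp)
        prev_recall = recall
    return ap

def operating_point(scores, is_ood, target_tpr: float = 0.95) -> Tuple[float, float]:
    """Loosest threshold that still catches `target_tpr` of the OOD inputs, and the FPR paid
    for it (the "FPR at 95% TPR" figure): the fraction of ID code the gate wrongly rejects."""
    pos = sum(is_ood); neg = len(is_ood) - pos
    for thr, fp, tp in _counts_by_threshold(scores, is_ood):
        if tp / pos >= target_tpr:
            return thr, fp / neg
    raise ValueError("no threshold reaches the target TPR")

def admit_to_detector(score: float, threshold: float) -> bool:
    """The gate itself: only inputs the OOD detector does not flag reach the SVD model."""
    return score < threshold
```

On the constructed data the gate reaches 95% TPR at threshold 0.38 while rejecting 40% of in-distribution code, which is the trade-off the FPR measure captures.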
