SIFT: enhance the performance of vulnerability detection by incorporating structural knowledge and multi-task learning

Cited by: 0
Authors
Wang, Liping [1 ]
Lu, Guilong [2 ]
Chen, Xiang [2 ]
Dai, Xiaofeng [1 ]
Qiu, Jianlin [2 ]
Affiliations
[1] Nantong Inst Technol, Sch Yonyou Digitaland Intelligence, Nantong 226002, Jiangsu, Peoples R China
[2] Nantong Univ, Sch Artificial Intelligence & Comp Sci, Nantong 226019, Jiangsu, Peoples R China
Funding
National Natural Science Foundation of China;
Keywords
Vulnerability detection; Fine-tuning; Pre-trained language model; Structural Knowledge injection; Multi-task learning;
DOI
10.1007/s10515-025-00507-7
CLC classification number
TP31 [Computer software];
Discipline classification code
081202 ; 0835 ;
Abstract
Software vulnerabilities pose significant risks to software systems, leading to security breaches, data loss, operational disruptions, and substantial financial damage. Therefore, accurately detecting these vulnerabilities is of paramount importance. In recent years, pre-trained language models (PLMs) have demonstrated powerful capabilities in code representation and understanding, emerging as a promising method for vulnerability detection. However, integrating code structure knowledge while fine-tuning PLMs remains a significant challenge. To alleviate this limitation, we propose a novel vulnerability detection approach called SIFT. SIFT extracts the code property graph (CPG) to serve as the source of graph structural information. It constructs a code structure matrix from this information and measures the difference between the code structure matrix and the attention matrix using Sinkhorn Divergence to obtain the structural knowledge loss. This structural knowledge loss is then used alongside the cross-entropy loss for vulnerability detection in a multi-task learning framework to enhance overall detection performance. To evaluate the effectiveness of SIFT, we conducted experiments on three vulnerability detection datasets: FFmpeg+Qemu, Chrome+Debian, and Big-Vul. The results demonstrate that SIFT outperforms nine state-of-the-art vulnerability detection baselines, achieving performance improvements of 1.74%, 10.19%, and 2.87% in terms of F1 score, respectively. Our study shows the effectiveness of incorporating structural knowledge and multi-task learning in enhancing the performance of PLMs for vulnerability detection.
Pages: 31