An Empirical Study of Deep Learning Models for Vulnerability Detection (ICSE 2023 - Technical Track)

Write a Blog >>

Sun 14 - Sat 20 May 2023 Melbourne, Australia

Who

Benjamin Steenhoek, Md Mahbubur Rahman, Richard Jiles, Wei Le

Track

ICSE 2023 Technical Track

Time Zone

The program is currently displayed in (GMT+10:00) Hobart.

Use conference time zone: (GMT+10:00) HobartSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

Save

When

Wed 17 May 2023 15:23 - 15:25 at Meeting Room 105 - Posters 1
Fri 19 May 2023 13:45 - 14:00 at Meeting Room 106 - Vulnerability detection Chair(s): Cuiyun Gao

Abstract

Deep learning (DL) models of code have recently reported great progress for vulnerability detection. In some cases, DL-based models have outperformed static analysis tools. Although many great models have been proposed, we do not yet have a good understanding of these models. This limits the further advancement of model robustness, debugging, and deployment for the vulnerability detection. In this paper, we surveyed and reproduced 9 state-of-the-art (SOTA) deep learning models on 2 widely used vulnerability detection datasets: Devign and MSR. We investigated 6 research questions in three areas, namely model capabilities, training data, and model interpretation. We experimentally demonstrated the variability between different runs of a model and the low agreement among different models’ outputs. We investigated models trained for specific types of vulnerabilities compared to a model that is trained on all the vulnerabilities at once. We explored the types of programs DL may consider “hard” to handle. We investigated the relations of training data sizes and training data composition with model performance. Finally, we studied model interpretations and analyzed important features that the models used to make predictions. We believe that our findings can help better understand model results, provide guidance on preparing training data, and improve the robustness of the models. All of our datasets, code, and results are available at https://figshare.com/s/284abfba67dba448fdc2.

Link to Preprint

https://doi.org/10.48550/arXiv.2212.08109

Benjamin Steenhoek

Iowa State University

United States

Md Mahbubur Rahman

Iowa State University

Richard Jiles

Iowa State University

Wei Le

Iowa State University

United States

Time Zone

The program is currently displayed in (GMT+10:00) Hobart.

Use conference time zone: (GMT+10:00) HobartSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

Display full programSpecify a time band

Save

Session Program

Wed 17 May
Displayed time zone: Hobart change

15:15 - 15:45	Posters 1Posters / Technical Track / Showcase at Meeting Room 105

15:15 2m Poster		Distribution-aware Fairness Test Generation Posters Sai Sathiesh Rajan Singapore University of Technology and Design, Singapore, Ezekiel Soremekun Royal Holloway, University of London, Sudipta Chattopadhyay Singapore University of Technology and Design, Yves Le Traon University of Luxembourg, Luxembourg
15:17 2m Talk		Improving API Knowledge Discovery with ML: A Case Study of Comparable API Methods Technical Track Daye Nam Carnegie Mellon University, Brad A. Myers Carnegie Mellon University, Bogdan Vasilescu Carnegie Mellon University, Vincent J. Hellendoorn Carnegie Mellon University Pre-print
15:19 2m Talk		Diver: Oracle-Guided SMT Solver Testing with Unrestricted Random Mutations Technical Track Jongwook Kim Korea University, Sunbeom So Korea University, Hakjoo Oh Korea University
15:21 2m Talk		Demystifying Exploitable Bugs in Smart Contracts Technical Track Zhuo Zhang Purdue University, Brian Zhang Harrison High School (Tippecanoe), Wen Xu PNM Labs, Zhiqiang Lin The Ohio State University Pre-print
15:23 2m Talk		An Empirical Study of Deep Learning Models for Vulnerability Detection Technical Track Benjamin Steenhoek Iowa State University, Md Mahbubur Rahman Iowa State University, Richard Jiles Iowa State University, Wei Le Iowa State University Pre-print
15:25 2m Talk		MorphQ: Metamorphic Testing of the Qiskit Quantum Computing Platform Technical Track Matteo Paltenghi University of Stuttgart, Germany, Michael Pradel University of Stuttgart Pre-print
15:27 2m Talk		Large Language Models are Few-shot Testers: Exploring LLM-based General Bug Reproduction Technical Track Sungmin Kang KAIST, Juyeon Yoon Korea Advanced Institute of Science and Technology, Shin Yoo KAIST Pre-print
15:30 2m Talk		Automating Code-Related Tasks Through Transformers: The Impact of Pre-training Technical Track Rosalia Tufano Università della Svizzera Italiana, Luca Pascarella ETH Zurich, Gabriele Bavota Software Institute, USI Università della Svizzera italiana
15:32 2m Talk		Generic Partition Refinement and Weighted Tree Automata Showcase Hans-Peter Deifel Friedrich-Alexander University Erlangen-Nürnberg, Germany, Stefan Milius , Lutz Schröder University of Erlangen-Nuremberg, Thorsten Wißmann Friedrich-Alexander University Erlangen-Nürnberg Link to publication DOI Pre-print
15:34 2m Talk		Learning Seed-Adaptive Mutation Strategies for Greybox Fuzzing Technical Track Myungho Lee Korea University, Sooyoung Cha Sungkyunkwan University, Hakjoo Oh Korea University
15:36 2m Talk		Bug localization in game software engineering: evolving simulations to locate bugs in software models of video games Showcase Rodrigo Casamayor SVIT Research Group. Universidad San Jorge, Lorena Arcega San Jorge University, Francisca Pérez SVIT Research Group, Universidad San Jorge, Carlos Cetina San Jorge University, Spain DOI
15:38 2m Poster		Don't Complete It! Preventing Unhelpful Code Completion for Productive and Sustainable Neural Code Completion Systems Posters Zhensu Sun The Hong Kong Polytechnic University, Xiaoning Du Monash University, Australia, Fu Song ShanghaiTech University, Shangwen Wang National University of Defense Technology, Li Li Beihang University
15:40 2m Talk		A Qualitative Study on the Implementation Design Decisions of Developers Technical Track Jenny T. Liang Carnegie Mellon University, Maryam Arab George Mason University, Minhyuk Ko Virginia Tech, Amy Ko University of Washington, Thomas LaToza George Mason University Pre-print
15:42 2m Poster		Closing the Loop for Software Remodularisation - REARRANGE: An Effort Estimation Approach for Software Clustering-based Remodularisation Posters Alvin Jian Jin Tan , Chun Yong Chong Monash University Malaysia, Aldeida Aleti Monash University

Fri 19 May
Displayed time zone: Hobart change

13:45 - 15:15	Vulnerability detectionTechnical Track / Journal-First Papers at Meeting Room 106 Chair(s): Cuiyun Gao Harbin Institute of Technology

13:45 15m Talk		An Empirical Study of Deep Learning Models for Vulnerability Detection Technical Track Benjamin Steenhoek Iowa State University, Md Mahbubur Rahman Iowa State University, Richard Jiles Iowa State University, Wei Le Iowa State University Pre-print
14:00 15m Talk		DeepVD: Toward Class-Separation Features for Neural Network Vulnerability Detection Technical Track Wenbo Wang New Jersey Institute of Technology, Tien N. Nguyen University of Texas at Dallas, Shaohua Wang New Jersey Institute of Technology, Yi Li New Jersey Institute of Technology, Jiyuan Zhang University of Illinois Urbana-Champaign, Aashish Yadavally The University of Texas at Dallas Pre-print
14:15 15m Talk		Enhancing Deep Learning-based Vulnerability Detection by Building Behavior Graph Model Technical Track Bin Yuan Huazhong University of Science and Technology, Yifan Lu Huazhong University of Science and Technology, Yilin Fang Huazhong University of Science and Technology, Yueming Wu Nanyang Technological University, Deqing Zou Huazhong University of Science and Technology, Zhen Li Huazhong University of Science and Technology, Zhi Li Huazhong University of Science and Technology, Hai Jin Huazhong University of Science and Technology
14:30 15m Talk		Vulnerability Detection with Graph Simplification and Enhanced Graph Representation Learning Technical Track Xin-Cheng Wen Harbin Institute of Technology, Yupan Harbin Institute of Technology, Cuiyun Gao Harbin Institute of Technology, Hongyu Zhang The University of Newcastle, Jie M. Zhang King's College London, Qing Liao Harbin Institute of Technology
14:45 15m Talk		Does data sampling improve deep learning-based vulnerability detection? Yeas! and Nays! Technical Track Xu Yang University of Manitoba, Shaowei Wang University of Manitoba, Yi Li New Jersey Institute of Technology, Shaohua Wang New Jersey Institute of Technology Pre-print
15:00 7m Talk		Learning from What We Know: How to Perform Vulnerability Prediction using Noisy Historical Data Journal-First Papers Aayush Garg University of Luxembourg, Luxembourg, Renzo Degiovanni SnT, University of Luxembourg, Matthieu Jimenez SnT, University of Luxembourg, Maxime Cordy University of Luxembourg, Luxembourg, Mike Papadakis University of Luxembourg, Luxembourg, Yves Le Traon University of Luxembourg, Luxembourg Link to publication DOI Authorizer link Pre-print Media Attached
15:07 7m Talk		Do I really need all this work to find vulnerabilities? An empirical case study comparing vulnerability detection techniques on a Java application Journal-First Papers Sarah Elder North Carolina State University, Nusrat Zahan North Carolina State University, Rui Shu North Carolina State University, Valeri Kozarev North Carolina State University, Tim Menzies North Carolina State University, Laurie Williams North Carolina State University