Generalization-Enhanced Code Vulnerability Detection via Multi-Task Instruction Fine-Tuning

Xiaohu Du,Ming Wen,Jiahao Zhu,Zifan Xie,Bin Ji,Huijun Liu,Xuanhua Shi,Hai Jin
2024-06-06
Abstract:Code Pre-trained Models (CodePTMs) based vulnerability detection have achieved promising results over recent years. However, these models struggle to generalize as they typically learn superficial mapping from source code to labels instead of understanding the root causes of code vulnerabilities, resulting in poor performance in real-world scenarios beyond the training instances. To tackle this challenge, we introduce VulLLM, a novel framework that integrates multi-task learning with Large Language Models (LLMs) to effectively mine deep-seated vulnerability features. Specifically, we construct two auxiliary tasks beyond the vulnerability detection task. First, we utilize the vulnerability patches to construct a vulnerability localization task. Second, based on the vulnerability features extracted from patches, we leverage GPT-4 to construct a vulnerability interpretation task. VulLLM innovatively augments vulnerability classification by leveraging generative LLMs to understand complex vulnerability patterns, thus compelling the model to capture the root causes of vulnerabilities rather than overfitting to spurious features of a single task. The experiments conducted on six large datasets demonstrate that VulLLM surpasses seven state-of-the-art models in terms of effectiveness, generalization, and robustness.
Cryptography and Security,Artificial Intelligence,Computation and Language
What problem does this paper attempt to address?
The paper attempts to address the issue of insufficient generalization ability of existing code pre-training models (CodePTMs) in detecting code vulnerabilities. Specifically, these models usually learn the superficial mapping relationship between source code and labels, rather than understanding the root causes of code vulnerabilities, resulting in poor performance when dealing with real-world scenarios beyond the training instances. To tackle this challenge, the paper proposes a new framework—VulLLM, which effectively mines deep vulnerability features through multi-task learning and large language models (LLMs). ### Main Issues: 1. **Insufficient Generalization Ability**: Existing code pre-training models perform poorly when handling out-of-distribution (OOD) data because they tend to capture superficial features rather than deep vulnerability features. 2. **Overfitting**: These models are prone to overfitting to spurious features of specific tasks, leading to poor generalization across different projects and programming styles. 3. **Adversarial Samples**: Existing methods struggle to distinguish adversarial samples such as simple identifier replacements, indicating that their predictions are influenced by irrelevant factors. ### Solution: - **VulLLM Framework**: Enhances the generalization ability and robustness of vulnerability detection through multi-task learning and large language models (LLMs). - **Auxiliary Tasks**: - **Vulnerability Localization Task**: Constructs a vulnerability localization task using vulnerability patches to identify vulnerable code elements. - **Vulnerability Explanation Task**: Utilizes GPT-4 to generate vulnerability explanations based on features extracted from patches. - **Multi-Task Instruction Fine-Tuning**: Adopts a multi-task learning paradigm to enable LLMs to learn deep vulnerability features rather than spurious features. - **Self-Verification Mechanism**: Introduces enhanced Chain-of-Thought (CoT) and Self-Verification (SV) mechanisms to avoid error accumulation and hallucinations, improving the reliability of LLMs. ### Experimental Results: - Experiments conducted on 6 large datasets show that VulLLM outperforms seven state-of-the-art models in terms of effectiveness, generalization ability, and robustness. - Compared to the best baseline model UniXcoder, VulLLM improves the F1 score by 8% and achieves an 8.58% improvement on four OOD datasets. - Under three types of adversarial attacks, VulLLM's overall F1 score improves by 68.08% compared to UniXcoder, demonstrating its stronger robustness. ### Contributions: - **Innovation**: Proposes using GPT-4's interpretability to generate vulnerability explanations, enhancing LLMs' understanding of vulnerabilities. - **Method**: Introduces the VulLLM framework, which uses LLMs for vulnerability detection through multi-task instruction fine-tuning. - **Evaluation**: Validates the method's effectiveness, generalization ability, and robustness across multiple datasets through extensive experiments, and open-sources the code and data.