arxiv: 2304.00409 · v2 · submitted 2023-04-01 · cs.CR · cs.AI · cs.LG · cs.SE

DiverseVul: A New Vulnerable Source Code Dataset for Deep Learning Based Vulnerability Detection

classification: cs.CR, cs.AI, cs.LG, cs.SE
keywords: dataset, deep learning, vulnerability detection, research, source code

We propose and release a new vulnerable source code dataset. We curate the dataset by crawling security issue websites and extracting vulnerability-fixing commits and source code from the corresponding projects. Our new dataset contains 18,945 vulnerable functions spanning 150 CWEs and 330,492 non-vulnerable functions extracted from 7,514 commits. Our dataset covers 295 more projects than all previous datasets combined. Combining our new dataset with previous datasets, we present an analysis of the challenges and promising research directions of using deep learning for detecting software vulnerabilities. We study 11 model architectures belonging to 4 families. Our results show that deep learning is still not ready for vulnerability detection, due to a high false positive rate, a low F1 score, and the difficulty of detecting hard CWEs. In particular, we demonstrate an important generalization challenge for the deployment of deep learning-based models. We show that increasing the volume of training data may not further improve the performance of deep learning models for vulnerability detection, but might be useful to improve the generalization ability to unseen projects. We also identify hopeful future research directions. We demonstrate that large language models (LLMs) are a promising research direction for ML-based vulnerability detection, outperforming Graph Neural Networks (GNNs) with code-structure features in our experiments. Moreover, developing source code specific pre-training objectives is a promising research direction to improve vulnerability detection performance.

Forward citations

Cited by 2 Pith papers

Reviewed papers in the Pith corpus that reference this work, sorted by Pith novelty score.

  1. The EVerest Dataset for Secure Software Engineering

    cs.SE 2026-06 accept novelty 8.0

    EVerest is a new publicly available dataset with security requirements, fine-grained elements, architecture model, source code, and documentation from an EV charging system to enable security verification research.

  2. Benchmarking Mythos-Linked Bug Rediscovery

    cs.SE 2026-05 unverdicted novelty 4.0

    A benchmarking experiment finds low rediscovery rates for three models on six Mythos-linked bug tasks, with only six target matches across 54 attempts under controlled prompting.