JFinder: A Novel Architecture for Java Vulnerability Identification Based Quad Self-Attention and Pre-training Mechanism
Jin Wang, Zishan Huang, Hui Xiao, Yinhao Xiao

TL;DR
JFinder is a new architecture that uses quad self-attention and pre-training to improve Java vulnerability detection, achieving high accuracy and F1 scores, and effectively identifying patched vulnerabilities.
Contribution
It introduces a novel architecture combining quad self-attention with pre-training for enhanced Java vulnerability identification, outperforming existing methods.
Findings
Achieves 0.97 accuracy on CWE dataset
F1 score of 0.84 on PROMISE dataset
Successfully identifies patched vulnerabilities in case studies
Abstract
Software vulnerabilities pose significant risks to computer systems, impacting our daily lives, productivity, and even our health. Identifying and addressing security vulnerabilities in a timely manner is crucial to prevent hacking and data breaches. Unfortunately, current vulnerability identification methods, including classical and deep learning-based approaches, exhibit critical drawbacks that prevent them from meeting the demands of the contemporary software industry. To tackle these issues, we present JFinder, a novel architecture for Java vulnerability identification that leverages quad self-attention and pre-training mechanisms to combine structural information and semantic representations. Experimental results demonstrate that JFinder outperforms all baseline methods, achieving an accuracy of 0.97 on the CWE dataset and an F1 score of 0.84 on the PROMISE dataset. Furthermore, a…
Taxonomy
Topics: Software Engineering Research · Advanced Malware Detection Techniques · Web Application Security Vulnerabilities
