M2CVD: Enhancing Vulnerability Semantic through Multi-Model Collaboration for Code Vulnerability Detection
Ziliang Wang, Ge Li, Jia Li, Yingfei Xiong, Jia Li, Meng Yan, Zhi Jin

TL;DR
This paper introduces M2CVD, a collaborative approach combining large language models and code models to improve vulnerability detection accuracy in software code, demonstrating significant performance gains on real datasets.
Contribution
M2CVD is a novel collaborative framework that enhances vulnerability semantics and detection accuracy by integrating LLMs with code models, extending to various model combinations.
Findings
M2CVD significantly outperforms baseline methods on real-world datasets.
The collaborative approach improves vulnerability semantic understanding.
The method generalizes to different LLMs and code models.
Abstract
Large Language Models (LLMs) have strong capabilities in code comprehension, but fine-tuning costs and semantic alignment issues limit their project-specific optimization; conversely, code models such as CodeBERT are easy to fine-tune, but it is often difficult to learn vulnerability semantics from complex code languages. To address these challenges, this paper introduces the Multi-Model Collaborative Vulnerability Detection approach (M2CVD) that leverages the strong capability of analyzing vulnerability semantics from LLMs to improve the detection accuracy of code models. M2CVD employs a novel collaborative process: first enhancing the quality of vulnerability semantic descriptions produced by LLMs through the understanding of project code by code models, and then using these improved vulnerability semantic descriptions to boost the detection accuracy of code models. We demonstrated M2CVD's…
Taxonomy
Topics: Software Reliability and Analysis Research · Web Application Security Vulnerabilities · Software System Performance and Reliability
