Revisiting the Performance of Deep Learning-Based Vulnerability Detection on Realistic Datasets
Partha Chakraborty, Krishna Kanth Arumugam, Mahmoud Alfadel, Meiyappan Nagappan, and Shane McIntosh

TL;DR
This paper evaluates deep learning vulnerability detection models on a new realistic dataset, revealing significant performance gaps and proposing augmentation techniques to improve real-world effectiveness.
Contribution
It introduces the Real-Vul dataset for realistic evaluation and provides empirical analysis showing deep learning models underperform in practical scenarios.
Findings
Performance drops significantly on real-world data
Model accuracy varies with vulnerability type
Augmentation can improve detection performance by up to 30%
Abstract
The impact of software vulnerabilities on everyday software systems is significant. Despite deep learning models being proposed for vulnerability detection, their reliability is questionable. Prior evaluations show high recall/F1 scores of up to 99%, but these models underperform in practical scenarios, particularly when assessed on entire codebases rather than just the fixing commit. This paper introduces Real-Vul, a comprehensive dataset representing real-world scenarios for evaluating vulnerability detection models. Evaluating DeepWukong, LineVul, ReVeal, and IVDetect shows a significant drop in performance, with precision decreasing by up to 95 percentage points and F1 scores by up to 91 points. Furthermore, model performance fluctuates based on vulnerability characteristics, with better F1 scores for information leaks or code injection than for path resolution or predictable return…
