Data Quality Issues in Vulnerability Detection Datasets

TL;DR

This paper identifies key data quality issues in vulnerability detection datasets that hinder deep learning model performance and offers insights and practices to improve dataset quality for better cybersecurity outcomes.

Contribution

The paper defines critical and secondary data issues in vulnerability datasets and analyzes existing literature to highlight their impact on model accuracy.

Findings

Data imbalance and low vulnerability coverage affect detection accuracy.

Errors and mislabeling in datasets can be mitigated through preprocessing.

Analysis of 54 datasets confirms the prevalence of identified issues.

Abstract

Vulnerability detection is a crucial yet challenging task to identify potential weaknesses in software for cyber security. Recently, deep learning (DL) has made great progress in automating the detection process. Due to the complex multi-layer structure and a large number of parameters, a DL model requires massive labeled (vulnerable or secure) source code to gain knowledge to effectively distinguish between vulnerable and secure code. In the literature, many datasets have been created to train DL models for this purpose. However, these datasets suffer from several issues that will lead to low detection accuracy of DL models. In this paper, we define three critical issues (i.e., data imbalance, low vulnerability coverage, biased vulnerability distribution) that can significantly affect the model performance and three secondary issues (i.e., errors in source code, mislabeling, noisy historical data) that also affect the performance but can be addressed through a dedicated pre-processing procedure. In addition, we conduct a study of 14 papers along with 54 datasets for vulnerability detection to confirm these defined issues. Furthermore, we discuss good practices to use existing datasets and to create new ones.