Exposing and Defending Membership Leakage in Vulnerability Prediction Models

TL;DR

This paper investigates the privacy risks of membership inference attacks on vulnerability prediction models for code, demonstrating vulnerabilities and proposing a noise-based defense that effectively reduces attack success while maintaining model performance.

Contribution

It provides the first comprehensive analysis of MIA on code vulnerability prediction models and introduces a lightweight noise-based defense mechanism.

Findings

Logits and loss are most vulnerable outputs for MIA.

The proposed NMID reduces attack AUC from nearly 1.0 to below 0.65.

NMID maintains the predictive utility of the models.

Abstract

Neural models for vulnerability prediction (VP) have achieved impressive performance by learning from large-scale code repositories. However, their susceptibility to Membership Inference Attacks (MIAs), where adversaries aim to infer whether a particular code sample was used during training, poses serious privacy concerns. While MIA has been widely investigated in NLP and vision domains, its effects on security-critical code analysis tasks remain underexplored. In this work, we conduct the first comprehensive analysis of MIA on VP models, evaluating the attack success across various architectures (LSTM, BiGRU, and CodeBERT) and feature combinations, including embeddings, logits, loss, and confidence. Our threat model aligns with black-box and gray-box settings where prediction outputs are observable, allowing adversaries to infer membership by analyzing output discrepancies between training and non-training samples. The empirical findings reveal that logits and loss are the most informative and vulnerable outputs for membership leakage. Motivated by these observations, we propose a Noise-based Membership Inference Defense (NMID), which is a lightweight defense module that applies output masking and Gaussian noise injection to disrupt adversarial inference. Extensive experiments demonstrate that NMID significantly reduces MIA effectiveness, lowering the attack AUC from nearly 1.0 to below 0.65, while preserving the predictive utility of VP models. Our study highlights critical privacy risks in code analysis and offers actionable defense strategies for securing AI-powered software systems.