Salvato in:
Dettagli Bibliografici
Autori principali: Li, Yikun, Bui, Ngoc Tan, Zhang, Ting, Yang, Chengran, Zhou, Xin, Weyssow, Martin, Jiang, Jinfeng, Chen, Junkai, Huang, Huihui, Nguyen, Huu Hung, Ho, Chiok Yew, Tan, Jie, Li, Ruiyin, Yin, Yide, Ang, Han Wei, Liauw, Frank, Ouh, Eng Lieh, Shar, Lwin Khin, Lo, David
Natura: Preprint
Pubblicazione: 2025
Soggetti:
Accesso online:https://arxiv.org/abs/2507.21817
Tags: Aggiungi Tag
Nessun Tag, puoi essere il primo ad aggiungerne!!
_version_ 1866915730640863232
author Li, Yikun
Bui, Ngoc Tan
Zhang, Ting
Yang, Chengran
Zhou, Xin
Weyssow, Martin
Jiang, Jinfeng
Chen, Junkai
Huang, Huihui
Nguyen, Huu Hung
Ho, Chiok Yew
Tan, Jie
Li, Ruiyin
Yin, Yide
Ang, Han Wei
Liauw, Frank
Ouh, Eng Lieh
Shar, Lwin Khin
Lo, David
author_facet Li, Yikun
Bui, Ngoc Tan
Zhang, Ting
Yang, Chengran
Zhou, Xin
Weyssow, Martin
Jiang, Jinfeng
Chen, Junkai
Huang, Huihui
Nguyen, Huu Hung
Ho, Chiok Yew
Tan, Jie
Li, Ruiyin
Yin, Yide
Ang, Han Wei
Liauw, Frank
Ouh, Eng Lieh
Shar, Lwin Khin
Lo, David
contents Automated vulnerability detection research has made substantial progress, yet its real-world impact remains limited. Prior work found that current vulnerability datasets suffer from issues including label inaccuracy rates of 20%-71%, extensive duplication, and poor coverage of critical Common Weakness Enumeration (CWE). These issues create a significant generalization gap where models achieve misleading In-Distribution (ID) accuracies (testing on splits from the same dataset) by exploiting spurious correlations rather than learning true vulnerability patterns. To address these limitations, we present a three-part solution. First, we introduce BenchVul, which is a manually curated and balanced test dataset covering the MITRE Top 25 Most Dangerous CWEs, to enable fair model evaluation. Second, we construct a high-quality training dataset, TitanVul, comprising 38,548 functions by aggregating seven public sources and applying deduplication and validation using a novel multi-agent LLM pipeline. Third, we propose a Realistic Vulnerability Generation (RVG) pipeline, which synthesizes context-aware vulnerability examples for underrepresented but critical CWE types through simulated development workflows. Our evaluation reveals that In-Distribution (ID) performance does not reliably predict Out-of-Distribution (OOD) performance on BenchVul. For example, a model trained on BigVul achieves the highest 0.703 ID accuracy but fails on BenchVul's real-world samples (0.493 OOD accuracy). Conversely, a model trained on our TitanVul achieves the highest OOD performance on both the real-world (0.881) and synthesized (0.785) portions of BenchVul, improving upon the next-best performing dataset by 5.3% and 11.8% respectively, despite a modest ID score (0.590). Augmenting TitanVul with our RVG further boosts this leading OOD performance, improving accuracy on real-world data by 5.8% (to 0.932).
format Preprint
id arxiv_https___arxiv_org_abs_2507_21817
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Out of Distribution, Out of Luck: How Well Can LLMs Trained on Vulnerability Datasets Detect Top 25 CWE Weaknesses?
Li, Yikun
Bui, Ngoc Tan
Zhang, Ting
Yang, Chengran
Zhou, Xin
Weyssow, Martin
Jiang, Jinfeng
Chen, Junkai
Huang, Huihui
Nguyen, Huu Hung
Ho, Chiok Yew
Tan, Jie
Li, Ruiyin
Yin, Yide
Ang, Han Wei
Liauw, Frank
Ouh, Eng Lieh
Shar, Lwin Khin
Lo, David
Cryptography and Security
Software Engineering
Automated vulnerability detection research has made substantial progress, yet its real-world impact remains limited. Prior work found that current vulnerability datasets suffer from issues including label inaccuracy rates of 20%-71%, extensive duplication, and poor coverage of critical Common Weakness Enumeration (CWE). These issues create a significant generalization gap where models achieve misleading In-Distribution (ID) accuracies (testing on splits from the same dataset) by exploiting spurious correlations rather than learning true vulnerability patterns. To address these limitations, we present a three-part solution. First, we introduce BenchVul, which is a manually curated and balanced test dataset covering the MITRE Top 25 Most Dangerous CWEs, to enable fair model evaluation. Second, we construct a high-quality training dataset, TitanVul, comprising 38,548 functions by aggregating seven public sources and applying deduplication and validation using a novel multi-agent LLM pipeline. Third, we propose a Realistic Vulnerability Generation (RVG) pipeline, which synthesizes context-aware vulnerability examples for underrepresented but critical CWE types through simulated development workflows. Our evaluation reveals that In-Distribution (ID) performance does not reliably predict Out-of-Distribution (OOD) performance on BenchVul. For example, a model trained on BigVul achieves the highest 0.703 ID accuracy but fails on BenchVul's real-world samples (0.493 OOD accuracy). Conversely, a model trained on our TitanVul achieves the highest OOD performance on both the real-world (0.881) and synthesized (0.785) portions of BenchVul, improving upon the next-best performing dataset by 5.3% and 11.8% respectively, despite a modest ID score (0.590). Augmenting TitanVul with our RVG further boosts this leading OOD performance, improving accuracy on real-world data by 5.8% (to 0.932).
title Out of Distribution, Out of Luck: How Well Can LLMs Trained on Vulnerability Datasets Detect Top 25 CWE Weaknesses?
topic Cryptography and Security
Software Engineering
url https://arxiv.org/abs/2507.21817