Prior studies generally focus on software vulnerability detection and have demonstrated the effectiveness of Graph Neural Network (GNN)-based approaches for the task. Considering the various types of software vulnerabilities and the associated different degrees of severity, it is also beneficial to determine the type of each vulnerable code for developers. In this paper, we observe that the distribution of vulnerability type is long-tailed in practice, where a small portion of classes have massive samples (i.e., head classes) but the others contain only a few samples (i.e., tail classes). Directly adopting previous vulnerability detection approaches tends to result in poor detection performance, mainly due to two reasons. First, it is difficult to effectively learn the vulnerability representation due to the over-smoothing issue of GNNs. Second, vulnerability types in tails are hard to be predicted due to the extremely few associated samples. To alleviate these issues, we propose a L ong-ta I led software V ulner AB i L ity typ E classification approach, called LIVABLE . LIVABLE mainly consists of two modules, including (1) vulnerability representation learning module, which improves the propagation steps in GNN to distinguish node representations by a differentiated propagation method. A sequence-to-sequence model is also involved to enhance the vulnerability representations. (2) adaptive re-weighting module, which adjusts the learning weights for different types according to the training epochs and numbers of associated samples by a novel training loss. We verify the effectiveness of LIVABLE in both type classification and vulnerability detection tasks. For vulnerability type classification, the experiments on the Fan et al. dataset show that LIVABLE outperforms the state-of-the-art methods by 24.18% in terms of the accuracy metric, and also improves the performance in predicting tail classes by 7.7%. To evaluate the efficacy of the vulnerability representation learning module in LIVABLE, we further compare it with the recent vulnerability detection approaches on three benchmark datasets, which shows that the proposed representation learning module improves the best baselines by 4.03% on average in terms of accuracy.

中文翻译：

---

LIVABLE：探索软件漏洞类型的长尾分类


先前的研究通常侧重于软件漏洞检测，并证明了基于图神经网络（GNN）的任务方法的有效性。考虑到软件漏洞的不同类型以及相关的不同严重程度，确定每个漏洞代码的类型对于开发人员来说也是有益的。在本文中，我们观察到漏洞类型的分布在实践中是长尾的，其中一小部分类拥有大量样本（即头类），而其他类仅包含少量样本（即尾类）。直接采用以前的漏洞检测方法往往会导致检测性能较差，主要有两个原因。首先，由于 GNN 的过度平滑问题，很难有效地学习漏洞表示。其次，由于相关样本极少，尾部的漏洞类型很难预测。为了缓解这些问题，我们提出了一种长期主导的软件漏洞AB i L ity type E分类方法，称为LIVABLE。 LIVABLE主要由两个模块组成，包括（1）漏洞表示学习模块，该模块改进了GNN中的传播步骤，通过差异化传播方法来区分节点表示。还涉及序列到序列模型来增强漏洞表示。 （2）自适应重新加权模块，通过新颖的训练损失根据训练历次和关联样本数量调整不同类型的学习权重。我们验证了 LIVABLE 在类型分类和漏洞检测任务中的有效性。对于漏洞类型分类，Fan 等人的实验。 数据集显示，LIVABLE 在准确度指标方面优于最先进的方法 24.18%，并且在预测尾部类别方面的性能也提高了 7.7%。为了评估 LIVABLE 中漏洞表示学习模块的功效，我们进一步将其与三个基准数据集上的最新漏洞检测方法进行比较，结果表明，所提出的表示学习模块在准确性方面平均将最佳基线提高了 4.03%。