Transfer learning for software vulnerability prediction using Transformer models

IF 4.1 2区计算机科学 Q1 COMPUTER SCIENCE, SOFTWARE ENGINEERING Journal of Systems and Software Pub Date : 2025-04-12 DOI:10.1016/j.jss.2025.112448

Ilias Kalouptsoglou , Miltiadis Siavvas , Apostolos Ampatzoglou , Dionysios Kehagias , Alexander Chatzigeorgiou

{"title":"Transfer learning for software vulnerability prediction using Transformer models","authors":"Ilias Kalouptsoglou , Miltiadis Siavvas , Apostolos Ampatzoglou , Dionysios Kehagias , Alexander Chatzigeorgiou","doi":"10.1016/j.jss.2025.112448","DOIUrl":null,"url":null,"abstract":"<div><div>Recently software security community has exploited text mining and deep learning methods to identify vulnerabilities. To this end, the progress in the field of Natural Language Processing (NLP) has opened a new direction in constructing Vulnerability Prediction (VP) models by employing Transformer-based pre-trained models. This study investigates the capacity of Generative Pre-trained Transformer (GPT), and Bidirectional Encoder Representations from Transformers (BERT) to enhance the VP process by capturing semantic and syntactic information in the source code. Specifically, we examine different ways of using CodeGPT and CodeBERT to build VP models to maximize the benefit of their use for the downstream task of VP. To enhance the performance of the models we explore fine-tuning, word embedding, and sentence embedding extraction methods. We also compare VP models based on Transformers trained on code from scratch or after natural language pre-training. Furthermore, we compare these architectures to state-of-the-art text mining and graph-based approaches. The results showcase that training a separate deep learning predictor with pre-trained word embeddings is a more efficient approach in VP than either fine-tuning or extracting sentence-level features. The findings also highlight the importance of context-aware embeddings in the models’ attempt to identify vulnerable patterns in the source code.</div></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":"227 ","pages":"Article 112448"},"PeriodicalIF":4.1000,"publicationDate":"2025-04-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Systems and Software","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0164121225001165","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, SOFTWARE ENGINEERING","Score":null,"Total":0}

引用次数: 0

Abstract

Recently software security community has exploited text mining and deep learning methods to identify vulnerabilities. To this end, the progress in the field of Natural Language Processing (NLP) has opened a new direction in constructing Vulnerability Prediction (VP) models by employing Transformer-based pre-trained models. This study investigates the capacity of Generative Pre-trained Transformer (GPT), and Bidirectional Encoder Representations from Transformers (BERT) to enhance the VP process by capturing semantic and syntactic information in the source code. Specifically, we examine different ways of using CodeGPT and CodeBERT to build VP models to maximize the benefit of their use for the downstream task of VP. To enhance the performance of the models we explore fine-tuning, word embedding, and sentence embedding extraction methods. We also compare VP models based on Transformers trained on code from scratch or after natural language pre-training. Furthermore, we compare these architectures to state-of-the-art text mining and graph-based approaches. The results showcase that training a separate deep learning predictor with pre-trained word embeddings is a more efficient approach in VP than either fine-tuning or extracting sentence-level features. The findings also highlight the importance of context-aware embeddings in the models’ attempt to identify vulnerable patterns in the source code.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

利用 Transformer 模型进行软件漏洞预测的迁移学习

最近，软件安全社区利用文本挖掘和深度学习方法来识别漏洞。为此，自然语言处理（NLP）领域的进展为利用基于transformer的预训练模型构建漏洞预测（VP）模型开辟了新的方向。本研究探讨了生成式预训练转换器（GPT）和转换器的双向编码器表示（BERT）通过捕获源代码中的语义和句法信息来增强VP过程的能力。具体地说，我们研究了使用CodeGPT和CodeBERT来构建VP模型的不同方法，以最大限度地利用它们来完成VP的下游任务。为了提高模型的性能，我们探索了微调、词嵌入和句子嵌入提取方法。我们还比较了基于从头开始或经过自然语言预训练的变形金刚的VP模型。此外，我们将这些架构与最先进的文本挖掘和基于图的方法进行比较。结果表明，与微调或提取句子级特征相比，使用预训练的词嵌入训练单独的深度学习预测器是一种更有效的VP方法。研究结果还强调了上下文感知嵌入在模型试图识别源代码中的脆弱模式中的重要性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

Journal of Systems and Software 工程技术-计算机：理论方法

CiteScore

8.60

自引率

5.70%

发文量

193

审稿时长

16 weeks

期刊介绍： The Journal of Systems and Software publishes papers covering all aspects of software engineering and related hardware-software-systems issues. All articles should include a validation of the idea presented, e.g. through case studies, experiments, or systematic comparisons with other approaches already in practice. Topics of interest include, but are not limited to: •Methods and tools for, and empirical studies on, software requirements, design, architecture, verification and validation, maintenance and evolution •Agile, model-driven, service-oriented, open source and global software development •Approaches for mobile, multiprocessing, real-time, distributed, cloud-based, dependable and virtualized systems •Human factors and management concerns of software development •Data management and big data issues of software systems •Metrics and evaluation, data mining of software development resources •Business and economic aspects of software development processes The journal welcomes state-of-the-art surveys and reports of practical experience for all of these topics.