Show simple item record

dc.contributor.authorArumugam, Krishna Kanth
dc.date.accessioned2023-05-23 20:00:28 (GMT)
dc.date.available2023-05-23 20:00:28 (GMT)
dc.date.issued2023-05-23
dc.date.submitted2023-05-16
dc.identifier.urihttp://hdl.handle.net/10012/19471
dc.description.abstractThe impact of software vulnerabilities on daily-used software systems is alarming. Despite numerous proposed deep learning-based models to automate vulnerability detection, the detection of software vulnerabilities remains a significant issue. While some techniques report high precision/recall scores of up to 99%, our experience leads us to believe that these models may underperform in realistic settings, specifically when evaluating vulnerability detection models on the entire source code repository of a project. Therefore, in this thesis, we create a more comprehensive vulnerability detection dataset (i.e., Comp-Vul), which aims to accurately represent the realistic settings where vulnerability detection models are deployed. Then, we evaluate the performance of two state-of-the-art deep learning-based models, LineVul and DeepWukong, on the Comp-Vul dataset. Our results show that the performance of both models drops drastically, with precision dropping by 86% - 95% and F1 score dropping by 88% - 91%. Our further investigation shows that the ratio of vulnerable to non-vulnerable samples in the evaluation dataset significantly impacts the performance metrics of these models. When we visualize the embeddings produced by the models, we find that there is a substantial overlap between vulnerable and non-vulnerable samples. This shows that these models have difficulty distinguishing between vulnerable and non-vulnerable samples in the Comp-Vul dataset, resulting in a high number of false positives. We introduce a new program slice-level vulnerability detection technique named SliceVul, which leverages the powerful capabilities of Transformers and incorporates the semantic properties of source code programs such as data and control flow information. Our approach outperforms the existing state-of-the-art program slice-level vulnerability detection model, DeepWukong when evaluated on the Comp-Vul dataset. Our study argues that accurately identifying vulnerabilities using deep learning remains a challenging task that requires improved approaches to model evaluation and design. Further research and development, complemented by realistic evaluation datasets, is required to enhance the performance of these methods.en
dc.language.isoenen
dc.publisherUniversity of Waterlooen
dc.subjectvulnerability detectionen
dc.subjectvulnerability datasetsen
dc.subjectdeep learningen
dc.titleEvaluating Deep Learning-based Vulnerability Detection Models on Realistic Datasetsen
dc.typeMaster Thesisen
dc.pendingfalse
uws-etd.degree.departmentDavid R. Cheriton School of Computer Scienceen
uws-etd.degree.disciplineComputer Scienceen
uws-etd.degree.grantorUniversity of Waterlooen
uws-etd.degreeMaster of Mathematicsen
uws-etd.embargo.terms0en
uws.contributor.advisorNagappan, Meiyappan
uws.contributor.affiliation1Faculty of Mathematicsen
uws.published.cityWaterlooen
uws.published.countryCanadaen
uws.published.provinceOntarioen
uws.typeOfResourceTexten
uws.peerReviewStatusUnrevieweden
uws.scholarLevelGraduateen


Files in this item

Thumbnail

This item appears in the following Collection(s)

Show simple item record


UWSpace

University of Waterloo Library
200 University Avenue West
Waterloo, Ontario, Canada N2L 3G1
519 888 4883

All items in UWSpace are protected by copyright, with all rights reserved.

DSpace software

Service outages