Software vulnerabilities (SVs) have become a common, serious, and crucial concern for safety- and security-critical systems. This has driven significant progress in the use of AI-based methods for software vulnerability detection (SVD). In practice, although AI-based methods have achieved promising performance in SVD and in other domains (e.g., computer vision), they are well known to fail at predicting the ground-truth label of inputs that lie far from the training data distribution (the in-distribution, ID, data); such inputs are referred to as out-of-distribution (OOD) data. This drawback leads to a serious issue: the models give no indication of when they are likely to be mistaken. To address this problem, OOD detectors (which determine whether an input is ID or OOD) are applied before the input is fed to the downstream AI-based modules. While OOD detection has been widely studied for computer vision and medical diagnosis applications, automated AI-based techniques for detecting OOD source code data have not yet been well studied. To this end, in this paper we propose a deep learning-based approach to the OOD source code data identification problem. Our method is derived from an information-theoretic perspective and uses cluster-contrastive learning to learn and leverage source code characteristics, enhancing the data representations learned for the task. Rigorous and comprehensive experiments on real-world source code datasets show that our approach outperforms state-of-the-art baselines by a wide margin: on average, it improves on the baselines by around 15.27%, 7.39%, and 4.93% on the FPR, AUROC, and AUPR measures, respectively.