Recent advances in automated vulnerability detection have achieved promising results in helping developers determine which components are vulnerable. However, once a vulnerability is detected, investigating how to fix the vulnerable code is a non-trivial task. In fact, the type of a vulnerability, such as buffer overflow or memory corruption, can help developers quickly understand the nature of the weakness and localize it for security analysis. In this work, we investigate the problem of vulnerability type identification (VTI). We model the problem as a multi-label classification task, which can be addressed effectively by the "pre-training, then fine-tuning" framework with deep pre-trained embedding models. We evaluate the performance of well-known and advanced pre-trained models for VTI on a large set of vulnerabilities. Surprisingly, their performance is not much better than that of a classical baseline approach built on an old-fashioned bag-of-words representation, TF-IDF. Meanwhile, these deep neural network approaches consume far more resources and require GPUs. We also introduce a lightweight, independent component to refine the predictions of the baseline approach. Our idea is that vulnerability types may correlate strongly with certain code tokens (distinguishing tokens) in several crucial parts of programs. The distinguishing tokens for each vulnerability type are identified statistically, based on their prevalence in that type versus the others. Our results show that the baseline approach enhanced by our component can outperform the state-of-the-art deep pre-trained approaches while retaining very high efficiency. Furthermore, the proposed component can also improve the neural network approaches by up to 92.8% in macro-average F1.
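The following is an added illustration of the distinguishing-token idea described above; it is example code written for this page, not the authors' implementation. It assumes a concrete prevalence statistic (fraction of samples of a type containing a token, divided by the add-one-smoothed fraction among samples of other types), a concrete refinement rule (add a type whenever a snippet contains one of that type's distinguishing tokens), and a constructed, toy training set with made-up labels; the paper's actual statistic, thresholds and data are not reproduced here. The baseline predictions stand in for a TF-IDF classifier's output, and `macro_f1` shows the metric the abstract reports.

```python
import re

# Constructed, illustrative training samples: (C-like snippet, set of vulnerability types).
# These are made up for this example; they are not from the paper's dataset.
TRAIN = [
    ("char buf[16]; strcpy(buf, input); return buf;", {"buffer_overflow"}),
    ("char dst[8]; strcpy(dst, src); gets(dst);", {"buffer_overflow"}),
    ("memcpy(out, in, n); strcat(out, tail);", {"buffer_overflow"}),
    ("char *p = malloc(n); free(p); use(p);", {"use_after_free"}),
    ("free(ptr); ptr->next = NULL;", {"use_after_free"}),
    ("free(q); memcpy(q, src, len);", {"use_after_free", "buffer_overflow"}),
    ("int x = a * b; char *buf = malloc(x);", {"integer_overflow"}),
    ("size_t len = w * h; p = malloc(len);", {"integer_overflow"}),
]

# Constructed evaluation snippets: (snippet, gold types, assumed baseline prediction).
# The baseline prediction stands in for what a TF-IDF classifier might output.
EVAL = [
    ("strcpy(buf, src);", {"buffer_overflow"}, {"buffer_overflow"}),
    ("free(p); p->x = 1;", {"use_after_free"}, {"integer_overflow"}),
]

TOKEN_RE = re.compile(r"[A-Za-z_]\w*")


def code_tokens(code):
    """Identifier-like tokens of a snippet, as a set (presence matters, not count)."""
    return set(TOKEN_RE.findall(code))


def distinguishing_tokens(samples, min_ratio=2.0, min_in_type=2):
    """Per type, tokens far more prevalent in that type than in the others.

    Assumed statistic: prevalence within the type divided by add-one-smoothed
    prevalence among the remaining samples; a token must also occur in at least
    min_in_type samples of the type so that a single snippet cannot dominate.
    Returns {type: {token: ratio}}.
    """
    types = sorted({t for _, ts in samples for t in ts})
    result = {}
    for vt in types:
        in_type = [code_tokens(c) for c, ts in samples if vt in ts]
        others = [code_tokens(c) for c, ts in samples if vt not in ts]
        chosen = {}
        for tok in set().union(*in_type):
            cnt_in = sum(tok in s for s in in_type)
            p_in = cnt_in / len(in_type)
            p_out = (sum(tok in s for s in others) + 1) / (len(others) + 1)
            ratio = p_in / p_out
            if cnt_in >= min_in_type and ratio >= min_ratio:
                chosen[tok] = ratio
        result[vt] = chosen
    return result


def refine(baseline_labels, code, dist_tokens, min_hits=1):
    """Assumed refinement rule: keep the baseline's labels and add any type for
    which the snippet contains at least min_hits of that type's distinguishing tokens."""
    present = code_tokens(code)
    labels = set(baseline_labels)
    for vt, toks in dist_tokens.items():
        if len(present & set(toks)) >= min_hits:
            labels.add(vt)
    return labels


def macro_f1(gold, pred, types):
    """Macro-average F1 over types for multi-label predictions (F1 = 0 for a type
    with no true positives, false positives or false negatives)."""
    scores = []
    for vt in types:
        tp = sum(vt in g and vt in p for g, p in zip(gold, pred))
        fp = sum(vt not in g and vt in p for g, p in zip(gold, pred))
        fn = sum(vt in g and vt not in p for g, p in zip(gold, pred))
        denom = 2 * tp + fp + fn
        scores.append(2 * tp / denom if denom else 0.0)
    return sum(scores) / len(scores)


def evaluate(train, eval_set):
    """Return (baseline macro-F1, refined macro-F1) on the evaluation snippets."""
    dist = distinguishing_tokens(train)
    types = sorted(dist)
    gold = [g for _, g, _ in eval_set]
    baseline = [b for _, _, b in eval_set]
    refined = [refine(b, code, dist) for code, _, b in eval_set]
    return macro_f1(gold, baseline, types), macro_f1(gold, refined, types)


if __name__ == "__main__":
    for vt, toks in distinguishing_tokens(TRAIN).items():
        print(vt, sorted(toks))
    base_f1, ref_f1 = evaluate(TRAIN, EVAL)
    print(f"baseline macro-F1 {base_f1:.3f}, refined macro-F1 {ref_f1:.3f}")
```

On this toy data the statistic picks `strcpy`, `memcpy` and `src` for buffer overflow, `free` for use-after-free and `malloc` for integer overflow, and the refinement step recovers the use-after-free label the assumed baseline missed. The thresholds (`min_ratio`, `min_in_type`, `min_hits`) are the knobs a practitioner would tune on held-out data; with a real TF-IDF classifier in place of the hard-coded baseline, the same `refine` call wraps its output without touching the model.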