ResearchTrend.AI
477
1
v1v2v3v4 (latest)

Out of Distribution, Out of Luck: How Well Can LLMs Trained on Vulnerability Datasets Detect Top 25 CWE Weaknesses?

Yikun Li
Ngoc Tan Bui
Ting Zhang
Martin Weyssow
Chengran Yang
Xin Zhou
Jinfeng Jiang
Junkai Chen
Huihui Huang
Huu Hung Nguyen
Chiok Yew Ho
Jie Tan
Ruiyin Li
Yide Yin
Han Wei Ang
Frank Liauw
Eng Lieh Ouh
Lwin Khin Shar
David Lo
ArXiv (abs)PDFHTMLGithub (8★)
Main:11 Pages
12 Figures
Bibliography:1 Pages
6 Tables
Abstract

Automated vulnerability detection research has made substantial progress, yet its real-world impact remains limited. Current vulnerability datasets suffer from issues including label inaccuracy rates of 20-71%, extensive duplication, and poor coverage of critical CWE types. These issues create a significant "generalization gap" where models achieve misleading self-testing performance (measured on held-out data from same dataset for training) by exploiting spurious correlations rather than learning true vulnerability patterns. Our analysis reveals that many models experience substantial performance drops of up to 40.6% when evaluated on independent data, sometimes underperforming random guessing.

View on arXiv
Comments on this paper