Automatically detecting software vulnerabilities in source code is an important problem that has attracted much attention. In particular, deep learning-based vulnerability detectors, or DL-based detectors, are attractive because they do not need human experts to define features or patterns of vulnerabilities. However, such detectors' robustness is unclear. In this paper, we initiate the study in this aspect by demonstrating that DL-based detectors are not robust against simple code transformations, dubbed attacks in this paper, as these transformations may be leveraged for malicious purposes. As a first step towards making DL-based detectors robust against such attacks, we propose an innovative framework, dubbed ZigZag, which is centered at (i) decoupling feature learning and classifier learning and (ii) using a ZigZag-style strategy to iteratively refine them until they converge to robust features and robust classifiers. Experimental results show that the ZigZag framework can substantially improve the robustness of DL-based detectors.

中文翻译：

---

使基于深度学习的漏洞检测器更加稳健

自动检测源代码中的软件漏洞是一个备受关注的重要问题。特别是，基于深度学习的漏洞检测器或基于 DL 的检测器很有吸引力，因为它们不需要人类专家来定义漏洞的特征或模式。然而，此类检测器的鲁棒性尚不清楚。在本文中，我们通过证明基于 DL 的检测器对简单代码转换（在本文中称为攻击）的鲁棒性不强来启动这方面的研究，因为这些转换可能被用于恶意目的。作为使基于 DL 的检测器能够抵御此类攻击的第一步，我们提出了一个名为 ZigZag 的创新框架，其中心是 (i) 将特征学习和分类器学习解耦，以及 (ii) 使用 ZigZag 风格的策略迭代地细化它们，直到它们收敛到鲁棒的特征和鲁棒的分类器。实验结果表明，ZigZag 框架可以显着提高基于 DL 的检测器的鲁棒性。