EXVul: Toward Effective and Explainable Vulnerability Detection for IoT Devices
Published in | IEEE Internet of Things Journal, Vol. 11, no. 12, pp. 22385-22398 |
---|---|
Main Authors | Sicong Cao, Xiaobing Sun, Wei Liu, Di Wu, Jiale Zhang, Yan Li, Tom H. Luan, Longxiang Gao |
Format | Journal Article |
Language | English |
Published | Piscataway: IEEE (The Institute of Electrical and Electronics Engineers, Inc.), 15.06.2024 |
Abstract | As with anything connected to the Internet, Internet of Things (IoT) devices are also subject to severe cybersecurity threats because an adversary could exploit vulnerabilities in their internal software to perform malicious attacks. Despite the promising results of deep learning (DL)-based approaches, the lack of well-labeled IoT vulnerability samples available for training and explainability pose a critical challenge to deploy them in practice. In this article, we propose EXVUL, a novel DL-based approach for Effective and eXplainable IoT VULnerability detection. Specifically, inspired by recent advances of self-supervised learning in label-expensive tasks, we propose a new combinatorial contrastive loss to combine the strengths of large-scale unlabeled code corpus and limited IoT vulnerability samples. Then, given a binary detection result, EXVUL provides a set of faithful and stable code statements positively contributing to the model's predictions as understandable explanations. Experimental results indicate that EXVUL outperforms state-of-the-art baselines by 33.44%-72.91% and 19.52%-98.78% with respect to the accuracy and F1 score metrics, respectively. For vulnerability explanation, EXVUL improves over the best-performing baseline explainer PGExplainer by 22.97% in mean statement precision, 49.55% in mean statement recall, and 48.40% in mean intersection over union, demonstrating that the explanations provided by EXVUL can correctly point out the vulnerable statements relevant to the detected vulnerabilities. |
---|---|
Author | 1. Sicong Cao (ORCID 0000-0003-3688-4437; dx120210088@yzu.edu.cn; School of Information Engineering, Yangzhou University, Yangzhou, China); 2. Xiaobing Sun (ORCID 0000-0001-5165-5080; xbsun@yzu.edu.cn; School of Information Engineering, Yangzhou University, Yangzhou, China); 3. Wei Liu (ORCID 0000-0001-8503-4063; weiliu@yzu.edu.cn; School of Information Engineering, Yangzhou University, Yangzhou, China); 4. Di Wu (ORCID 0000-0002-4753-8161; di.wu@unisq.edu.au; School of Mathematics, Physics and Computing, University of Southern Queensland, Toowoomba, QLD, Australia); 5. Jiale Zhang (ORCID 0000-0002-2143-5666; jialezhang@yzu.edu.cn; School of Information Engineering, Yangzhou University, Yangzhou, China); 6. Yan Li (ORCID 0000-0002-4694-4926; yan.li@unisq.edu.au; School of Mathematics, Physics and Computing, University of Southern Queensland, Toowoomba, QLD, Australia); 7. Tom H. Luan (ORCID 0000-0002-5215-7443; tom.luan@xidian.edu.cn; School of Cyber Engineering, Xidian University, Xi'an, China); 8. Longxiang Gao (ORCID 0000-0002-3026-7537; gaolx@sdas.org; School of Mathematics, Physics and Computing, University of Southern Queensland, Toowoomba, QLD, Australia) |
CODEN | IITJAU |
ContentType | Journal Article |
Copyright | Copyright The Institute of Electrical and Electronics Engineers, Inc. (IEEE) 2024 |
DOI | 10.1109/JIOT.2024.3381641 |
Discipline | Computer Science |
EISSN | 2327-4662 |
EndPage | 22398 |
Genre | orig-research |
GrantInformation_xml | National Natural Science Foundation of China (grant 62206238; funder ID 10.13039/501100001809); Postgraduate Research and Practice Innovation Program of Jiangsu Province (grant KYCX22_3502); Jiangsu "333" Project and Yangzhou University Top-Level Talents Support Program (2019); Six Talent Peaks Project in Jiangsu Province (grant RJFW-053; funder ID 10.13039/501100010014); China Postdoctoral Science Foundation (grant 2023M732985; funder ID 10.13039/501100002858); China Scholarship Council Foundation (grant 202308320436; funder ID 10.13039/501100004543); State Key Laboratory of Massive Personalized Customization System and Technology (grant H&C-MPC-2023-02-05); Natural Science Foundation of Jiangsu Province (grant BK20220562; funder ID 10.13039/501100004608) |
ISSN | 2327-4662 |
IsPeerReviewed | false |
IsScholarly | true |
Issue | 12 |
Language | English |
License | https://ieeexplore.ieee.org/Xplorehelp/downloads/license-information/IEEE.html https://doi.org/10.15223/policy-029 https://doi.org/10.15223/policy-037 |
ORCID | 0000-0003-3688-4437 0000-0002-5215-7443 0000-0001-5165-5080 0000-0001-8503-4063 0000-0002-3026-7537 0000-0002-4753-8161 0000-0002-4694-4926 0000-0002-2143-5666 |
PageCount | 14 |
PublicationCentury | 2000 |
PublicationDate | 2024-06-15 |
PublicationDecade | 2020 |
PublicationPlace | Piscataway |
PublicationTitle | IEEE internet of things journal |
PublicationTitleAbbrev | JIoT |
PublicationYear | 2024 |
Publisher | IEEE The Institute of Electrical and Electronics Engineers, Inc. (IEEE) |
StartPage | 22385 |
SubjectTerms | Codes; Combinatorial analysis; Contrastive learning; Contrastive learning (CL); Cybersecurity; Deep learning; Detection algorithms; Explainability; Internet of Things; Internet of Things (IoT); Multiprotocol label switching; Reactive power; Self-supervised learning; Stability; Stability analysis; Training |
Title | EXVul: Toward Effective and Explainable Vulnerability Detection for IoT Devices |
URI | https://ieeexplore.ieee.org/document/10479158 https://www.proquest.com/docview/3065465678 |
Volume | 11 |