EXVUL: Towards Effective and Explainable Vulnerability Detection for IoT Devices

IEEE Internet of Things Journal(2024)

Abstract
As with anything connected to the internet, Internet of Things (IoT) devices are also subject to severe cybersecurity threats because an adversary could exploit vulnerabilities in their internal software to perform malicious attacks. Despite the promising results of Deep Learning (DL)-based approaches, the lack of well-labeled IoT vulnerability samples available for training and explainability pose a critical challenge to deploying them in practice. In this paper, we propose EXVUL, a novel DL-based approach for Effective and eXplainable IoT VULnerability detection. Specifically, inspired by recent advances of self-supervised learning in label-expensive tasks, we propose a new combinatorial contrastive loss to combine the strengths of large-scale unlabeled code corpus and limited IoT vulnerability samples. Then, given a binary detection result, EXVUL provides a set of faithful and stable code statements positively contributing to the model’s predictions as understandable explanations. Experimental results indicate that EXVUL outperforms state-of-the-art baselines by 33.44%-72.91% and 19.52%-98.78% with respect to the accuracy and F1 score metrics, respectively. For vulnerability explanation, EXVUL improves over the best-performing baseline explainer PGExplainer by 22.97% in MSP, 49.55% in MSR, and 48.40% in MIoU, demonstrating that the explanations provided by EXVUL can correctly point out the vulnerable statements relevant to the detected vulnerabilities.
Keywords
Internet of Things (IoT), explainability, contrastive learning, stability