The growth of open-source software has increased the risk of hidden
vulnerabilities that can affect downstream software applications. This concern
is further exacerbated by software vendors' practice of silently releasing
security patches without explicit warnings or common vulnerability and exposure
(CVE) notifications. This lack of transparency leaves users unaware of
potential security threats, giving attackers an opportunity to take advantage
of these vulnerabilities. In the complex landscape of software patches,
grasping the nuanced semantics of a patch is vital for ensuring secure software
maintenance. To address this challenge, we introduce a multilevel Semantic
Embedder for security patch detection, termed MultiSEM. This model harnesses
word-centric vectors at a fine-grained level, emphasizing the significance of
individual words, while the coarse-grained layer adopts entire code lines for
vector representation, capturing the essence and interrelation of added or
removed lines. We further enrich this representation by assimilating patch
descriptions to obtain a holistic semantic portrait. This combination of
multi-layered embeddings offers a robust representation that balances word-level
detail, code-line insights, and patch descriptions.
Evaluating MultiSEM on security patch detection, our results demonstrate its
superiority, outperforming state-of-the-art models by promising margins: a
22.46% improvement on PatchDB and a 9.21% improvement on SPI-DB in terms of
the F1 metric.
Disciplines:
Computer science
Author, co-author:
TANG, Xunzhu ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
CHEN, Zhenghan
EZZINI, Saad ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust > TruX > Team Jacques KLEIN
TIAN, Haoye ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust > TruX > Team Tegawendé François d A BISSYANDE
SONG, Yewei ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX
KLEIN, Jacques ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > TruX