Conference:
International Joint Conference on Neural Networks (IJCNN)
21-26 June 2026, Maastricht, Netherlands
Authors:
Siavvas M, Kalouptsoglou I, Kehagias D, Tzovaras D.
Abstract:
The increasing integration of artificial intelligence (AI), and particularly machine learning (ML), into software-intensive systems raises security concerns for AI/ML-specific code. Although AI-based vulnerability detection models (VDMs) achieve accurate prediction on contemporary software, their cross-domain effectiveness on AI/ML-specific software remains underexplored due to limited labeled data. To fill this gap, in this paper we aim to examine whether VDMs trained on contemporary software can accurately detect vulnerabilities in AI/ML-specific software as well, and to assess how domain adaptation can affect their performance. We construct a dataset of vulnerable and non-vulnerable Python functions split into contemporary and AI/ML-specific subsets, fine-tune CodeBERT and CodeGPT on the contemporary subset, and evaluate them on the AI/ML subset. We then perform gradual adaptation by adding 5%, 10%, 15%, 20%, 25%, 40%, and 50% target domain samples. We also analyze representation drift with UMAP and attention drift via self-attention-based explainability. Results suggest that AI-based VDMs built on contemporary software cannot be used effectively on AI/ML-specific software without proper domain adaptation, indicating that AI/ML-specific software exhibits unique characteristics; however, even a small to moderate amount of domain-specific data can enable satisfactory cross-domain detection accuracy.




