Regarding computer security, the growth of code vulnerability types presents a persistent challenge. These vulnerabilities, which may cause severe consequences, necessitate precise classification for effective mitigation. However, the rapid emergence of new vulnerability types complicates the classification process. Traditional methodologies, which often involve human expertise and the manual labeling or generation of example instances, are not only resource-intensive but also struggle to adapt to the dynamic nature of these vulnerabilities. This article introduces VulnSense, an innovative method that harnesses the capabilities of Generalized Zero-Shot Learning (GZSL) to address the vulnerability classification problem. VulnSense learns about unseen vulnerability classes from the descriptions of these unseen classes, while not requiring to see any instances of these unseen classes. Specifically, VulnSense learns from three main resources: 1) seen classes with labeled code instances; 2) descriptions of these seen classes; and 3) descriptions of “unseen” classes which have no labeled instances. Our experiments underscore VulnSense's superiority over existing GZSL methods in classifying instances of unseen classes. Concurrently, it maintains a performance parity with traditional labeled-example based learning methods in classifying instances of seen vulnerabilities. VulnSense demonstrates the potential of using GZSL for vulnerability classification, while also highlighting challenges that inspire future work.
