Leveraging Large Language Models for Automated Software Vulnerability Detection

Traditional methods for identifying software vulnerabilities are often labor-intensive and prone to human error. This paper explores the effectiveness of fine-tuned large language models (LLMs) in automatically detecting and categorizing common software vulnerabilities in source code. Our experimental results demonstrate promising accuracy and efficiency, suggesting a significant potential for improving software security pipelines.

Manual software vulnerability detection is unscalable, while traditional automated tools (SAST) suffer from high false positive rates and fail to capture semantic logic flaws, leading to 'alert fatigue' among developers.

The authors utilized a dataset of C/C++ and Java functions labeled with vulnerabilities (from BigVul). They fine-tuned a CodeLlama-13B model using LoRA (Low-Rank Adaptation) for efficiency. They introduced a retrieval-augmented generation (RAG) pipeline where the model queries a database of vulnerability patterns before making a prediction. Performance was measured using Accuracy, Precision, Recall, and F1-score against baselines like CodeQL and GraphCodeBERT.

The proposed LLM-based method achieved an F1-score of 82.5% on the test set, outperforming CodeBERT (76%) and standard static analysis tools (~60%). The RAG component increased the detection of rare vulnerability types by 18%. However, the model struggled with inter-procedural vulnerabilities that spanned multiple files due to context window limits.

The paper presents a solid advancement in applying Generative AI to security. However, it glosses over the 'explanation hallucination' problem, where the model correctly identifies a bug but gives the wrong reason, leading developers astray. The reliance on Python/C++ datasets leaves a gap for other languages. The comparison with SAST is slightly unfair as SAST tools are deterministic and rule-based, whereas LLMs are probabilistic; a true production system needs both.