Harnessing Large Language Models for Software Vulnerability Detection: A Comprehensive Benchmarking Study

Karl Tamberg, Hayretdin Bahsi
2024-05-24
Abstract: Despite various approaches being employed to detect vulnerabilities, the number of reported vulnerabilities shows an upward trend over the years. This suggests the problems are not caught before the code is released, which could be caused by many factors, like lack of awareness, limited efficacy of the existing vulnerability detection tools or the tools not being user-friendly. To help combat some issues with traditional vulnerability detection tools, we propose using large language models (LLMs) to assist in finding vulnerabilities in source code. LLMs have shown a remarkable ability to understand and generate code, underlining their potential in code-related tasks. The aim is to test multiple state-of-the-art LLMs and identify the best prompting strategies, allowing extraction of the best value from the LLMs. We provide an overview of the strengths and weaknesses of the LLM-based approach and compare the results to those of traditional static analysis tools. We find that LLMs can pinpoint many more issues than traditional static analysis tools, outperforming traditional tools in terms of recall and F1 scores. The results should benefit software developers and security analysts responsible for ensuring that the code is free of vulnerabilities.
Cryptography and Security, Artificial Intelligence, Software Engineering
What problem does this paper attempt to address?
### Problems the Paper Attempts to Solve

The paper aims to address several key issues in software vulnerability detection:

1. **Limitations of Existing Tools**: Despite the adoption of various methods to detect vulnerabilities, the number of reported vulnerabilities is on the rise. This indicates that many issues are not being discovered before the code is released. These problems may be caused by various factors, such as lack of awareness, limited effectiveness of existing vulnerability detection tools, or tools not being user-friendly enough.
2. **Improving Detection Efficiency and Accuracy**: Existing static analysis tools have high false positive rates or can only detect specific types of vulnerabilities. Dynamic analysis techniques face performance issues and are prone to missing problems. Therefore, a more effective method is needed to improve the accuracy and efficiency of vulnerability detection.
3. **Utilizing Large Language Models (LLMs)**: The paper proposes using large language models (LLMs) to assist in detecting vulnerabilities in source code. LLMs have shown excellent performance in understanding and generating code, with the potential to play a role in code-related tasks. By testing multiple state-of-the-art LLMs and identifying the best prompting strategies, the maximum value of LLMs can be extracted.
4. **Comprehensive Benchmarking**: The paper conducts a comprehensive benchmarking study, evaluating the performance of different LLMs and prompting strategies in vulnerability detection tasks, and comparing them with traditional static analysis tools. The goal is to identify the most effective LLM prompting strategies and analyze the advantages and disadvantages of LLMs compared to traditional tools.

### Main Research Questions

1. **Which prompting strategy is most successful when using LLMs to detect vulnerabilities?**
2. **What are the advantages and disadvantages of LLMs compared to existing static analysis tools?**
3. **How can off-the-shelf LLMs contribute to vulnerability detection in source code?**

By answering these research questions, the paper hopes to provide practical recommendations for software developers and security analysts to more effectively utilize LLMs for vulnerability detection.