Attention Is All You Need for LLM-based Code Vulnerability Localization

Yue Li, Xiao Li, Hao Wu, Yue Zhang, Xiuzhen Cheng, Sheng Zhong, Fengyuan Xu
2024-10-20
Abstract: The rapid expansion of software systems and the growing number of reported vulnerabilities have emphasized the importance of accurately identifying vulnerable code segments. Traditional methods for vulnerability localization, such as manual code audits or rule-based tools, are often time-consuming and limited in scope, typically focusing on specific programming languages or types of vulnerabilities. In recent years, the introduction of large language models (LLMs) such as GPT and LLaMA has opened new possibilities for automating vulnerability detection. However, while LLMs show promise in this area, they face challenges, particularly in maintaining accuracy over longer code contexts. This paper introduces LOVA, a novel framework leveraging the self-attention mechanisms inherent in LLMs to enhance vulnerability localization. Our key insight is that self-attention mechanisms assign varying importance to different parts of the input, making it possible to track how much attention the model focuses on specific lines of code. In the context of vulnerability localization, the hypothesis is that vulnerable lines of code will naturally attract higher attention weights because they have a greater influence on the model's output. By systematically tracking changes in attention weights and focusing on specific lines of code, LOVA improves the precision of identifying vulnerable lines across various programming languages. Through rigorous experimentation and evaluation, we demonstrate that LOVA significantly outperforms existing LLM-based approaches, achieving up to a 5.3x improvement in F1-scores. LOVA also demonstrated strong scalability, with up to a 14.6x improvement in smart contract vulnerability localization across languages like C, Python, Java, and Solidity. Its robustness was proven through consistent performance across different LLM architectures.
Cryptography and Security
What problem does this paper attempt to address?
The problem this paper attempts to solve is accurately locating code vulnerabilities in large-scale software systems. With the rapid expansion of software systems and the increasing number of reported vulnerabilities, it has become especially important to accurately identify vulnerable code segments. Traditional methods, such as manual code auditing or rule-based tools, are time-consuming and limited in scope, usually focusing only on specific programming languages or types of vulnerabilities. In recent years, the introduction of large language models (LLMs) such as GPT and LLaMA has opened up new possibilities for automated vulnerability detection. However, although LLMs have shown potential in this field, their accuracy degrades over longer code contexts, which limits their effectiveness in practice.

To address these problems, this paper proposes a new framework named LOVA, which uses the self-attention mechanism in LLMs to improve the accuracy of vulnerability localization. The main contributions of the paper include:

1. **Discovering the effectiveness of the self-attention mechanism**: by tracking changes in self-attention weights, specific lines of code that may contain vulnerabilities can be identified.
2. **Designing and implementing the LOVA framework**: the key techniques of LOVA include a line-index-based prompt design to prevent confusion in large code contexts; dimension-reduction techniques to simplify large attention outputs; and an attention-map-difference evaluation to assess the impact of focusing on a specific line. In addition, a language-aware deep-learning model lets the method generalize across multiple programming languages.
3. **Demonstrating the superior performance of LOVA**: LOVA significantly outperforms existing LLM-based methods across multiple programming languages and benchmarks, especially in long code contexts.

Through these innovations, LOVA not only improves the precision and recall of vulnerability localization but also shows good adaptability and robustness across different programming languages and code lengths.
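As an added illustration of the line-level attention idea described above (example code written for this page, not LOVA's implementation), the following block assumes that a token-by-token attention matrix has already been extracted from a model and that each token can be mapped back to a source line. The sample C lines and both attention rows are constructed by hand; the whitespace tokenizer, the per-line aggregation, the length normalization and the "focused minus plain prompt" difference are assumptions about how such a pipeline could be built, not a description of the paper's method.

```python
"""Line-level attention aggregation for vulnerability localization.

Added example, not LOVA's own code. It assumes (hypothetically) that a
token-by-token attention matrix has already been pulled out of a model and
that each token can be mapped back to a source line. It shows how a single
attention row (attention from the answer position to every code token) is
collapsed into per-line scores, how a line-length normalization avoids
favouring long lines, and how an attention-map difference between a plain
prompt and a "focus on line k" prompt can be used to rank lines.
"""

# Constructed sample input: four lines of C with an unchecked memcpy length.
SAMPLE_LINES = [
    "char buf[16];",
    "int n = read_len();",
    "memcpy(buf, src, n);",
    "return 0;",
]

# Constructed attention rows (one value per whitespace token, 11 tokens total).
# Each row is the attention paid by the model's answer position to every code
# token; rows sum to 1, as softmax attention rows do.
BASE_ROW = [0.05, 0.05,                   # line 1: char buf[16];
            0.05, 0.05, 0.05, 0.05,       # line 2: int n = read_len();
            0.20, 0.15, 0.15,             # line 3: memcpy(buf, src, n);
            0.10, 0.10]                   # line 4: return 0;
# Constructed row for a prompt that additionally asks the model to consider line 3.
FOCUSED_ROW = [0.03, 0.03,
               0.04, 0.04, 0.04, 0.04,
               0.25, 0.20, 0.20,
               0.065, 0.065]


def build_indexed_prompt(lines):
    """Prefix every line with a 1-based index so a line can be named in the prompt."""
    return "\n".join(f"{i + 1}: {line}" for i, line in enumerate(lines))


def tokenize_with_lines(lines):
    """Whitespace tokenization that remembers the 0-based source line of each token.
    A real pipeline would use the model's tokenizer and its offset mapping instead."""
    tokens, token_lines = [], []
    for i, line in enumerate(lines):
        for tok in line.split():
            tokens.append(tok)
            token_lines.append(i)
    return tokens, token_lines


def line_attention_scores(attn_row, token_lines, n_lines, normalize_by_length=True):
    """Collapse a token-level attention row into one score per source line."""
    if len(attn_row) != len(token_lines):
        raise ValueError("attention row and token/line map have different lengths")
    if abs(sum(attn_row) - 1.0) > 1e-6:
        raise ValueError("attention row should be a softmax row summing to 1")
    totals = [0.0] * n_lines
    counts = [0] * n_lines
    for weight, li in zip(attn_row, token_lines):
        totals[li] += weight
        counts[li] += 1
    if not normalize_by_length:
        return totals
    # Mean attention per token, so a long line does not win simply by having more tokens.
    return [t / c if c else 0.0 for t, c in zip(totals, counts)]


def attention_shift(base_row, focused_row, token_lines, n_lines):
    """Per-line change in attention between the plain prompt and the focused prompt."""
    base = line_attention_scores(base_row, token_lines, n_lines)
    focused = line_attention_scores(focused_row, token_lines, n_lines)
    return [f - b for f, b in zip(focused, base)]


def rank_lines(scores):
    """Line indices ordered from most to least suspicious."""
    return sorted(range(len(scores)), key=lambda i: scores[i], reverse=True)


def localize(lines, base_row, focused_row):
    """Rank lines by how much attention moves onto them when the prompt focuses on them."""
    _, token_lines = tokenize_with_lines(lines)
    return rank_lines(attention_shift(base_row, focused_row, token_lines, len(lines)))


if __name__ == "__main__":
    print(build_indexed_prompt(SAMPLE_LINES))
    ranked = localize(SAMPLE_LINES, BASE_ROW, FOCUSED_ROW)
    print("most suspicious line:", ranked[0] + 1, SAMPLE_LINES[ranked[0]])
```

Two points worth noticing when running this against real attention tensors. First, raw per-line attention mass rewards long lines: in the constructed data the four-token line 2 and the two-token line 4 receive the same total, and only the per-token normalization separates them, so some normalization or dimension reduction is needed before line scores are comparable. Second, the choice of which layer, head and query position to read the row from is where the real design work lies; with Hugging Face Transformers the tensors come from a forward pass with `output_attentions=True`, and the token-to-line map should come from the tokenizer's offsets rather than the whitespace split used here.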