Multitask-based Evaluation of Open-Source LLM on Software Vulnerability

Xin Yin, Chao Ni, Shaohua Wang

TL;DR

This paper presents a pipeline to quantitatively evaluate open-source LLMs on software vulnerability tasks using the Big-Vul dataset. It conducts a comprehensive, multi-task evaluation across vulnerability detection, vulnerability assessment, vulnerability location, and vulnerability description, comparing open-source LLMs against established baselines and pre-trained LMs under few-shot and fine-tuning settings. The results show that fine-tuned code-related LLMs often outperform pre-trained LMs in vulnerability assessment and location, while LLMs lag behind transformer-based approaches for detection, and vulnerability descriptions are hampered by output verbosity, which can be mitigated by post-processing. The authors release replication data and provide actionable insights for deploying LLMs in software vulnerability tasks, highlighting where LLMs offer value and what remains challenging.

Abstract

This paper proposes a pipeline for quantitatively evaluating interactive Large Language Models (LLMs) using publicly available datasets. We carry out an extensive technical evaluation of LLMs using Big-Vul covering four different common software vulnerability tasks. This evaluation assesses the multi-tasking capabilities of LLMs based on this dataset. We find that the existing state-of-the-art approaches and pre-trained Language Models (LMs) are generally superior to LLMs in software vulnerability detection. However, in software vulnerability assessment and location, certain LLMs (e.g., CodeLlama and WizardCoder) have demonstrated superior performance compared to pre-trained LMs, and providing more contextual information can enhance the vulnerability assessment capabilities of LLMs. Moreover, LLMs exhibit strong vulnerability description capabilities, but their tendency to produce excessive output significantly weakens their performance compared to pre-trained LMs. Overall, though LLMs perform well in some aspects, they still need improvement in understanding the subtle differences in code vulnerabilities and the ability to describe vulnerabilities to fully realize their potential. Our evaluation pipeline provides valuable insights into the capabilities of LLMs in handling software vulnerabilities.

Paper Structure (22 sections, 8 figures, 14 tables)

This paper contains 22 sections, 8 figures, 14 tables.

Figures (8)

  • Figure 1: The relationship among software vulnerability analysis activities
  • Figure 2: The capability comparison of LLMs with different parameter sizes on different software vulnerability tasks
  • Figure 3: Fine-tuning LLMs for software vulnerability tasks
  • Figure 4: The prompt contains three pieces of information: (1) task description, (2) source code, and (3) indicator
  • Figure 5: The impact of key important information on LLM Vulnerability Assessment (RQ2)
  • ...and 3 more figures