Table of Contents
Fetching ...

AutoVulnPHP: LLM-Powered Two-Stage PHP Vulnerability Detection and Automated Localization

Zhiqiang Wang, Yizhong Ding, Zilong Xiao, Jinyu Lu, Yan Jia, Yanjun Li

TL;DR

AutoVulnPHP addresses the dual challenges of accurate vulnerability detection and precise localization in PHP, a language with extensive legacy code and semantic blind spots. It introduces a cascaded two-stage detector (SIFT-VulMiner for structure and SAFE-VulMiner for semantics) paired with an ISAL localization framework that constrains LLM-driven edits within safety and functional bounds. The PHPVD dataset (26,614 files, 5.2M LOC, seven vulnerability types) underpins training and evaluation, enabling strong detection (99.7% on public benchmarks) and localization (81% real-world success) and driving practical vulnerability discovery (429 new flaws, 351 CVEs). The work demonstrates that combining structural priors with semantic reasoning and constraint-guided localization yields scalable, reliable vulnerability analysis with tangible industry impact.

Abstract

PHP's dominance in web development is undermined by security challenges: static analysis lacks semantic depth, causing high false positives; dynamic analysis is computationally expensive; and automated vulnerability localization suffers from coarse granularity and imprecise context. Additionally, the absence of large-scale PHP vulnerability datasets and fragmented toolchains hinder real-world deployment. We present AutoVulnPHP, an end-to-end framework coupling two-stage vulnerability detection with fine-grained automated localization. SIFT-VulMiner (Structural Inference for Flaw Triage Vulnerability Miner) generates vulnerability hypotheses using AST structures enhanced with data flow. SAFE-VulMiner (Semantic Analysis for Flaw Evaluation Vulnerability Miner) verifies candidates through pretrained code encoder embeddings, eliminating false positives. ISAL (Incremental Sequence Analysis for Localization) pinpoints root causes via syntax-guided tracing, chain-of-thought LLM inference, and causal consistency checks to ensure precision. We contribute PHPVD, the first large-scale PHP vulnerability dataset with 26,614 files (5.2M LOC) across seven vulnerability types. On public benchmarks and PHPVD, AutoVulnPHP achieves 99.7% detection accuracy, 99.5% F1 score, and 81.0% localization rate. Deployed on real-world repositories, it discovered 429 previously unknown vulnerabilities, 351 assigned CVE identifiers, validating its practical effectiveness.

AutoVulnPHP: LLM-Powered Two-Stage PHP Vulnerability Detection and Automated Localization

TL;DR

AutoVulnPHP addresses the dual challenges of accurate vulnerability detection and precise localization in PHP, a language with extensive legacy code and semantic blind spots. It introduces a cascaded two-stage detector (SIFT-VulMiner for structure and SAFE-VulMiner for semantics) paired with an ISAL localization framework that constrains LLM-driven edits within safety and functional bounds. The PHPVD dataset (26,614 files, 5.2M LOC, seven vulnerability types) underpins training and evaluation, enabling strong detection (99.7% on public benchmarks) and localization (81% real-world success) and driving practical vulnerability discovery (429 new flaws, 351 CVEs). The work demonstrates that combining structural priors with semantic reasoning and constraint-guided localization yields scalable, reliable vulnerability analysis with tangible industry impact.

Abstract

PHP's dominance in web development is undermined by security challenges: static analysis lacks semantic depth, causing high false positives; dynamic analysis is computationally expensive; and automated vulnerability localization suffers from coarse granularity and imprecise context. Additionally, the absence of large-scale PHP vulnerability datasets and fragmented toolchains hinder real-world deployment. We present AutoVulnPHP, an end-to-end framework coupling two-stage vulnerability detection with fine-grained automated localization. SIFT-VulMiner (Structural Inference for Flaw Triage Vulnerability Miner) generates vulnerability hypotheses using AST structures enhanced with data flow. SAFE-VulMiner (Semantic Analysis for Flaw Evaluation Vulnerability Miner) verifies candidates through pretrained code encoder embeddings, eliminating false positives. ISAL (Incremental Sequence Analysis for Localization) pinpoints root causes via syntax-guided tracing, chain-of-thought LLM inference, and causal consistency checks to ensure precision. We contribute PHPVD, the first large-scale PHP vulnerability dataset with 26,614 files (5.2M LOC) across seven vulnerability types. On public benchmarks and PHPVD, AutoVulnPHP achieves 99.7% detection accuracy, 99.5% F1 score, and 81.0% localization rate. Deployed on real-world repositories, it discovered 429 previously unknown vulnerabilities, 351 assigned CVE identifiers, validating its practical effectiveness.
Paper Structure (24 sections, 5 equations, 9 figures, 5 tables, 4 algorithms)

This paper contains 24 sections, 5 equations, 9 figures, 5 tables, 4 algorithms.

Figures (9)

  • Figure 1: Illustration of the Data Augmentation Process. The workflow transforms original PHP samples through annotation removal and code obfuscation to enhance model robustness.
  • Figure 2: Overview of the proposed framework.
  • Figure 3: Flowchart of Vulnerability Mining Dataset Collection.
  • Figure 4: Detection performance on PHPVD for different LLM encoder and neural classifier combinations.
  • Figure 5: Accuracy improvements from data preprocessing and risk-aware attention across LLM and classifier combinations.
  • ...and 4 more figures