Enhancing Software Security with AI: Detecting Vulnerabilities in High-Level Programming Languages
(2024) EITM01 20242, Department of Electrical and Information Technology
- Abstract
- With the rapid growth of software dependencies in critical systems, detecting vulnerabilities early in the development cycle has become a necessity. While extensive research exists on vulnerability detection in low-level languages like C/C++, there is a significant gap in addressing vulnerabilities in higher-level languages, including JavaScript, Python, and PHP. This thesis explores the feasibility of using fine-tuned large language models (LLMs) to detect vulnerabilities in these higher-level languages, leveraging data-driven approaches to bridge the existing research gap.
In this thesis we work with fine-tuning LLMs on a curated dataset derived from CVEFixes, implementing the model in an API format to facilitate integration into CI/CD pipelines. Key performance metrics, including accuracy, precision, and F1 score, reveal that the model achieved varying effectiveness across different languages, with strong results in JavaScript and Java but weaker results in PHP, highlighting the nuanced challenges of vulnerability detection in diverse programming contexts. To demonstrate real-world applicability, the models proposed in this thesis were deployed through a user-friendly web interface, with API accessibility allowing seamless integration for developers.
In our discussion, we address the ethical and security implications of using AI-driven vulnerability detection, including potential misuse by malicious actors and over-reliance on automated findings. The findings suggest that while LLMs are promising for certain languages, further refinement is needed to improve accuracy and reliability across diverse high-level languages. Future work should explore hybrid models that combine traditional and AI-based detection to mitigate current limitations and enhance practical use in software security, as well as CWE-specific training for higher-level languages.
- Popular Abstract
- Can Artificial Intelligence Help Stop Software Security Breaches?
Our reliance on digital devices and online platforms grows every day, and with it, the need for secure software. This thesis explores how AI could automate the detection of software vulnerabilities, with a focus on the languages behind today’s most common apps. Could a specialized AI tool help developers quickly find and fix weak spots in code before hackers can exploit them?
Across industries, from healthcare to finance, software security is crucial. Yet every day, news breaks of hackers who have exploited vulnerabilities in widely used applications. While some vulnerabilities are found by cyber-security experts before they cause damage, many remain undetected and can result in data breaches, system crashes, or worse. Detecting these weaknesses manually, or even with traditional software tools, can be difficult and time-consuming, and may miss new or complex vulnerabilities that AI could easily spot.
This thesis work aims to bridge that gap using artificial intelligence. The approach fine-tuned an advanced AI model, a large language model (LLM), on data specifically related to common software vulnerabilities. By “training” it on a wide range of real-world examples, this LLM can now recognize patterns of code that might indicate a security flaw, particularly in the high-level languages that power popular web and mobile applications.
Why AI in Security? The Potential for Broader, Faster Vulnerability Detection
AI models like LLMs have proven to be effective in understanding and generating human-like text, which makes them well-suited to understanding the structure and flow of programming code. In this thesis, an LLM is specially trained to detect vulnerabilities in languages such as JavaScript, Python, and Java. This is especially relevant because of the research gap in this subject. While traditional tools for vulnerability detection have made a huge impact on writing secure code, there is a lack of easily accessible and automated vulnerability detection systems for developers to take advantage of.
Not only does this AI approach promise to detect vulnerabilities faster, but it can also provide a valuable extra line of defense for developers. Integrating this model into developers' workflows allows it to scan code in real time, quickly flagging potential vulnerabilities, even if they occur in more complex or obscure areas of the code. This could mean that the AI scans code as developers write it, detecting vulnerabilities before deployment.
Please use this url to cite or link to this publication:
http://lup.lub.lu.se/student-papers/record/9178282
- author
- Dahlén, Kevin LU
- supervisor
- organization
- course
- EITM01 20242
- year
- 2024
- type
- H2 - Master's Degree (Two Years)
- subject
- report number
- LU/LTH-EIT 2024-1034
- language
- English
- id
- 9178282
- date added to LUP
- 2024-12-05 12:56:16
- date last changed
- 2024-12-05 12:56:16
@misc{9178282,
  abstract = {{With the rapid growth of software dependencies in critical systems, detecting vulnerabilities early in the development cycle has become a necessity. While extensive research exists on vulnerability detection in low-level languages like C/C++, there is a significant gap in addressing vulnerabilities in higher-level languages, including JavaScript, Python, and PHP. This thesis explores the feasibility of using fine-tuned large language models (LLMs) to detect vulnerabilities in these higher-level languages, leveraging data-driven approaches to bridge the existing research gap. In this thesis we work with fine-tuning LLMs on a curated dataset derived from CVEFixes, implementing the model in an API format to facilitate integration into CI/CD pipelines. Key performance metrics, including accuracy, precision, and F1 score, reveal that the model achieved varying effectiveness across different languages, with strong results in JavaScript and Java but weaker results in PHP, highlighting the nuanced challenges of vulnerability detection in diverse programming contexts. To demonstrate real-world applicability, the models proposed in this thesis were deployed through a user-friendly web interface, with API accessibility allowing seamless integration for developers. In our discussion, we address the ethical and security implications of using AI-driven vulnerability detection, including potential misuse by malicious actors and over-reliance on automated findings. The findings suggest that while LLMs are promising for certain languages, further refinement is needed to improve accuracy and reliability across diverse high-level languages. Future work should explore hybrid models that combine traditional and AI-based detection to mitigate current limitations and enhance practical use in software security, and CWE-specific training for higher-level languages.}},
  author = {{Dahlén, Kevin}},
  language = {{eng}},
  note = {{Student Paper}},
  title = {{Enhancing Software Security with AI: Detecting Vulnerabilities in High-Level Programming Languages}},
  year = {{2024}},
}