SecureQwen: Leveraging LLMs for vulnerability detection in python codebases

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS Computers & Security Pub Date : 2024-10-15 DOI:10.1016/j.cose.2024.104151

Abdechakour Mechri , Mohamed Amine Ferrag , Merouane Debbah

{"title":"SecureQwen: Leveraging LLMs for vulnerability detection in python codebases","authors":"Abdechakour Mechri , Mohamed Amine Ferrag , Merouane Debbah","doi":"10.1016/j.cose.2024.104151","DOIUrl":null,"url":null,"abstract":"<div><div>Identifying vulnerabilities in software code is crucial for ensuring the security of modern systems. However, manual detection requires expert knowledge and is time-consuming, underscoring the need for automated techniques. In this paper, we present SecureQwen, a novel vulnerability detection tool leveraging large language models (LLMs) with a context length of 64K tokens to identify potential security threats in large-scale Python codebases. Utilizing a decoder-only transformer architecture, SecureQwen captures complex relationships between code tokens, enabling accurate classification of vulnerable code sequences across 14 common weakness enumerations (CWEs), including OS Command Injection, SQL Injection, Improper Check or Handling of Exceptional Conditions, Path Traversal, Broken or Risky Cryptographic Algorithm, Deserialization of Untrusted Data, and Cleartext Transmission of Sensitive Information. Therefore, we evaluate SecureQwen on a large Python dataset with over 1.875 million function-level code snippets from different sources, including GitHub repositories, Codeparrot’s dataset, and synthetic data generated by GPT4-o. The experimental evaluation demonstrates high accuracy, with F1 scores ranging from 84% to 99%. The results indicate that SecureQwen effectively detects vulnerabilities in human-written and AI-generated code.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"148 ","pages":"Article 104151"},"PeriodicalIF":4.8000,"publicationDate":"2024-10-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404824004565","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Identifying vulnerabilities in software code is crucial for ensuring the security of modern systems. However, manual detection requires expert knowledge and is time-consuming, underscoring the need for automated techniques. In this paper, we present SecureQwen, a novel vulnerability detection tool leveraging large language models (LLMs) with a context length of 64K tokens to identify potential security threats in large-scale Python codebases. Utilizing a decoder-only transformer architecture, SecureQwen captures complex relationships between code tokens, enabling accurate classification of vulnerable code sequences across 14 common weakness enumerations (CWEs), including OS Command Injection, SQL Injection, Improper Check or Handling of Exceptional Conditions, Path Traversal, Broken or Risky Cryptographic Algorithm, Deserialization of Untrusted Data, and Cleartext Transmission of Sensitive Information. Therefore, we evaluate SecureQwen on a large Python dataset with over 1.875 million function-level code snippets from different sources, including GitHub repositories, Codeparrot’s dataset, and synthetic data generated by GPT4-o. The experimental evaluation demonstrates high accuracy, with F1 scores ranging from 84% to 99%. The results indicate that SecureQwen effectively detects vulnerabilities in human-written and AI-generated code.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

SecureQwen：利用 LLMs 检测 python 代码库中的漏洞

识别软件代码中的漏洞对于确保现代系统的安全性至关重要。然而，人工检测需要专家知识，而且耗时较长，这就凸显了对自动化技术的需求。在本文中，我们介绍了 SecureQwen，这是一种新颖的漏洞检测工具，它利用上下文长度为 64K 标记的大型语言模型（LLM）来识别大规模 Python 代码库中的潜在安全威胁。SecureQwen 利用仅解码器的转换器架构，捕捉代码标记之间的复杂关系，从而能够对 14 种常见弱点枚举（CWE）中的脆弱代码序列进行准确分类，包括操作系统命令注入、SQL 注入、异常情况的不当检查或处理、路径遍历、破损或有风险的加密算法、不受信任数据的反序列化以及敏感信息的明文传输。因此，我们在一个大型 Python 数据集上对 SecureQwen 进行了评估，该数据集包含超过 187.5 万个函数级代码片段，这些代码片段来自不同来源，包括 GitHub 代码库、Codeparrot 数据集和由 GPT4-o 生成的合成数据。实验评估结果表明，SecureQwen 的准确率很高，F1 分数从 84% 到 99% 不等。结果表明，SecureQwen 能有效检测人工编写和人工智能生成的代码中的漏洞。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.