Just-in-Time Detection of Silent Security Patches

TL;DR

This paper introduces LLMDA, a novel approach leveraging large language models and advanced representation learning to detect silent security patches in open-source code, improving timely identification and security response.

Contribution

The paper presents a new method combining LLMs, code-text alignment, label-wise training, and contrastive learning for high-precision silent security patch detection.

Findings

LLMDA outperforms state-of-the-art methods by 20% F-Measure on SPI-DB.

It effectively leverages LLMs for code change explanations.

The approach enhances security patch detection accuracy.

Abstract

Open-source code is pervasive. In this setting, embedded vulnerabilities are spreading to downstream software at an alarming rate. While such vulnerabilities are generally identified and addressed rapidly, inconsistent maintenance policies may lead security patches to go unnoticed. Indeed, security patches can be {\em silent}, i.e., they do not always come with comprehensive advisories such as CVEs. This lack of transparency leaves users oblivious to available security updates, providing ample opportunity for attackers to exploit unpatched vulnerabilities. Consequently, identifying silent security patches just in time when they are released is essential for preventing n-day attacks, and for ensuring robust and secure maintenance practices. With LLMDA we propose to (1) leverage large language models (LLMs) to augment patch information with generated code change explanations, (2) design a representation learning approach that explores code-text alignment methodologies for feature combination, (3) implement a label-wise training with labelled instructions for guiding the embedding based on security relevance, and (4) rely on a probabilistic batch contrastive learning mechanism for building a high-precision identifier of security patches. We evaluate LLMDA on the PatchDB and SPI-DB literature datasets and show that our approach substantially improves over the state-of-the-art, notably GraphSPD by 20% in terms of F-Measure on the SPI-DB benchmark.