VulStamp: Vulnerability Assessment using Large Language Model
Hao Shen, Ming Hu, Xiaofei Xie, Jiaye Li, Mingsong Chen

TL;DR
VulStamp leverages static analysis and large language models to perform description-free vulnerability assessment, improving efficiency by focusing on code intention and addressing data imbalance with reinforcement learning.
Contribution
The paper introduces VulStamp, a novel intention-guided framework that uses LLMs and RL-based prompt tuning for more effective vulnerability severity assessment without relying on manual descriptions.
Findings
Effective extraction of code intention using static analysis and LLMs
Improved vulnerability assessment accuracy with prompt-tuned models
Mitigation of data imbalance through RL-based prompt tuning
Abstract
Although modern vulnerability detection tools enable developers to efficiently identify numerous security flaws, indiscriminate remediation efforts often lead to superfluous development expenses. This is particularly true given that a substantial portion of detected vulnerabilities either possess low exploitability or would incur negligible impact in practical operational environments. Consequently, vulnerability severity assessment has emerged as a critical component in optimizing software development efficiency. Existing vulnerability assessment methods typically rely on manually crafted descriptions associated with source code artifacts. However, due to variability in description quality and subjectivity in intention interpretation, the performance of these methods is seriously limited. To address this issue, this paper introduces VulStamp, a novel intention-guided framework, to…
Taxonomy
Topics: Web Application Security Vulnerabilities · Information and Cyber Security · Network Security and Intrusion Detection
