Think Broad, Act Narrow: CWE Identification with Multi-Agent Large Language Models

TL;DR

This paper introduces a multi-agent large language model approach for more accurate vulnerability and CWE identification in functions, addressing limitations of existing methods by incorporating contextual analysis and multi-step decision making.

Contribution

It presents a novel multi-agent LLM framework that improves CWE detection accuracy by combining exhaustive search, external context analysis, and informed decision making.

Findings

40.9% accuracy in CWE identification on PrimeVul dataset

Significant reduction in false positives from 6-9 to 1-2 CWEs

Correctly identified true CWE in 9 out of 10 synthetic cases

Abstract

Machine learning and Large language models (LLMs) for vulnerability detection has received significant attention in recent years. Unfortunately, state-of-the-art techniques show that LLMs are unsuccessful in even distinguishing the vulnerable function from its benign counterpart, due to three main problems: Vulnerability detection requires deep analysis, which LLMs often struggle with when making a one-shot prediction. Existing techniques typically perform function-level analysis, whereas effective vulnerability detection requires contextual information beyond the function scope. The focus on binary classification can result in identifying a vulnerability but associating it with the wrong security weaknesses (CWE), which may mislead developers. We propose a novel multi-agent LLM approach to address the challenges of identifying CWEs. This approach consists of three steps: (1) a team of LLM agents performs an exhaustive search for potential CWEs in the function under review, (2) another team of agents identifies relevant external context to support or refute each candidate CWE, and (3) a final agent makes informed acceptance or rejection decisions for each CWE based on the gathered context. A preliminary evaluation of our approach shows promising results. In the PrimeVul dataset, Step 1 correctly identifies the appropriate CWE in 40.9\% of the studied vulnerable functions. We further evaluated the full pipeline on ten synthetic programs and found that incorporating context information significantly reduced false positives from 6 to 9 CWEs to just 1 to 2, while still correctly identifying the true CWE in 9 out of 10 cases.