Llama-based source code vulnerability detection: Prompt engineering vs Fine tuning

TL;DR

This paper evaluates Llama-3.1 8B for source code vulnerability detection, comparing prompt engineering and fine-tuning techniques, introducing Double Fine-tuning, and highlighting the importance of fine-tuning for improved performance.

Contribution

It introduces a novel Double Fine-tuning approach and assesses various fine-tuning and prompt strategies for LLM-based vulnerability detection.

Findings

Fine-tuning significantly improves detection performance.

Double Fine-tuning outperforms other methods.

Prompt engineering alone is ineffective for this task.

Abstract

The significant increase in software production, driven by the acceleration of development cycles over the past two decades, has led to a steady rise in software vulnerabilities, as shown by statistics published yearly by the CVE program. The automation of the source code vulnerability detection (CVD) process has thus become essential, and several methods have been proposed ranging from the well established program analysis techniques to the more recent AI-based methods. Our research investigates Large Language Models (LLMs), which are considered among the most performant AI models to date, for the CVD task. The objective is to study their performance and apply different state-of-the-art techniques to enhance their effectiveness for this task. We explore various fine-tuning and prompt engineering settings. We particularly suggest one novel approach for fine-tuning LLMs which we call Double Fine-tuning, and also test the understudied Test-Time fine-tuning approach. We leverage the recent open-source Llama-3.1 8B, with source code samples extracted from BigVul and PrimeVul datasets. Our conclusions highlight the importance of fine-tuning to resolve the task, the performance of Double tuning, as well as the potential of Llama models for CVD. Though prompting proved ineffective, Retrieval augmented generation (RAG) performed relatively well as an example selection technique. Overall, some of our research questions have been answered, and many are still on hold, which leaves us many future work perspectives. Code repository is available here: https://github.com/DynaSoumhaneOuchebara/Llama-based-vulnerability-detection.