vEcho: A Paradigm Shift from Vulnerability Verification to Proactive Discovery with Large Language Models

TL;DR

vEcho introduces a proactive vulnerability discovery framework using large language models with memory and reasoning capabilities, significantly improving detection rates and reducing false positives in static security testing.

Contribution

It transforms LLMs from passive classifiers into active security experts with learning, memory, and reasoning, enabling proactive discovery of unknown vulnerabilities.

Findings

Achieves 65% detection rate, 41.8% better than IRIS.

Reduces false positive rate to 59.78%, 28.3% lower than IRIS.

Discovered 51 novel 0-day vulnerabilities in open-source projects.

Abstract

Static Application Security Testing (SAST) tools often suffer from high false positive rates, leading to alert fatigue that consumes valuable auditing resources. Recent efforts leveraging Large Language Models (LLMs) as filters offer limited improvements; however, these methods treat LLMs as passive, stateless classifiers, which lack project-wide context and the ability to learn from analyses to discover unknown, similar vulnerabilities. In this paper, we propose vEcho, a novel framework that transforms the LLM from a passive filter into a virtual security expert capable of learning, memory, and reasoning. vEcho equips its core reasoning engine with a robust developer tool suite for deep, context-aware verification. More importantly, we introduce a novel Echoic Vulnerability Propagation (EVP) mechanism. Driven by a Cognitive Memory Module that simulates human learning, EVP enables vEcho to learn from verified vulnerabilities and proactively infer unknown, analogous flaws, achieving a paradigm shift from passive verification to active discovery. Extensive experiments on the CWE-Bench-Java dataset demonstrate vEcho's dual advantages over the state-of-the-art baseline, IRIS. Specifically, vEcho achieves a 65% detection rate, marking a 41.8% relative improvement over IRIS's 45.83%. Crucially, it simultaneously addresses alert fatigue by reducing the false positive rate to 59.78%, a 28.3% relative reduction from IRIS's 84.82%. Furthermore, vEcho proactively identified 37 additional known vulnerabilities beyond the 120 documented in the dataset, and has discovered 51 novel 0-day vulnerabilities in open-source projects.