header banner
Default

The Prompts Used and Their Answers in ChatGPT for Vulnerability Detection


Software vulnerabilities are essentially errors in code that malicious actors can exploit. Advanced language models such as CodeBERT, GraphCodeBERT, and CodeT5 can detect these vulnerabilities, provide detailed analysis assessments, and even recommend patches to address them.

These models have proven to be highly effective in identifying and mitigating software vulnerabilities, making them an essential tool for any organization looking to enhance their security posture.

A tool named AIBugHunter in VSCode uses these models for adequate software security.

While ChatGPT and other large language models excel in code-related tasks, no comprehensive studies have assessed their potential for the entire vulnerability workflow, including- 

  • Detection
  • Type explanation
  • Severity estimation
  • Repair suggestions
Document
FREE Webinar

Why API Security Should be Your Top Priority

API security isn’t just a priority; it’s the lifeline of businesses and organizations. Yet, this interconnectivity brings with it an array of vulnerabilities that are often concealed beneath the surface.

Recently, the following cybersecurity researchers from Monash University, Clayton, Australia, have explored ChatGPT’s use in software vulnerability tasks, including prediction, classification, and smart contract correction:-

  • Michael Fu
  • Chakkrit (Kla) Tantithamthavorn
  • Van Nguyen
  • Trung Le

Some previous studies examined large language models in automated program repair but not the latest ChatGPT versions.

Cybersecurity researchers analyzed the ability of ChatGPT for the following four vulnerability prediction tasks:-

  • Function and line-level software vulnerability prediction (SVP)
  • Software vulnerability classification (SVC)
  • Severity estimation
  • Automated vulnerability repair (APR)

ChatGPT’s 1.7 trillion parameters vastly exceed those of source code-oriented models like CodeBERT, making prompt-based usage essential. Fine-tuning for vulnerability tasks isn’t possible due to ChatGPT’s proprietary parameters.

An example prompt for function and line-level vulnerability prediction
An example prompt for function and line-level vulnerability prediction (Source – Arxiv)

Security analysts evaluate ChatGPT (get-3.5-turbo and gpt-4) against code-specific models. 

They compared it with AIBugHunter, CodeBERT, GraphCodeBERT, and VulExplainer on four vulnerability tasks using Big-Vul and CVEFixes datasets, addressing four research questions.

Here, we have mentioned all four research questions below, along with their respective results:-

(RQ1) How accurate is ChatGPT for function and line-level vulnerability predictions?

  • Results: ChatGPT achieves F1-measure of 10% and 29% and top-10 accuracy of 25% and 65%, which are the lowest compared with other baseline methods.

(RQ2) How accurate is ChatGPT for vulnerability type classification?

  • Results: ChatGPT achieves the lowest multiclass accuracy of 13% and 20%, 45%-52% lower than the best baseline.

(RQ3) How accurate is ChatGPT for vulnerability severity estimation?

  • Results: ChatGPT gave the most inaccurate severity estimation with the highest mean squared error (MSE) of 5.4 and 5.85, while other baseline methods achieved MSE of 1.8 to 1.86.

(RQ4) How accurate is ChatGPT for automated vulnerability repair?

  • Results: ChatGPT failed to generate correct repair patches, while other baselines correctly repaired 7%-30% of vulnerable functions.
Prompt for CWE-ID classification
Prompt for CWE-ID classification (Source – Arxiv)

ChatGPT didn’t produce correct repair patches, whereas fine-tuned baselines repaired 7%-30%. BLEU and METEOR scores confirm baseline patches are closer to true ones. 

This highlights the challenge of vulnerability repair, suggesting ChatGPT requires domain-specific fine-tuning.

Other ChatGPT Developments:

  • ChatGPT-Powered Malware Analysis
  • HuntGPT: AI-Based Intrusion Detection Tool
  • ChatGPT for Software Security: How it Assists Attackers & Security Analysts
  • HackerGPT: A ChatGPT Empowered Penetration Testing Tool
  • ChatGPT for Digital Forensic – AI-Powered Cybercrime Investigation
  • PentestGPT – A ChatGPT Empowered Automated Penetration Testing Tool
  • BurpGPT – ChatGPT Powered Automated Vulnerability Detection Tool

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.

Sources


Article information

Author: Stephanie Baldwin

Last Updated: 1702165441

Views: 1016

Rating: 4.9 / 5 (66 voted)

Reviews: 83% of readers found this page helpful

Author information

Name: Stephanie Baldwin

Birthday: 1921-10-09

Address: 2863 Wood Fork, East Amy, MO 32978

Phone: +3742989969773198

Job: Computer Programmer

Hobby: Snowboarding, Arduino, Painting, Fishing, Woodworking, Astronomy, Swimming

Introduction: My name is Stephanie Baldwin, I am a resolute, dear, Determined, ingenious, vivid, unguarded, dedicated person who loves writing and wants to share my knowledge and understanding with you.