VulStamp: Vulnerability Assessment using Large Language Model

📅 2025-06-13
📈 Citations: 0
Influential: 0
🤖 AI Summary
Existing vulnerability severity assessment relies on low-quality, manually written descriptions, resulting in high subjectivity and poor generalizability. To address this, we propose the first description-agnostic, intent-driven assessment framework: it jointly models vulnerability code intent via static analysis and large language models (LLMs), eliminating dependence on human-authored descriptions; and introduces a reinforcement learning–based prompt tuning method to mitigate data imbalance caused by the long-tail distribution of vulnerability types. Evaluated on multiple benchmark datasets, our approach significantly outperforms state-of-the-art methods—achieving a 12.7% improvement in overall accuracy and a 23.4% gain in F1-score for infrequent vulnerabilities. The core contribution lies in shifting vulnerability assessment from shallow “text matching” to deep “intent understanding,” enabling more robust and scalable automated severity classification.

📝 Abstract
Although modern vulnerability detection tools enable developers to efficiently identify numerous security flaws, indiscriminate remediation efforts often lead to superfluous development expenses. This is particularly true given that a substantial portion of detected vulnerabilities either possess low exploitability or would incur negligible impact in practical operational environments. Consequently, vulnerability severity assessment has emerged as a critical component in optimizing software development efficiency. Existing vulnerability assessment methods typically rely on manually crafted descriptions associated with source code artifacts. However, due to variability in description quality and subjectivity in intention interpretation, the performance of these methods is seriously limited. To address this issue, this paper introduces VulStamp, a novel intention-guided framework, to facilitate description-free vulnerability assessment. Specifically, VulStamp adopts static analysis together with a Large Language Model (LLM) to extract the intention information of vulnerable code. Based on the intention information, VulStamp uses a prompt-tuned model for vulnerability assessment. Furthermore, to mitigate the problem of imbalanced data associated with vulnerability types, VulStamp integrates a Reinforcement Learning (RL)-based prompt-tuning method to train the assessment model.
Problem

Research questions and friction points this paper is trying to address.

Optimizing vulnerability severity assessment to reduce unnecessary remediation costs
Overcoming limitations of manual description-based vulnerability assessment methods
Addressing data imbalance in vulnerability types using reinforcement learning
Innovation

Methods, ideas, or system contributions that make the work stand out.

Uses LLM to extract vulnerable code intentions
Employs prompt-tuned model for assessment
Integrates RL-based tuning for data imbalance
Haoshen
MoE Engineering Research Center of SW/HW Co-Design Technology and Application, East China Normal University, China
Ming Hu
School of Computing and Information Systems, Singapore Management University, Singapore
Xiaofei Xie
Singapore Management University
Software Engineering, Loop Analysis, Testing, Deep Learning
Jiaye Li
MoE Engineering Research Center of SW/HW Co-Design Technology and Application, East China Normal University, China
Mingsong Chen
Software Engineering Institute, East China Normal University
Embedded Systems, Trustworthy AI, Testing, Formal Verification