ChatGPT for vulnerability detection, classification, and repair: How far are we?

Michael Fu; Chakkrit Kla Tantithamthavorn; Van Nguyen; Trung Le

doi:10.1109/APSEC60848.2023.00085

ChatGPT for vulnerability detection, classification, and repair: How far are we?

Michael Fu, Chakkrit Kla Tantithamthavorn, Van Nguyen, Trung Le

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

50 Citations (Scopus)

Abstract

Large language models (LLMs) like ChatGPT (i.e., gpt-3.5-turbo and gpt-4) exhibited remarkable advancement in a range of software engineering tasks associated with source code such as code review and code generation. In this paper, we undertake a comprehensive study by instructing ChatGPT for four prevalent vulnerability tasks: function and line-level vulnerability prediction, vulnerability classification, severity estimation, and vulnerability repair. We compare ChatGPT with state-of-the-art language models designed for software vulnerability purposes. Through an empirical assessment employing extensive real-world datasets featuring over 190,000 C/C++ functions, we found that ChatGPT achieves limited performance, trailing behind other language models in vulnerability contexts by a significant margin. The experimental outcomes highlight the challenging nature of vulnerability prediction tasks, requiring domain-specific expertise. Despite ChatGPT's substantial model scale, exceeding that of source code-pre-trained language models (e.g., CodeBERT) by a factor of 14,000, the process of fine-tuning remains imperative for ChatGPT to generalize for vulnerability prediction tasks. We publish the studied dataset, experimental prompts for ChatGPT, and experimental results at https://github.com/awsm-research/ChatGPT4Vul.

Original language	English
Title of host publication	Proceedings - 2023 30th Asia-Pacific Software Engineering Conference, APSEC 2023
Editors	Eunkyoung Jee, Soojin Park
Place of Publication	Piscataway NJ USA
Publisher	IEEE, Institute of Electrical and Electronics Engineers
Pages	632-636
Number of pages	5
ISBN (Electronic)	9798350344172
ISBN (Print)	9798350344189
DOIs	https://doi.org/10.1109/APSEC60848.2023.00085
Publication status	Published - 2023
Event	Asia-Pacific Software Engineering Conference 2023 - Seoul, Korea, South Duration: 4 Dec 2023 → 7 Dec 2023 Conference number: 30th https://ieeexplore.ieee.org/xpl/conhome/10479191/proceeding (Proceedings) https://conf.researchr.org/home/apsec-2023 (Website)

Conference

Conference	Asia-Pacific Software Engineering Conference 2023
Abbreviated title	APSEC 2023
Country/Territory	Korea, South
City	Seoul
Period	4/12/23 → 7/12/23
Internet address	https://ieeexplore.ieee.org/xpl/conhome/10479191/proceeding (Proceedings) https://conf.researchr.org/home/apsec-2023 (Website)

Keywords

ChatGPT
Cybersecurity
Large Language Models
Software Security
Software Vulnerability

Access to Document

10.1109/APSEC60848.2023.00085

Cite this

Fu, M., Tantithamthavorn, C. K., Nguyen, V., & Le, T. (2023). ChatGPT for vulnerability detection, classification, and repair: How far are we? In E. Jee, & S. Park (Eds.), Proceedings - 2023 30th Asia-Pacific Software Engineering Conference, APSEC 2023 (pp. 632-636). IEEE, Institute of Electrical and Electronics Engineers. https://doi.org/10.1109/APSEC60848.2023.00085

@inproceedings{58d3bc8558434fbfb3ee775cd9055efb,

title = "ChatGPT for vulnerability detection, classification, and repair: How far are we?",

abstract = "Large language models (LLMs) like ChatGPT (i.e., gpt-3.5-turbo and gpt-4) exhibited remarkable advancement in a range of software engineering tasks associated with source code such as code review and code generation. In this paper, we undertake a comprehensive study by instructing ChatGPT for four prevalent vulnerability tasks: function and line-level vulnerability prediction, vulnerability classification, severity estimation, and vulnerability repair. We compare ChatGPT with state-of-the-art language models designed for software vulnerability purposes. Through an empirical assessment employing extensive real-world datasets featuring over 190,000 C/C++ functions, we found that ChatGPT achieves limited performance, trailing behind other language models in vulnerability contexts by a significant margin. The experimental outcomes highlight the challenging nature of vulnerability prediction tasks, requiring domain-specific expertise. Despite ChatGPT's substantial model scale, exceeding that of source code-pre-trained language models (e.g., CodeBERT) by a factor of 14,000, the process of fine-tuning remains imperative for ChatGPT to generalize for vulnerability prediction tasks. We publish the studied dataset, experimental prompts for ChatGPT, and experimental results at https://github.com/awsm-research/ChatGPT4Vul.",

keywords = "ChatGPT, Cybersecurity, Large Language Models, Software Security, Software Vulnerability",

author = "Michael Fu and Tantithamthavorn, \{Chakkrit Kla\} and Van Nguyen and Trung Le",

note = "Publisher Copyright: {\textcopyright} 2023 IEEE.; Asia-Pacific Software Engineering Conference 2023, APSEC 2023 ; Conference date: 04-12-2023 Through 07-12-2023",

year = "2023",

doi = "10.1109/APSEC60848.2023.00085",

language = "English",

isbn = "9798350344189",

pages = "632--636",

editor = "Eunkyoung Jee and Soojin Park",

booktitle = "Proceedings - 2023 30th Asia-Pacific Software Engineering Conference, APSEC 2023",

publisher = "IEEE, Institute of Electrical and Electronics Engineers",

address = "United States of America",

url = "https://ieeexplore.ieee.org/xpl/conhome/10479191/proceeding, https://conf.researchr.org/home/apsec-2023",

}

Fu, M, Tantithamthavorn, CK , Nguyen, V & Le, T 2023, ChatGPT for vulnerability detection, classification, and repair: How far are we? in E Jee & S Park (eds), Proceedings - 2023 30th Asia-Pacific Software Engineering Conference, APSEC 2023. IEEE, Institute of Electrical and Electronics Engineers, Piscataway NJ USA, pp. 632-636, Asia-Pacific Software Engineering Conference 2023, Seoul, Korea, South, 4/12/23. https://doi.org/10.1109/APSEC60848.2023.00085

ChatGPT for vulnerability detection, classification, and repair: How far are we? / Fu, Michael; Tantithamthavorn, Chakkrit Kla ; Nguyen, Van et al.
Proceedings - 2023 30th Asia-Pacific Software Engineering Conference, APSEC 2023. ed. / Eunkyoung Jee; Soojin Park. Piscataway NJ USA: IEEE, Institute of Electrical and Electronics Engineers, 2023. p. 632-636.

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

TY - GEN

T1 - ChatGPT for vulnerability detection, classification, and repair

T2 - Asia-Pacific Software Engineering Conference 2023

AU - Fu, Michael

AU - Tantithamthavorn, Chakkrit Kla

AU - Nguyen, Van

AU - Le, Trung

N1 - Conference code: 30th

PY - 2023

Y1 - 2023

N2 - Large language models (LLMs) like ChatGPT (i.e., gpt-3.5-turbo and gpt-4) exhibited remarkable advancement in a range of software engineering tasks associated with source code such as code review and code generation. In this paper, we undertake a comprehensive study by instructing ChatGPT for four prevalent vulnerability tasks: function and line-level vulnerability prediction, vulnerability classification, severity estimation, and vulnerability repair. We compare ChatGPT with state-of-the-art language models designed for software vulnerability purposes. Through an empirical assessment employing extensive real-world datasets featuring over 190,000 C/C++ functions, we found that ChatGPT achieves limited performance, trailing behind other language models in vulnerability contexts by a significant margin. The experimental outcomes highlight the challenging nature of vulnerability prediction tasks, requiring domain-specific expertise. Despite ChatGPT's substantial model scale, exceeding that of source code-pre-trained language models (e.g., CodeBERT) by a factor of 14,000, the process of fine-tuning remains imperative for ChatGPT to generalize for vulnerability prediction tasks. We publish the studied dataset, experimental prompts for ChatGPT, and experimental results at https://github.com/awsm-research/ChatGPT4Vul.

AB - Large language models (LLMs) like ChatGPT (i.e., gpt-3.5-turbo and gpt-4) exhibited remarkable advancement in a range of software engineering tasks associated with source code such as code review and code generation. In this paper, we undertake a comprehensive study by instructing ChatGPT for four prevalent vulnerability tasks: function and line-level vulnerability prediction, vulnerability classification, severity estimation, and vulnerability repair. We compare ChatGPT with state-of-the-art language models designed for software vulnerability purposes. Through an empirical assessment employing extensive real-world datasets featuring over 190,000 C/C++ functions, we found that ChatGPT achieves limited performance, trailing behind other language models in vulnerability contexts by a significant margin. The experimental outcomes highlight the challenging nature of vulnerability prediction tasks, requiring domain-specific expertise. Despite ChatGPT's substantial model scale, exceeding that of source code-pre-trained language models (e.g., CodeBERT) by a factor of 14,000, the process of fine-tuning remains imperative for ChatGPT to generalize for vulnerability prediction tasks. We publish the studied dataset, experimental prompts for ChatGPT, and experimental results at https://github.com/awsm-research/ChatGPT4Vul.

KW - ChatGPT

KW - Cybersecurity

KW - Large Language Models

KW - Software Security

KW - Software Vulnerability

UR - http://www.scopus.com/inward/record.url?scp=85184866969&partnerID=8YFLogxK

U2 - 10.1109/APSEC60848.2023.00085

DO - 10.1109/APSEC60848.2023.00085

M3 - Conference Paper

AN - SCOPUS:85184866969

SN - 9798350344189

SP - 632

EP - 636

BT - Proceedings - 2023 30th Asia-Pacific Software Engineering Conference, APSEC 2023

A2 - Jee, Eunkyoung

A2 - Park, Soojin

PB - IEEE, Institute of Electrical and Electronics Engineers

CY - Piscataway NJ USA

Y2 - 4 December 2023 through 7 December 2023

ER -

ChatGPT for vulnerability detection, classification, and repair: How far are we?

Abstract

Conference

Keywords

Access to Document

Other files and links

Cite this