towards-efficient-complementary-security-analysis-using-large-language-models
Experimental results and Jupyter notebooks showcasing LLM-based security analyses on the OWASP Benchmark (train/test splits) and a real-world dataset.
Science Score: 26.0%
This score indicates how likely this project is to be science-related based on various indicators:
-
○CITATION.cff file
-
✓codemeta.json file
Found codemeta.json file -
✓.zenodo.json file
Found .zenodo.json file -
○DOI references
-
○Academic publication links
-
○Academic email domains
-
○Institutional organization owner
-
○JOSS paper metadata
-
○Scientific vocabulary similarity
Low similarity (8.4%) to scientific vocabulary
Repository
Experimental results and Jupyter notebooks showcasing LLM-based security analyses on the OWASP Benchmark (train/test splits) and a real-world dataset.
Basic Info
Statistics
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
- Releases: 4
Metadata Files
README.md
Repository Overview
This repository contains the complete experimental results and supporting materials for our research.
Repository Structure
OWASP Benchmark Data & Experiment Results in JSON Format
All experiment results and JSON outputs are located in the /data directory, which is structured as follows:- OWASP Benchmark
The primary dataset for our research was extracted from the OWASP Benchmark and is stored in spotbugs_dataset.pkl.
The OWASP Benchmark consists of over 2,740 test cases across 11 different vulnerability areas, which can be directly analyzed by SAST tools.
We used SpotBugs with the FindSecBugs plugin to analyze these test cases. Based on its results, we created two distinct datasets: - A train split containing approximately 80% of all security findings, used in our preliminary study and for generating few-shot examples.
- A test split containing approximately 20% of the security findings, later used to validate the findings of our preliminary study and to compare various LLMs to assess whether comparative security analysis is feasible using LLMs.
- For further information about the used datasets see: datasets.md.
- Preliminary Studies
Our preliminary study consists of two experiments:
- OWASP Benchmark
1. **[Contextual Information Analysis](data/preliminary_study/contextual_information_experiment/README.md)**
This experiment examines how different combinations of contextual information (from SpotBugs reports and the CWE database) impact LLM-based security assessments. We further introduce our used prompt template here. This experiment was conducted on the **train set**.
More details: [Comparing Contextual Information](data/preliminary_study/contextual_information_experiment/README.md).
2. **[Prompting Techniques Comparison](data/preliminary_study/prompting_techniques_experiment/README.md)**
This study compares Few-Shot, Chain-of-Thought (CoT), and Self-Consistency (SC) prompting techniques using **GPT-3.5 Turbo**. This experiment was conducted on the **train set**.
More details: [Comparing Prompting Techniques](data/preliminary_study/prompting_techniques_experiment/README.md).
Main Research Findings
The main results of our research, including an evaluation of various LLM families (Qwen, GPT, Phi, and Llama) on both:- The test split (403 security findings) of the OWASP Benchmark security findings.
- A real-world dataset (114 security findings) extracted from the Mnestix project.
For more information on the used datasets see: datasets.md.
More details: Towards Efficient Complementary Security Analysis. - Few-Shot Examples & Prompt Templates
The few-shot examples and prompt templates used for default and Chain-of-Thought prompting are provided in the /src directory:
Owner
- Login: zumpious
- Kind: user
- Location: Leipizg
- Repositories: 1
- Profile: https://github.com/zumpious
My name is Jonas and I do things
GitHub Events
Total
- Release event: 4
- Public event: 1
- Push event: 5
- Create event: 4
Last Year
- Release event: 4
- Public event: 1
- Push event: 5
- Create event: 4