Large Language Models (LLMs) have demonstrated significant potential in automated software security, particularly in vulnerability detection. However, existing benchmarks primarily focus on isolated, single-vulnerability samples or function-level classification, failing to reflect the complexity of real-world software where multiple interacting vulnerabilities often coexist within large files. Recent studies indicate that LLMs suffer from "count bias" and "selection bias" in multi-label tasks, yet this has not been rigorously quantified in the domain of code security. In this work, we introduce a comprehensive benchmark for Multi-Vulnerability Detection across four major languages: C, C++, Python, and JavaScript. We construct a dataset of 40,000 files by systematically injecting controlled counts of vulnerabilities (1, 3, 5, and 9) into long-context code samples (7.5k-10k tokens) sourced from CodeParrot. We evaluate five state-of-the-art LLMs, including GPT-4o-mini, Llama-3.3-70B, and the Qwen-2.5 series. Our results reveal a sharp degradation in performance as vulnerability density increases. While Llama-3.3-70B achieves near-perfect F1 scores (approximately 0.97) on single-vulnerability C tasks, performance drops by up to 40% in high-density settings. Notably, Python and JavaScript show distinct failure modes compared to C/C++, with models exhibiting severe "under-counting" (Recall dropping to less than 0.30) in complex Python files.
翻译:大语言模型在自动化软件安全领域,尤其是在漏洞检测方面,已展现出巨大潜力。然而,现有基准测试主要关注孤立的单漏洞样本或函数级分类,未能反映现实世界软件的复杂性——在大型文件中,多个相互关联的漏洞常常共存。近期研究表明,大语言模型在多标签任务中存在"计数偏差"和"选择偏差",但这一现象尚未在代码安全领域得到严格量化。本研究针对C、C++、Python和JavaScript四种主流语言,引入了一个全面的多漏洞检测基准。我们从CodeParrot获取长上下文代码样本(7.5k-10k词元),通过系统性地注入受控数量的漏洞(1、3、5和9个),构建了一个包含40,000个文件的数据集。我们评估了包括GPT-4o-mini、Llama-3.3-70B以及Qwen-2.5系列在内的五种先进大语言模型。结果表明,随着漏洞密度的增加,模型性能急剧下降。尽管Llama-3.3-70B在C语言的单漏洞任务上取得了接近完美的F1分数(约0.97),但在高密度场景下性能下降高达40%。值得注意的是,与C/C++相比,Python和JavaScript表现出截然不同的失效模式:在复杂的Python文件中,模型表现出严重的"计数不足"现象(召回率降至0.30以下)。
相关内容
微信扫码咨询专知VIP会员