ECE PhD Prospectus Defense: Saad Ullah

ECE PhD Prospectus Defense: Saad Ullah

Title: LLM-Powered Vulnerability Management: From Evaluation and Detection to Exploiting and Patching

Presenter: Saad Ullah

Advisor: Professor Gianluca Stringhini

Chair: Professor Ayse K. Coskun

Committee: Professor Gianluca Stringhini, Professor Manuel Egele, Professor Ayse K. Coskun

Abstract: With the advent of large language models (LLMs), a transformative shift has occurred in various domains, including software vulnerability management. However, despite their widespread utility, LLMs' effectiveness in detecting and reasoning about security vulnerabilities in source code remains under-explored. My work introduces SecLLMHolmes, an innovative framework that rigorously evaluates LLMs across multiple dimensions of vulnerability detection. Our findings reveal that while LLMs demonstrate potential, they currently exhibit limitations such as high false positive rates (FPR), inconsistent reasonings, and a lack of robustness. To address these challenges, I propose SecLLMWatson, a novel approach leveraging a mixture of experts (MoE) model. This system enhances LLMs' focus on specific vulnerability types without extensive retraining, significantly improving detection accuracy and robustness. Additionally, I outline future directions with SecLLMMoriarty and SecLLMMycroft, aimed at automating the documentation, root cause analysis (RCA), and patch generation for identified vulnerabilities, further bridging the gap between current capabilities and the stringent demands of cybersecurity applications. Through these contributions, I not only assess the current state of LLMs in security contexts but also provide a roadmap for enhancing their utility, ensuring more reliable and effective tools for developers and security professionals.