VulKiller: Java Web Vulnerability Detection with Code Property Graph and Large Language Models


Research field: Strategies



Conference: ICASSP 2025 - 2025 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP)


Abstract

In recent years, web application development has become more efficient, yet vulnerabilities still pose significant risks. Traditional static and dynamic detection techniques are prone to false positives and negatives, making it challenging for small and medium-sized developers with limited security knowledge to accurately assess the results. To address these challenges, we introduced VulKiller, an automated vulnerability detection tool powered by large language models (LLM). VulKiller leverages static analysis to convert application code into Code Property Graphs (CPG) and utilizes Neo4j to identify high-risk method call chains. By designing structured interactions with ChatGPT, these call chains and corresponding code are transformed into Proofs of Concept (PoCs), which are then parsed into attack payloads and evaluated by a vulnerability monitor for effectiveness. In comparison with traditional tools, VulKiller excels in reducing false positives and negatives. Additionally, in zero-day vulnerability detection experiments, VulKiller identified 12 zero-day vulnerabilities. Our results offer significant encouragement for using LLM to enhance vulnerability detection.


Authors:
Xingchen Chen, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China
Baizhu Wang, MYbank, AntGroup, Hangzhou, China
Mengjun Zhang, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China

📄 Paper information

Publication year 2025
Citations 398
Country of publication China
Site IEEE
