Saved in:
Bibliographic Details
Main Authors: Katz, Kyler, Moshtari, Sara, Mujhid, Ibrahim, Mirakhorli, Mehdi, Garcia, Derek
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2508.19472
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866916920695980032
author Katz, Kyler
Moshtari, Sara
Mujhid, Ibrahim
Mirakhorli, Mehdi
Garcia, Derek
author_facet Katz, Kyler
Moshtari, Sara
Mujhid, Ibrahim
Mirakhorli, Mehdi
Garcia, Derek
contents Sensitive Information Exposure (SIEx) vulnerabilities (CWE-200) remain a persistent and under-addressed threat across software systems, often leading to serious security breaches. Existing detection tools rarely target the diverse subcategories of CWE-200 or provide context-aware analysis of code-level data flows. Aims: This paper aims to present SIExVulTS, a novel vulnerability detection system that integrates transformer-based models with static analysis to identify and verify sensitive information exposure in Java applications. Method: SIExVulTS employs a three-stage architecture: (1) an Attack Surface Detection Engine that uses sentence embeddings to identify sensitive variables, strings, comments, and sinks; (2) an Exposure Analysis Engine that instantiates CodeQL queries aligned with the CWE-200 hierarchy; and (3) a Flow Verification Engine that leverages GraphCodeBERT to semantically validate source-to-sink flows. We evaluate SIExVulTS using three curated datasets, including real-world CVEs, a benchmark set of synthetic CWE-200 examples, and labeled flows from 31 open-source projects. Results: The Attack Surface Detection Engine achieved an average F1 score greater than 93\%, the Exposure Analysis Engine achieved an F1 score of 85.71\%, and the Flow Verification Engine increased precision from 22.61\% to 87.23\%. Moreover, SIExVulTS successfully uncovered six previously unknown CVEs in major Apache projects. Conclusions: The results demonstrate that SIExVulTS is effective and practical for improving software security against sensitive data exposure, addressing limitations of existing tools in detecting and verifying CWE-200 vulnerabilities.
format Preprint
id arxiv_https___arxiv_org_abs_2508_19472
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle SIExVulTS: Sensitive Information Exposure Vulnerability Detection System using Transformer Models and Static Analysis
Katz, Kyler
Moshtari, Sara
Mujhid, Ibrahim
Mirakhorli, Mehdi
Garcia, Derek
Cryptography and Security
Artificial Intelligence
Sensitive Information Exposure (SIEx) vulnerabilities (CWE-200) remain a persistent and under-addressed threat across software systems, often leading to serious security breaches. Existing detection tools rarely target the diverse subcategories of CWE-200 or provide context-aware analysis of code-level data flows. Aims: This paper aims to present SIExVulTS, a novel vulnerability detection system that integrates transformer-based models with static analysis to identify and verify sensitive information exposure in Java applications. Method: SIExVulTS employs a three-stage architecture: (1) an Attack Surface Detection Engine that uses sentence embeddings to identify sensitive variables, strings, comments, and sinks; (2) an Exposure Analysis Engine that instantiates CodeQL queries aligned with the CWE-200 hierarchy; and (3) a Flow Verification Engine that leverages GraphCodeBERT to semantically validate source-to-sink flows. We evaluate SIExVulTS using three curated datasets, including real-world CVEs, a benchmark set of synthetic CWE-200 examples, and labeled flows from 31 open-source projects. Results: The Attack Surface Detection Engine achieved an average F1 score greater than 93\%, the Exposure Analysis Engine achieved an F1 score of 85.71\%, and the Flow Verification Engine increased precision from 22.61\% to 87.23\%. Moreover, SIExVulTS successfully uncovered six previously unknown CVEs in major Apache projects. Conclusions: The results demonstrate that SIExVulTS is effective and practical for improving software security against sensitive data exposure, addressing limitations of existing tools in detecting and verifying CWE-200 vulnerabilities.
title SIExVulTS: Sensitive Information Exposure Vulnerability Detection System using Transformer Models and Static Analysis
topic Cryptography and Security
Artificial Intelligence
url https://arxiv.org/abs/2508.19472