Saved in:
Bibliographic Details
Main Authors: Park, Sangryu, Ko, Gihyuk, Cho, Homook
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2512.20062
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866914216872509440
author Park, Sangryu
Ko, Gihyuk
Cho, Homook
author_facet Park, Sangryu
Ko, Gihyuk
Cho, Homook
contents Large Language Models (LLMs) show significant promise in automating software vulnerability analysis, a critical task given the impact of security failure of modern software systems. However, current approaches in using LLMs to automate vulnerability analysis mostly rely on using online API-based LLM services, requiring the user to disclose the source code in development. Moreover, they predominantly frame the task as a binary classification(vulnerable or not vulnerable), limiting potential practical utility. This paper addresses these limitations by reformulating the problem as Software Vulnerability Identification (SVI), where LLMs are asked to output the type of weakness in Common Weakness Enumeration (CWE) IDs rather than simply indicating the presence or absence of a vulnerability. We also tackle the reliance on large, API-based LLMs by demonstrating that instruction-tuning smaller, locally deployable LLMs can achieve superior identification performance. In our analysis, instruct-tuning a local LLM showed better overall performance and cost trade-off than online API-based LLMs. Our findings indicate that instruct-tuned local models represent a more effective, secure, and practical approach for leveraging LLMs in real-world vulnerability management workflows.
format Preprint
id arxiv_https___arxiv_org_abs_2512_20062
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle On the Effectiveness of Instruction-Tuning Local LLMs for Identifying Software Vulnerabilities
Park, Sangryu
Ko, Gihyuk
Cho, Homook
Cryptography and Security
Artificial Intelligence
Large Language Models (LLMs) show significant promise in automating software vulnerability analysis, a critical task given the impact of security failure of modern software systems. However, current approaches in using LLMs to automate vulnerability analysis mostly rely on using online API-based LLM services, requiring the user to disclose the source code in development. Moreover, they predominantly frame the task as a binary classification(vulnerable or not vulnerable), limiting potential practical utility. This paper addresses these limitations by reformulating the problem as Software Vulnerability Identification (SVI), where LLMs are asked to output the type of weakness in Common Weakness Enumeration (CWE) IDs rather than simply indicating the presence or absence of a vulnerability. We also tackle the reliance on large, API-based LLMs by demonstrating that instruction-tuning smaller, locally deployable LLMs can achieve superior identification performance. In our analysis, instruct-tuning a local LLM showed better overall performance and cost trade-off than online API-based LLMs. Our findings indicate that instruct-tuned local models represent a more effective, secure, and practical approach for leveraging LLMs in real-world vulnerability management workflows.
title On the Effectiveness of Instruction-Tuning Local LLMs for Identifying Software Vulnerabilities
topic Cryptography and Security
Artificial Intelligence
url https://arxiv.org/abs/2512.20062