GPTVD: Vulnerability Detection and Analysis Method Based on LLM's Chain of Thoughts.
Abstract
Purpose: Traditional vulnerability detection methods based on machine learning (ML) and deep learning (DL) primarily focus on coarse-grained predictions, often lacking precise localization and interpretability regarding the root causes of vulnerabilities. The growing availability of open-source vulnerability databases calls for advanced methods that can reason about vulnerabilities at a finer slice-level granularity. GPTVD leverages large language models’ (LLMs) in-context learning (ICL) and chain-of-thought (COT) reasoning capabilities. The goal is to enhance both detection performance and explainability.

Methods: GPTVD extracts threat code slices through static code analysis, focusing on data and control dependencies. Positive and negative samples are clustered based on heuristic features, and representative samples are manually annotated with reasoning processes to build COT prompts. These prompts are combined with target samples to form LLM input queries, enabling slice-level vulnerability inference and explanation using ChatGPT. The method was evaluated on 3,512 threat code slices from a public dataset.

Results: GPTVD achieved superior performance compared to state-of-the-art methods, with 90.72% accuracy, 86.71% precision, and 96.39% recall. Ablation studies confirm that clustering-based prompt selection, explicit threat code slices, and human expert reasoning significantly improve detection effectiveness and interpretability.

Conclusion: GPTVD demonstrates that combining static code analysis with LLM-based COT reasoning can effectively detect vulnerabilities at the slice level with high accuracy and interpretability.