CAREER: Towards Automated Vulnerability Management: Vulnerability Discovery, Localization, and Continuous Monitoring

NSF Award Search · 01002930DB NSF RESEARCH & RELATED ACTIVIT · $624,660 · view on nsf.gov ↗

Abstract

Open-source software security vulnerabilities lead to severe impacts, e.g., stolen personal data, financial losses, and disrupted services. Due to the significant growth of vulnerabilities in recent years, it has become increasingly challenging for developers to efficiently manage security vulnerabilities, leading to supply-chain delays and prolonged security risks. While artificial intelligence tools are increasingly adopted in software development, it remains unclear whether they can reliably assist vulnerability management. This project builds tools that leverage AI to assist vulnerability management in open-source software and continuously monitors the security behaviors of AI agents in software development. The project's novelties are the combination of AI with program analysis on vulnerability localization, a new recommender system for prioritizing and discovering vulnerabilities, and novel testing methodologies for auditing the security behaviors of AI agents. The project's broader significance and importance are the strengthening of open-source software supply chain which supports modern software infrastructure, the training of next generation security researchers and software developers, including summer research camps in New Jersey, and the public release of benchmarks and tools that improve security research. The project's objectives are divided into three research thrusts: (1) using program analysis and graph neural networks to enhance patch localization and vulnerable code localization; (2) constructing a novel benchmark and recommender system for vulnerability discovery and prioritization based on a major bug bounty platform; (3) monitoring the security behaviors of AI agents for code review and generation by detecting security failures and inconsistency with user expectation. The project seamlessly integrates various methodologies and disciplines, including program analysis, large language models, natural language processing, software testing, and

Key facts

NSF award ID
2543926
Awardee
Stevens Institute of Technology (NJ)
SAM.gov UEI
JJ6CN5Y5A2R5
PI
Xueqing Liu
Primary program
01002930DB NSF RESEARCH & RELATED ACTIVIT
All programs
SaTC: Secure and Trustworthy Cyberspace, Artificial Intelligence (AI), CAREER-Faculty Erly Career Dev, Nat Security, Secure Border & Pub Safety
Estimated total
$624,660
Funds obligated
$364,538
Transaction type
Continuing Grant
Period
07/01/2026 → 06/30/2031