MalCodeAI

AI-powered malicious code detection and remediation system


Overview

MalCodeAI is an AI-powered static analysis system for autonomous vulnerability detection and remediation. It follows a two-stage process to decompose code into logical segments, evaluate security risks, simulate potential exploits, and recommend remediation actions. The system supports 14 programming languages and applies zero-shot generalization to unfamiliar codebases.

Pipeline

1. Decomposes code into functional components with semantic summaries
2. Assigns preliminary CVSS-based risk scores
3. Performs deep vulnerability reasoning and exploit simulation
4. Generates red-hat-style exploit traces with attack path analysis
5. Recommends secure, context-aware remediation suggestions

Model & Training

The system uses a Qwen2.5-Coder-3B model fine-tuned with LoRA on the MLX framework. Training was conducted on 48GB Apple Silicon hardware with a curated dataset of malicious and benign examples across 14 languages. Phase 1 handles code decomposition, while Phase 2 is dedicated to vulnerability detection and patch generation.

Experiment Results

• Phase 1 best validation loss: 0.397
• Phase 2 best validation loss: 0.199
• Manual evaluation: 13/17 injected vulnerabilities detected, with 70% actionable fix suggestions
• Developer feedback (n=15): Usefulness avg. score: 8.06/10, Interpretability: 7.4/10, Readability: 7.0/10

Tech. Stack

Python, PyTorch, LLMs, HuggingFace Transformers, Apple MLX, Static Code Analysis, Security Exploit Simulation

Links

• GitHub Repository
• Publication Page
