
PatchSentinel-X: Transformer-Based Security Patch Intelligence for Vulnerability Lifecycle Assurance

Primary supervisor

Sanoop Mallissery

Core PhD Question

Can Transformer models understand the full lifecycle of a vulnerability, from vulnerable code to patch, to advisory, to regression risk, and determine whether a security fix is complete, safe, and trustworthy?

To be clear about scope, the project is not vulnerability detection and not automated patching. Its subject is security patch trustworthiness intelligence: judging the quality of a fix that already exists.

The proposed PhD will develop a Transformer-based security patch intelligence framework that can understand the full story of a vulnerability: how it appeared, how it was patched, whether the patch was complete, and whether the fix may still be risky.

Instead of analysing isolated source code, the system will study the vulnerability lifecycle:

Vulnerable code → patch diff → commit message → CVE/CWE description → security advisory → follow-up commits → regression signals

This turns security patch analysis into a much deeper AI reasoning problem.

The final goal is to build an intelligent assistant for secure software maintenance that can say:

  • “This patch looks incomplete.”
  • “This fix addresses input validation but not authorization.”
  • “The changed lines do not fully match the CVE description.”
  • “This patch may need additional security tests.”
  • “This fix is likely to require a follow-up patch.”

 

Expected PhD contributions

Contribution 1

A vulnerability-patch lifecycle dataset

A curated dataset linking vulnerable code, patched code, code diffs, CVE/CWE text, commit messages, advisories, follow-up fixes, and regression signals.

Contribution 2

A multi-modal Transformer architecture for security patch reasoning

A model that jointly learns from code, diffs, natural-language advisories, and vulnerability metadata.

Contribution 3

Patch trustworthiness prediction

A new task formulation that classifies patches as complete, incomplete, risky, regression-prone, or potentially still vulnerable.

Contribution 4

Explainable patch-risk localization

A method to highlight risky changed lines, suspicious unchanged code, and mismatches between the patch and the vulnerability description.

Contribution 5

DevSecOps-ready patch assurance prototype

A prototype that can support secure code review by producing patch trust scores and review recommendations.
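As an added example, not code from this page or from the project it describes: a minimal lifecycle record of the kind Contribution 1 calls for, a parser that fills it from a git unified diff, and a keyword baseline for the patch/description mismatch signal of Contribution 4, which produces the sort of review sentence the Contribution 5 prototype would surface. All names, the concern vocabulary, the diff and the CVE text are constructed for illustration; the CVE identifier is a placeholder, not a real record.

```python
"""Lifecycle record plus a baseline patch/advisory consistency check.

Added illustration, not PatchSentinel-X or any project's code. Every name,
the keyword table, the diff and the CVE text are constructed; "CVE-0000-0000"
is a placeholder and not a real record.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Hunk:
    path: str
    removed: list[str]
    added: list[str]


@dataclass
class LifecycleRecord:
    """One dataset row: the code change plus its natural-language context."""
    cve_id: str
    cwe_id: str
    description: str                    # CVE / advisory text
    commit_message: str
    hunks: list[Hunk]
    follow_up_commits: list[str] = field(default_factory=list)   # later fixes to the same code
    regression_signals: list[str] = field(default_factory=list)  # reverts, reopened issues, ...


def parse_unified_diff(diff_text: str) -> list[Hunk]:
    """Split git-style unified diff output into hunks, keeping only the +/- lines."""
    hunks: list[Hunk] = []
    path, current = "", None
    for line in diff_text.splitlines():
        if line.startswith("diff --git"):
            current = None                               # file headers follow
        elif current is None and line.startswith("--- "):
            continue                                     # old-file header, not a removed line
        elif current is None and line.startswith("+++ "):
            path = line[4:].strip().removeprefix("b/")
        elif line.startswith("@@"):
            current = Hunk(path=path, removed=[], added=[])
            hunks.append(current)
        elif current is None or line.startswith("\\"):
            continue                                     # outside a hunk / "\ No newline ..."
        elif line.startswith("+"):
            current.added.append(line[1:])
        elif line.startswith("-"):
            current.removed.append(line[1:])
    return hunks


# Constructed concern vocabulary: phrases advisories use -> tokens that typically appear
# in added code when that concern is really fixed. The learned model would replace this.
CONCEPT_HINTS = {
    "input validation": (("input validation", "improper validation", "unvalidated"),
                         ("validate", "isinstance(", "len(", "abort(400", "raise valueerror")),
    "authorization":    (("authorization", "access control", "privilege", "permission"),
                         ("is_owner", "has_permission", "is_admin", "current_user", "abort(403")),
    "path traversal":   (("path traversal", "directory traversal", "../"),
                         ("realpath", "normpath", "basename", "secure_filename")),
}


def concepts_in_text(text: str) -> set[str]:
    t = text.lower()
    return {c for c, (phrases, _) in CONCEPT_HINTS.items() if any(p in t for p in phrases)}


def concepts_in_patch(hunks: list[Hunk]) -> set[str]:
    added = "\n".join(l for h in hunks for l in h.added).lower()
    return {c for c, (_, tokens) in CONCEPT_HINTS.items() if any(tok in added for tok in tokens)}


def assess(record: LifecycleRecord) -> dict:
    """Compare what the advisory names with what the changed lines actually touch."""
    described, addressed = concepts_in_text(record.description), concepts_in_patch(record.hunks)
    unaddressed = described - addressed
    verdict = "regression-prone" if record.regression_signals else (
        "incomplete" if unaddressed else "complete")
    return {"described": described, "addressed": addressed, "unaddressed": unaddressed,
            "verdict": verdict, "needs_follow_up": bool(unaddressed or record.follow_up_commits)}


def summarize(result: dict) -> str:
    """Turn the assessment into the kind of review sentence the page lists."""
    if not result["unaddressed"]:
        return "The changed lines cover every concern named in the advisory."
    done = ", ".join(sorted(result["addressed"])) or "nothing recognisable"
    return f"This fix addresses {done} but not {', '.join(sorted(result['unaddressed']))}."


# Constructed sample: the patch adds input checks but never verifies who may export.
SAMPLE_DIFF = """\
diff --git a/app/reports.py b/app/reports.py
--- a/app/reports.py
+++ b/app/reports.py
@@ -10,2 +10,4 @@ def export_report(report_id):
-    report = db.get(report_id)
+    if not isinstance(report_id, str) or len(report_id) > 64:
+        abort(400)
+    report = db.get(report_id)
     return render(report)
"""


def build_sample_record() -> LifecycleRecord:
    return LifecycleRecord(
        cve_id="CVE-0000-0000",           # placeholder, constructed
        cwe_id="CWE-862",                 # Missing Authorization
        description=("Improper input validation and missing authorization check in "
                     "export_report allow a low-privileged user to export other users' reports."),
        commit_message="reports: validate report_id before lookup",
        hunks=parse_unified_diff(SAMPLE_DIFF),
    )


if __name__ == "__main__":
    res = assess(build_sample_record())
    print(res["verdict"], "-", summarize(res))  # incomplete - This fix addresses input validation but not authorization.
```

The keyword table is only a stand-in for the learned model; its purpose is to make the "incomplete" label concrete: a concern the advisory names that no added line touches. It also shows one limitation the proposal already anticipates under Contribution 4: the check looks only at added lines, so suspicious unchanged code around the hunk (here, the lookup that still has no ownership check) is invisible to it.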

Required knowledge

Essential

  • Python programming
  • Machine learning fundamentals
  • Deep learning basics
  • Cybersecurity fundamentals
  • Software vulnerability concepts
  • Git/GitHub basics
  • Code diffs, commits, and pull requests
  • Basic evaluation metrics such as accuracy, precision, recall, F1-score, and AUC

Useful

  • PyTorch or TensorFlow
  • Hugging Face Transformers
  • Transformer model basics
  • Secure coding principles
  • CVE, CWE, and CVSS concepts
  • Pandas, NumPy, and Scikit-learn
  • Ability to read C/C++, Java, or Python code
  • Basic static analysis tools such as Semgrep, CodeQL, or SonarQube

Nice to Have

  • CodeBERT, CodeT5, or GraphCodeBERT
  • Program analysis
  • Data-flow and control-flow understanding
  • Explainable AI
  • Patch correctness analysis
  • Security regression testing
  • Automated program repair
  • DevSecOps and CI/CD pipeline knowledge
  • Docker and experiment tracking tools such as MLflow or Weights & Biases

