The increasing complexity of software systems and the sophistication of cyber-attacks have underscored the critical need for effective automated vulnerability detection and repair systems. Data-driven approaches using deep learning models show promise but critically depend on the availability of large, accurately labeled datasets. Yet existing datasets either suffer from noisy labels, limited range of vulnerabilities, or fail to reflect vulnerabilities as they occur in real-world software. This also limits large-scale benchmarking of such solutions. Automated vulnerability injection provides a way to directly address these dataset limitations, but existing techniques remain limited in coverage, contextual fidelity, or injection success rates. In this paper, we present AVIATOR, the first AI-agentic vulnerability injection workflow. It automatically injects realistic, category-specific vulnerabilities for high-fidelity, diverse, large-scale vulnerability dataset generation. Unlike prior monolithic approaches, AVIATOR orchestrates specialized AI agents, function agents and traditional code analysis tools that replicate expert reasoning. It combines semantic analysis, injection synthesis enhanced with LoRA-based fine-tuning and Retrieval-Augmented Generation, as well as post-injection validation via static analysis and LLM-based discriminators. This modular decomposition allows specialized agents to focus on distinct tasks, improving robustness of injection and reducing error propagation across the workflow. Evaluations across three distinct benchmarks demonstrate that AVIATOR achieves 91%-95% injection success rates, significantly surpassing existing automated dataset generation techniques in both accuracy and scope of software vulnerabilities.

翻译：软件系统日益复杂，网络攻击手段日趋精密，这凸显了对高效自动化漏洞检测与修复系统的迫切需求。基于深度学习模型的数据驱动方法展现出潜力，但其效果关键依赖于大规模、标注准确的数据集的可用性。然而，现有数据集要么存在标签噪声问题，要么漏洞类型覆盖范围有限，要么未能反映真实世界软件中实际出现的漏洞。这也限制了对此类解决方案进行大规模基准测试的能力。自动化漏洞注入为直接解决这些数据集局限性提供了一种途径，但现有技术在覆盖范围、上下文保真度或注入成功率方面仍然存在不足。本文提出了AVIATOR，首个AI代理驱动的漏洞注入工作流。它能够自动注入特定类别的、逼真的漏洞，用于生成高保真、多样化、大规模的漏洞数据集。与以往单一化的方法不同，AVIATOR协调了专门的AI代理、功能代理以及传统代码分析工具，以复现专家推理过程。它结合了语义分析、通过基于LoRA的微调和检索增强生成技术增强的注入合成，以及通过静态分析和基于LLM的判别器进行的注入后验证。这种模块化分解使得专门代理能够专注于不同的任务，从而提高了注入的鲁棒性，并减少了工作流中的错误传播。在三个不同基准测试上的评估表明，AVIATOR实现了91%-95%的注入成功率，在软件漏洞的准确性和覆盖范围上均显著超越了现有的自动化数据集生成技术。