The increasing complexity of software systems and the sophistication of cyber-attacks have underscored the need for reliable automated software vulnerability detection. Data-driven approaches using deep learning models show promise but critically depend on the availability of large, accurately labeled datasets. Yet existing datasets either suffer from noisy labels, limited vulnerability coverage, or fail to reflect vulnerabilities as they occur in real-world software. This also limits large-scale benchmarking of such solutions. Automated vulnerability injection provides a way to address these limitations, but existing techniques remain limited in coverage, contextual fidelity, or injection success. In this paper, we present AVIATOR, the first AI-agentic vulnerability injection framework. AVIATOR decomposes vulnerability injection into a coordinated workflow of specialized AI agents, tool-based analysis, and iterative self-correction, explicitly mirroring expert reasoning. It integrates RAG and lightweight LoRA-based fine-tuning to produce realistic, category-specific vulnerabilities without relying on handcrafted patterns. Across three benchmarks, AVIATOR achieves high injection fidelity (91-95%) surpassing existing injection techniques in both accuracy and vulnerability coverage. When used for data augmentation to train deep learning-based vulnerability detection (DLVD) models, AVIATOR provides the strongest downstream gains in vulnerability detection. Across models and base datasets, AVIATOR improves average F1 scores by +22% over no augmentation, +25% over VGX, holding the prior best injection success rate, and +3% over VulScribeR, the prior state-of-the-art LLM-based injection model, with +7% higher recall and no precision loss. Its augmented data exhibits the lowest distributional distortion and scales efficiently with <2% syntax rejection at 4.3x lower cost than VulScribeR.

翻译：摘要：随着软件系统日益复杂与网络攻击手段不断升级，对可靠的自动化软件漏洞检测需求愈发迫切。基于深度学习的数据驱动方法展现出应用前景，但其有效性高度依赖于大规模、精确标注数据集的可用性。然而现有数据集存在标签噪声大、漏洞覆盖范围有限、或无法真实反映现实软件中漏洞特征等问题，这也制约了此类解决方案的大规模基准测试。自动化漏洞注入为突破上述局限提供了可行途径，但现有技术在覆盖范围、上下文保真度或注入成功率方面仍存在局限。本文提出AVIATOR，这是首个基于AI智能体驱动的漏洞注入框架。AVIATOR将漏洞注入分解为由专业AI智能体集群、工具分析及迭代自纠错构成的协同工作流，明确模拟专家推理过程。该框架集成RAG与基于LoRA的轻量级微调技术，无需依赖人工模式即可生成逼真、类型特定的漏洞。在三个基准测试中，AVIATOR实现了91-95%的高注入保真度，在准确率和漏洞覆盖率方面均超越现有注入技术。当用于数据增强以训练基于深度学习的漏洞检测（DLVD）模型时，AVIATOR在漏洞检测方面取得了最佳下游增益。跨模型与基础数据集，AVIATOR将平均F1分数较无增强提升22%，较此前最佳注入成功率保持者VGX提升25%，较先前最先进的基于LLM的注入模型VulScribeR提升3%，同时召回率提高7%且精度无损。其增强数据呈现出最低的分布畸变，并以低于VulScribeR 4.3倍的成本实现<2%的语法拒绝率，具备高效可扩展性。