Improving distributed learning-based vulnerability detection via multi-modal prompt tuning

IF 4.1 2区计算机科学 Q1 COMPUTER SCIENCE, SOFTWARE ENGINEERING Journal of Systems and Software Pub Date : 2025-03-27 DOI:10.1016/j.jss.2025.112442

Zilong Ren , Xiaolin Ju , Xiang Chen , Yubin Qu

{"title":"Improving distributed learning-based vulnerability detection via multi-modal prompt tuning","authors":"Zilong Ren , Xiaolin Ju , Xiang Chen , Yubin Qu","doi":"10.1016/j.jss.2025.112442","DOIUrl":null,"url":null,"abstract":"<div><div>Software vulnerabilities pose significant threats to the integrity and reliability of complex systems, making their detection critical. In recent years, a growing body of research has explored deep learning-based approaches for identifying vulnerabilities, which have shown promising results. However, many of these methods ignore privacy and security issues. We utilize distributed learning techniques that enable local models to interact without data sharing. By aggregating these locally trained models, we can update the global model while maintaining data privacy and security. Additionally, existing methods rely on a single source of code semantic information. However, leveraging multiple modalities can capture diverse code representations and features. Specifically, graph-based representations and source code provide structural and syntactic-semantic information that complements traditional code analysis. In this study, we propose a novel function-level vulnerability detection approach MIVDL. It integrates both structured and unstructured features of source code. Then, it further combines the code token sequence with the Code Property Graph (CPG) for enhanced detection accuracy. This hybrid representation leverages the strengths of different modalities to provide a comprehensive understanding of code semantics. Furthermore, our approach employs a pre-trained model applied to distinct parts of each modality before being integrated into a single hybrid representation. This allows a unified analysis framework to utilize each modality’s unique features and strengths. Additionally, distributed learning facilitates collaborative learning and knowledge-sharing among participating entities. We evaluate MIVDL on three datasets (Devign, Reveal, and Big-Vul), and the results indicate that MIVDL outperformed eight state-of-the-art baselines by 3.04<span><math><mo>∼</mo></math></span>70.73% in terms of F1-score. Therefore, combining multi-modal prompt tuning and distributed learning can improve performance in vulnerability detection.</div></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":"226 ","pages":"Article 112442"},"PeriodicalIF":4.1000,"publicationDate":"2025-03-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Systems and Software","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0164121225001104","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, SOFTWARE ENGINEERING","Score":null,"Total":0}

引用次数: 0

Abstract

Software vulnerabilities pose significant threats to the integrity and reliability of complex systems, making their detection critical. In recent years, a growing body of research has explored deep learning-based approaches for identifying vulnerabilities, which have shown promising results. However, many of these methods ignore privacy and security issues. We utilize distributed learning techniques that enable local models to interact without data sharing. By aggregating these locally trained models, we can update the global model while maintaining data privacy and security. Additionally, existing methods rely on a single source of code semantic information. However, leveraging multiple modalities can capture diverse code representations and features. Specifically, graph-based representations and source code provide structural and syntactic-semantic information that complements traditional code analysis. In this study, we propose a novel function-level vulnerability detection approach MIVDL. It integrates both structured and unstructured features of source code. Then, it further combines the code token sequence with the Code Property Graph (CPG) for enhanced detection accuracy. This hybrid representation leverages the strengths of different modalities to provide a comprehensive understanding of code semantics. Furthermore, our approach employs a pre-trained model applied to distinct parts of each modality before being integrated into a single hybrid representation. This allows a unified analysis framework to utilize each modality’s unique features and strengths. Additionally, distributed learning facilitates collaborative learning and knowledge-sharing among participating entities. We evaluate MIVDL on three datasets (Devign, Reveal, and Big-Vul), and the results indicate that MIVDL outperformed eight state-of-the-art baselines by 3.04

\sim

70.73% in terms of F1-score. Therefore, combining multi-modal prompt tuning and distributed learning can improve performance in vulnerability detection.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

通过多模态提示调优改进分布式学习漏洞检测

软件漏洞对复杂系统的完整性和可靠性构成重大威胁，因此对其进行检测至关重要。近年来，越来越多的研究探索了基于深度学习的方法来识别漏洞，这些方法已经显示出有希望的结果。然而，这些方法中的许多都忽略了隐私和安全问题。我们利用分布式学习技术，使本地模型在没有数据共享的情况下进行交互。通过聚合这些局部训练的模型，我们可以在保持数据隐私和安全性的同时更新全局模型。此外，现有方法依赖于单一的代码语义信息源。然而，利用多种模式可以捕获不同的代码表示和特性。具体来说，基于图的表示和源代码提供了结构和语法语义信息，补充了传统的代码分析。在这项研究中，我们提出了一种新的功能级漏洞检测方法MIVDL。它集成了源代码的结构化和非结构化特性。然后，它进一步将代码标记序列与代码属性图（CPG）相结合，以提高检测精度。这种混合表示利用了不同模式的优势，提供了对代码语义的全面理解。此外，我们的方法采用了一个预训练的模型，应用于每个模态的不同部分，然后集成到一个混合表示中。这允许一个统一的分析框架利用每个模态的独特特性和优势。此外，分布式学习促进了参与实体之间的协作学习和知识共享。我们在三个数据集（design、Reveal和Big-Vul）上对MIVDL进行了评估，结果表明，MIVDL在f1得分方面比8个最先进的基线高出3.04 ~ 70.73%。因此，将多模态提示调优与分布式学习相结合，可以提高漏洞检测的性能。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

Journal of Systems and Software 工程技术-计算机：理论方法

CiteScore

8.60

自引率

5.70%

发文量

193

审稿时长

16 weeks

期刊介绍： The Journal of Systems and Software publishes papers covering all aspects of software engineering and related hardware-software-systems issues. All articles should include a validation of the idea presented, e.g. through case studies, experiments, or systematic comparisons with other approaches already in practice. Topics of interest include, but are not limited to: •Methods and tools for, and empirical studies on, software requirements, design, architecture, verification and validation, maintenance and evolution •Agile, model-driven, service-oriented, open source and global software development •Approaches for mobile, multiprocessing, real-time, distributed, cloud-based, dependable and virtualized systems •Human factors and management concerns of software development •Data management and big data issues of software systems •Metrics and evaluation, data mining of software development resources •Business and economic aspects of software development processes The journal welcomes state-of-the-art surveys and reports of practical experience for all of these topics.