FedMVA：通过联邦多模态学习增强软件漏洞评估

IF 3.7 2区计算机科学 Q1 COMPUTER SCIENCE, SOFTWARE ENGINEERING

Journal of Systems and Software Pub Date : 2025-05-02 DOI:10.1016/j.jss.2025.112469

Qingyun Liu , Xiaolin Ju , Xiang Chen , Lina Gong

{"title":"FedMVA：通过联邦多模态学习增强软件漏洞评估","authors":"Qingyun Liu , Xiaolin Ju , Xiang Chen , Lina Gong","doi":"10.1016/j.jss.2025.112469","DOIUrl":null,"url":null,"abstract":"<div><div>Software Vulnerability Assessment plays a crucial role in identifying and evaluating security vulnerabilities in software systems and prioritizing their resolution. However, as concerns about data privacy and security continue to grow, traditional vulnerability assessment methods struggle to balance effectiveness with privacy protection, particularly in heterogeneous data environments. To address this challenge, we propose a novel federated multimodal vulnerability assessment framework (FedMVA), designed with privacy preservation at its core. FedMVA leverages federated learning, enabling local model training without sharing data, thereby protecting sensitive information while ensuring efficient vulnerability evaluation. Our framework also incorporates multimodal data, including code structure, lexical features, and developer comments, fully utilizing the complementary nature of these modalities. We introduce a weighted variance minimization loss function to improve the alignment between local and global models and adopt a momentum-based weight allocation strategy with a dynamic learning rate mechanism to enhance the model’s robustness and adaptability across diverse data environments. Extensive ablation studies demonstrate that FedMVA outperforms existing methods in multiple performance metrics, significantly improving the precision of vulnerability assessment. This work highlights the advantages of integrating multimodal data within a federated learning framework, providing an innovative and promising solution for effective and privacy-preserving vulnerability assessment in complex software systems.</div><div><em>Editor’s note: Open Science material was validated by the Journal of Systems and Software Open Science Board</em>.</div></div>","PeriodicalId":51099,"journal":{"name":"Journal of Systems and Software","volume":"228 ","pages":"Article 112469"},"PeriodicalIF":3.7000,"publicationDate":"2025-05-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"FedMVA: Enhancing software vulnerability assessment via federated multimodal learning\",\"authors\":\"Qingyun Liu , Xiaolin Ju , Xiang Chen , Lina Gong\",\"doi\":\"10.1016/j.jss.2025.112469\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><div>Software Vulnerability Assessment plays a crucial role in identifying and evaluating security vulnerabilities in software systems and prioritizing their resolution. However, as concerns about data privacy and security continue to grow, traditional vulnerability assessment methods struggle to balance effectiveness with privacy protection, particularly in heterogeneous data environments. To address this challenge, we propose a novel federated multimodal vulnerability assessment framework (FedMVA), designed with privacy preservation at its core. FedMVA leverages federated learning, enabling local model training without sharing data, thereby protecting sensitive information while ensuring efficient vulnerability evaluation. Our framework also incorporates multimodal data, including code structure, lexical features, and developer comments, fully utilizing the complementary nature of these modalities. We introduce a weighted variance minimization loss function to improve the alignment between local and global models and adopt a momentum-based weight allocation strategy with a dynamic learning rate mechanism to enhance the model’s robustness and adaptability across diverse data environments. Extensive ablation studies demonstrate that FedMVA outperforms existing methods in multiple performance metrics, significantly improving the precision of vulnerability assessment. This work highlights the advantages of integrating multimodal data within a federated learning framework, providing an innovative and promising solution for effective and privacy-preserving vulnerability assessment in complex software systems.</div><div><em>Editor’s note: Open Science material was validated by the Journal of Systems and Software Open Science Board</em>.</div></div>\",\"PeriodicalId\":51099,\"journal\":{\"name\":\"Journal of Systems and Software\",\"volume\":\"228 \",\"pages\":\"Article 112469\"},\"PeriodicalIF\":3.7000,\"publicationDate\":\"2025-05-02\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Journal of Systems and Software\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S0164121225001372\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, SOFTWARE ENGINEERING\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Systems and Software","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0164121225001372","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, SOFTWARE ENGINEERING","Score":null,"Total":0}

引用次数: 0

摘要

软件漏洞评估在识别和评估软件系统中的安全漏洞并确定解决方案的优先级方面起着至关重要的作用。然而，随着对数据隐私和安全的关注不断增加，传统的漏洞评估方法难以平衡有效性和隐私保护，特别是在异构数据环境中。为了应对这一挑战，我们提出了一种以隐私保护为核心的新型联邦多模式脆弱性评估框架（FedMVA）。FedMVA利用联邦学习，在不共享数据的情况下进行本地模型训练，从而保护敏感信息，同时确保有效的漏洞评估。我们的框架还集成了多模态数据，包括代码结构、词法特征和开发人员注释，充分利用了这些模态的互补性。我们引入加权方差最小化损失函数来改善局部和全局模型之间的一致性，并采用基于动量的权重分配策略和动态学习率机制来增强模型在不同数据环境下的鲁棒性和适应性。广泛的消融研究表明，FedMVA在多个性能指标上优于现有方法，显著提高了脆弱性评估的精度。这项工作强调了在联邦学习框架内集成多模态数据的优势，为复杂软件系统中有效和保护隐私的漏洞评估提供了一种创新和有前途的解决方案。编者注：开放科学材料由系统与软件开放科学委员会杂志验证。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

FedMVA: Enhancing software vulnerability assessment via federated multimodal learning

Software Vulnerability Assessment plays a crucial role in identifying and evaluating security vulnerabilities in software systems and prioritizing their resolution. However, as concerns about data privacy and security continue to grow, traditional vulnerability assessment methods struggle to balance effectiveness with privacy protection, particularly in heterogeneous data environments. To address this challenge, we propose a novel federated multimodal vulnerability assessment framework (FedMVA), designed with privacy preservation at its core. FedMVA leverages federated learning, enabling local model training without sharing data, thereby protecting sensitive information while ensuring efficient vulnerability evaluation. Our framework also incorporates multimodal data, including code structure, lexical features, and developer comments, fully utilizing the complementary nature of these modalities. We introduce a weighted variance minimization loss function to improve the alignment between local and global models and adopt a momentum-based weight allocation strategy with a dynamic learning rate mechanism to enhance the model’s robustness and adaptability across diverse data environments. Extensive ablation studies demonstrate that FedMVA outperforms existing methods in multiple performance metrics, significantly improving the precision of vulnerability assessment. This work highlights the advantages of integrating multimodal data within a federated learning framework, providing an innovative and promising solution for effective and privacy-preserving vulnerability assessment in complex software systems.

Editor’s note: Open Science material was validated by the Journal of Systems and Software Open Science Board.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Journal of Systems and Software 工程技术-计算机：理论方法

CiteScore

8.60

自引率

5.70%

发文量

193

审稿时长

16 weeks

期刊介绍： The Journal of Systems and Software publishes papers covering all aspects of software engineering and related hardware-software-systems issues. All articles should include a validation of the idea presented, e.g. through case studies, experiments, or systematic comparisons with other approaches already in practice. Topics of interest include, but are not limited to: •Methods and tools for, and empirical studies on, software requirements, design, architecture, verification and validation, maintenance and evolution •Agile, model-driven, service-oriented, open source and global software development •Approaches for mobile, multiprocessing, real-time, distributed, cloud-based, dependable and virtualized systems •Human factors and management concerns of software development •Data management and big data issues of software systems •Metrics and evaluation, data mining of software development resources •Business and economic aspects of software development processes The journal welcomes state-of-the-art surveys and reports of practical experience for all of these topics.