GPTGet

Improving Generalization on Cybersecurity Tasks with Multi-Modal Contrastive Learning

TL;DR

SALM framework improves generalization in cybersecurity tasks using multi-modal contrastive learning, especially for text and payload data.

cs.CR 🔴 Advanced 2026-03-21 67 views
Jianan Huang Rodolfo V. Valentim Luca Vassio Matteo Boffa Marco Mellia Idilio Drago Dario Rossi
AI Reader Arxiv Page Download PDF
multi-modal learning contrastive learning cybersecurity generalization machine learning

Key Findings

Methodology

This study introduces a two-stage multi-modal contrastive learning framework called SALM (Semantically Aligned Language Models). In the first stage, a semantically meaningful embedding space is constructed through contrastive learning on vulnerability descriptions. In the second stage, payloads are aligned to this space, transferring knowledge from text to payloads. The approach is validated on a large-scale private dataset and a synthetic benchmark, demonstrating advantages in reducing shortcut learning.

Key Results

  • On a private dataset with temporal splits, SALM achieved 0.68 accuracy in challenging scenarios, significantly improving over Cross-Entropy Finetuning (0.62) and Nearest Neighbor (0.49).
  • SALM also showed similar gains on the synthetic benchmark, indicating its generalization capability across different distributions.
  • Through contrastive learning, SALM was able to form clear semantic structures in the text embedding space and successfully transfer this structure to payload data.

Significance

This research is significant in the field of cybersecurity as it addresses the issue of poor generalization of machine learning models in real-world production environments. By employing multi-modal contrastive learning, the study demonstrates how knowledge from data-rich modalities like text can enhance the performance of data-scarce modalities like payloads. This approach not only holds theoretical value in academia but also offers a more robust cybersecurity solution for the industry.

Technical Contribution

Technical contributions include the introduction of a novel multi-modal contrastive learning framework that enables knowledge transfer between different modalities. Compared to existing SOTA methods, SALM avoids catastrophic forgetting by freezing the text encoder and optimizes the semantic structure of the embedding space through contrastive learning. This provides new engineering possibilities for payload classification in cybersecurity tasks.

Novelty

This study is the first to apply a multi-modal contrastive learning framework in cybersecurity tasks, achieving knowledge transfer from text to payloads. Compared to related work, SALM optimizes the semantic structure of the embedding space through contrastive learning, significantly reducing shortcut learning.

Limitations

  • The method performs poorly on certain rare or ambiguous classes, possibly due to data scarcity and semantic overlap in the vendor's classification standards.
  • An accuracy of 0.68 is still far from production-grade reliability, possibly requiring richer textual descriptions to further improve performance.
  • Current experiments are limited to a single cybersecurity task, requiring broader validation across other tasks.

Future Work

Future research directions include validating the generalizability of the method across more cybersecurity tasks, exploring more sophisticated triplet mining strategies to improve contrastive learning efficiency, and verifying SALM's zero-shot transfer capability on new vulnerability categories.

AI Executive Summary

In the field of cybersecurity, the generalization capability of machine learning models has long been a challenge. While these models perform well in controlled environments, they often struggle to maintain their performance in real-world production. This is primarily because models tend to learn superficial patterns rather than deep cybersecurity concepts.

This study introduces a multi-modal contrastive learning framework called SALM, aimed at improving model performance in cybersecurity tasks by transferring knowledge from data-rich modalities like text to data-scarce modalities like payloads. The SALM framework operates in two stages: first, a semantically meaningful embedding space is constructed through contrastive learning on vulnerability descriptions; then, payloads are aligned to this space, transferring knowledge from text to payloads.

In experiments, SALM was validated on a large-scale private dataset and a synthetic benchmark built from public CVE descriptions and LLM-generated payloads. In challenging scenarios, SALM achieved 0.68 accuracy, significantly improving over traditional methods. This indicates that contrastive learning can effectively reduce shortcut learning.

The study holds significant academic value and offers a more robust cybersecurity solution for the industry by demonstrating how knowledge from data-rich modalities like text can enhance the performance of data-scarce modalities like payloads.

However, SALM performs poorly on certain rare or ambiguous classes, possibly due to data scarcity and semantic overlap in the vendor's classification standards. Additionally, an accuracy of 0.68 is still far from production-grade reliability. Future research directions include validating the generalizability of the method across more cybersecurity tasks, exploring more sophisticated triplet mining strategies to improve contrastive learning efficiency, and verifying SALM's zero-shot transfer capability on new vulnerability categories.

Deep Analysis

Background

In recent years, the application of machine learning in cybersecurity has become increasingly widespread. However, these models often face the challenge of poor generalization in real-world applications. Many studies have shown that while models perform well in controlled environments, they struggle to maintain their performance in real-world production. This is primarily because models tend to learn superficial patterns (shortcuts) rather than deep cybersecurity concepts. To address this challenge, researchers have begun exploring multi-modal learning methods, hoping to enhance model generalization by transferring knowledge from data-rich modalities like text to data-scarce modalities like payloads.

Core Problem

The core problem in cybersecurity tasks is how to improve the generalization capability of models so that they can maintain good performance in real-world production environments. Existing machine learning models tend to learn superficial patterns rather than deep cybersecurity concepts, leading to poor performance when faced with new or unseen data. Additionally, payload data is often scarce, making it difficult to effectively train models using traditional supervised learning methods.

Innovation

The core innovation of this study is the introduction of a multi-modal contrastive learning framework called SALM. • SALM constructs a semantically meaningful embedding space through contrastive learning, enabling models to better understand and classify payload data. • By freezing the text encoder, SALM avoids catastrophic forgetting and optimizes the semantic structure of the embedding space through contrastive learning. • The method is validated on a large-scale private dataset and a synthetic benchmark, demonstrating advantages in reducing shortcut learning.

Methodology

The SALM framework operates in two stages:

  • �� In the first stage, a semantically meaningful embedding space is constructed through contrastive learning on vulnerability descriptions. Specifically, the study uses a triplet loss function to optimize the text encoder, bringing embeddings of the same class closer together while pushing embeddings of different classes further apart.
  • �� In the second stage, payloads are aligned to this space using a frozen text encoder, transferring knowledge from text to payloads. The study uses an alignment loss function to optimize the payload encoder, aligning payload embeddings with corresponding text description embeddings.

Experiments

The experimental design includes validation on a large-scale private dataset and a synthetic benchmark built from public CVE descriptions and LLM-generated payloads. • The private dataset contains 29,675 textual descriptions and 601,518 payloads, with experiments simulating zero-day conditions through temporal splits. • The synthetic benchmark is used to test the model's generalization capability on out-of-distribution data. • The study compares SALM's performance with three baseline methods, including TF-IDF+RF, CodeBERT+MLP, and Embedding Similarity.

Results

Experimental results show that SALM achieved 0.68 accuracy in challenging scenarios, significantly improving over Cross-Entropy Finetuning (0.62) and Nearest Neighbor (0.49). SALM also showed similar gains on the synthetic benchmark, indicating its generalization capability across different distributions. Additionally, through contrastive learning, SALM was able to form clear semantic structures in the text embedding space and successfully transfer this structure to payload data.

Applications

The SALM framework has wide-ranging applications in the field of cybersecurity. • Direct applications include the classification and detection of malicious HTTP payloads, helping organizations better identify and defend against cyberattacks. • The method can also be applied to other tasks requiring multi-modal data fusion, such as intrusion detection and malware family classification. • By reducing dependence on large annotated datasets, SALM offers a more cost-effective cybersecurity solution for small and medium-sized enterprises.

Limitations & Outlook

Despite its impressive performance, SALM has some limitations. • First, the method performs poorly on certain rare or ambiguous classes, possibly due to data scarcity and semantic overlap in the vendor's classification standards. • Second, an accuracy of 0.68 is still far from production-grade reliability, possibly requiring richer textual descriptions to further improve performance. • Additionally, current experiments are limited to a single cybersecurity task, requiring broader validation across other tasks.

Plain Language Accessible to non-experts

Imagine you're cooking in a kitchen. You have a lot of ingredients but don't know how to combine them to make delicious dishes. Now, there's a cookbook that details the recipes and the ingredients needed for each dish. This cookbook is like the text descriptions, and the ingredients are like the payload data. Our goal is to learn from the cookbook to better understand and use these ingredients to make delicious dishes.

In this process, we first need to understand the core elements of each dish, such as what kind of spices are needed and how to pair the ingredients. This is like contrastive learning, where we analyze the descriptions in the cookbook to build a semantic space about the dishes. Then, we apply this knowledge to actual cooking, trying to combine the ingredients into delicious dishes.

By doing this, we can not only make better use of the existing ingredients but also quickly find the right way to deal with new ingredients. This is the core idea of multi-modal contrastive learning: enhancing the understanding and application of payload data by learning knowledge from text.

Ultimately, our goal is to make a table of delicious dishes, just like successfully identifying and classifying cyberattacks. Through this method, we can better protect our network security and prevent potential threats.

ELI14 Explained like you're 14

Hey there, young tech enthusiasts! Today, we're diving into a super cool technology called multi-modal contrastive learning. Imagine you're playing a game where you need to solve puzzles using different clues. You have some text hints and some pictures. Our goal is to use these clues to find the hidden treasure!

First, we need to understand the text hints. It's like reading a storybook filled with clues about the treasure. We need to read carefully and find the connections between each clue. This is the first step of contrastive learning: analyzing the text to build a semantic space about the clues.

Next, we apply these clues to the pictures. It's like looking at a map to find the treasure's location. We need to combine the text hints and pictures to find the right path. This is the second step of contrastive learning: aligning text and pictures to enhance our understanding and application of payload data.

By doing this, we can not only make better use of the existing clues but also quickly find the right solution when faced with new clues. Ultimately, our goal is to find the hidden treasure, just like successfully identifying and classifying cyberattacks. Isn't that super cool?

Glossary

Multi-Modal Contrastive Learning

A method that achieves knowledge transfer between different modalities through contrastive learning. It optimizes the embedding space by bringing similar samples closer and pushing dissimilar ones apart.

Used in this paper for knowledge transfer from text to payloads.

Shortcut Learning

A phenomenon where models tend to learn superficial patterns rather than deep concepts, leading to poor generalization.

Identified as a major cause of poor generalization in models.

Semantic Alignment

The process of aligning data from different modalities to a common semantic space through contrastive learning.

Used in the SALM framework to align payload data to the text description embedding space.

Triplet Loss

A loss function used in contrastive learning that minimizes the distance between an anchor sample and a positive sample while maximizing the distance between the anchor and a negative sample.

Used to optimize the text encoder's embedding space.

Frozen Encoder

An encoder whose parameters remain unchanged during training to prevent catastrophic forgetting and provide stable target embeddings.

Used in the second stage of the SALM framework to align payload data.

Zero-Shot Transfer

The ability to apply a model to new categories without retraining, enhancing its adaptability.

Supported by the SALM framework but requires further validation.

Synthetic Benchmark

A benchmark dataset used to test a model's generalization capability on out-of-distribution data.

Used in this paper to validate SALM's generalization capability.

Alignment Loss

A loss function used to align the embeddings of a student model to those of a teacher model.

Used in the second stage of the SALM framework to optimize the payload encoder.

Semantic Space

An embedding space constructed through contrastive learning where similar samples are closer together, and dissimilar samples are further apart.

Used in the SALM framework to organize text and payload data.

Payload Data

In cybersecurity tasks, refers to data such as HTTP requests and responses.

Used in this paper to test the generalization capability of the SALM framework.

Open Questions Unanswered questions from this research

  • 1 How can the generalizability of the SALM method be validated across more cybersecurity tasks? Current research is limited to a single task, requiring broader validation across other tasks.
  • 2 How can SALM's performance be further improved on rare or ambiguous classes? These classes suffer from data scarcity and semantic overlap, possibly requiring richer textual descriptions.
  • 3 What is SALM's zero-shot transfer capability on new vulnerability categories? While SALM supports this capability, dedicated experiments are needed for validation.
  • 4 How can triplet mining strategies be optimized to improve contrastive learning efficiency? Current strategies may be inefficient in some cases, requiring further exploration.
  • 5 How can dependence on large annotated datasets be reduced? SALM has shown potential in this area, but further research is needed to validate its effectiveness in different scenarios.

Applications

Immediate Applications

Malicious HTTP Payload Classification

SALM can help organizations better identify and defend against cyberattacks, especially when dealing with malicious HTTP payloads. Through contrastive learning, the model can more accurately classify and detect potential threats.

Intrusion Detection

By applying SALM to intrusion detection systems, organizations can more effectively identify anomalous behavior and potential attacks, enhancing overall network security.

Malware Family Classification

SALM can be used for malware family classification tasks, helping security experts better understand and respond to different types of malware threats.

Long-term Vision

Cross-Modal Data Fusion

SALM's multi-modal contrastive learning framework offers new possibilities for cross-modal data fusion, which can be applied to more fields in the future, such as healthcare and finance.

Zero-Shot Transfer Capability

SALM's zero-shot transfer capability can be used in the future to address emerging cyber threats without retraining the model, improving response speed and efficiency.

Abstract

The use of ML in cybersecurity has long been impaired by generalization issues: Models that work well in controlled scenarios fail to maintain performance in production. The root cause often lies in ML algorithms learning superficial patterns (shortcuts) rather than underlying cybersecurity concepts. We investigate contrastive multi-modal learning as a first step towards improving ML performance in cybersecurity tasks. We aim at transferring knowledge from data-rich modalities, such as text, to data-scarce modalities, such as payloads. We set up a case study on threat classification and propose a two-stage multi-modal contrastive learning framework that uses textual vulnerability descriptions to guide payload classification. First, we construct a semantically meaningful embedding space using contrastive learning on descriptions. Then, we align payloads to this space, transferring knowledge from text to payloads. We evaluate the approach on a large-scale private dataset and a synthetic benchmark built from public CVE descriptions and LLM-generated payloads. The methodology appears to reduce shortcut learning over baselines on both benchmarks. We release our synthetic benchmark and source code as open source.

cs.CR cs.AI