Graph Neural Networks for Vulnerability Detection: A Counterfactual Explanation

2024-04-24 06:52:53
Zhaoyang Chu, Yao Wan, Qian Li, Yang Wu, Hongyu Zhang, Yulei Sui, Guandong Xu, Hai Jin

Abstract

Vulnerability detection is crucial for ensuring the security and reliability of software systems. Recently, Graph Neural Networks (GNNs) have emerged as a prominent code embedding approach for vulnerability detection, owing to their ability to capture the underlying semantic structure of source code. However, GNNs face significant challenges in explainability due to their inherently black-box nature. To this end, several factual reasoning-based explainers have been proposed. These explainers provide explanations for the predictions made by GNNs by analyzing the key features that contribute to the outcomes. We argue that these factual reasoning-based explanations cannot answer critical what-if questions: What would happen to the GNN's decision if we were to alter the code graph into alternative structures? Inspired by advancements of counterfactual reasoning in artificial intelligence, we propose CFExplainer, a novel counterfactual explainer for GNN-based vulnerability detection. Unlike factual reasoning-based explainers, CFExplainer seeks the minimal perturbation to the input code graph that leads to a change in the prediction, thereby addressing the what-if questions for vulnerability detection. We term this perturbation a counterfactual explanation, which can pinpoint the root causes of the detected vulnerability and furnish valuable insights for developers to undertake appropriate actions for fixing the vulnerability. Extensive experiments on four GNN-based vulnerability detection models demonstrate the effectiveness of CFExplainer over existing state-of-the-art factual reasoning-based explainers.
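The what-if search described in the abstract, as an added illustration on a constructed five-statement code graph; this is not code from the paper or from CFExplainer. The detector is a hand-written message-passing score standing in for a trained GNN, and the search is brute force over edge deletions; both, along with all names below, are assumptions made for the example.

```python
from itertools import combinations

# Constructed toy code graph: nodes are statements, edges are data/control flow.
NODES = {
    0: "n = read_len(sock)",       # attacker-influenced length (source)
    1: "if (n > MAX) return;",     # bounds check
    2: "buf = malloc(64)",
    3: "memcpy(buf, src, n)",      # sink
    4: "log(n)",
}
SOURCES, CHECKS, SINKS = {0}, {1}, {3}
EDGES = [(0, 1), (1, 3), (0, 3), (2, 3), (0, 4)]

def score(edges, rounds=3, decay=0.9):
    """Stand-in detector: max-aggregation message passing of a 'taint' signal.
    Check nodes absorb the signal; the score is the signal reaching a sink."""
    h = {v: (1.0 if v in SOURCES else 0.0) for v in NODES}
    for _ in range(rounds):
        new = dict(h)
        for u, v in edges:
            if v in CHECKS:
                continue                      # a check does not forward taint
            new[v] = max(new[v], decay * h[u])
        h = new
    return max(h[s] for s in SINKS)

def predict(edges, threshold=0.5):
    """True means the graph is classified as vulnerable."""
    return score(edges) > threshold

def counterfactual(edges):
    """Smallest set of edges whose removal flips the prediction, or None.
    Subsets are tried in increasing size, so the first hit is minimal."""
    base = predict(edges)
    for k in range(1, len(edges) + 1):
        for removed in combinations(edges, k):
            kept = [e for e in edges if e not in removed]
            if predict(kept) != base:
                return list(removed)
    return None

if __name__ == "__main__":
    print("vulnerable:", predict(EDGES))
    for u, v in counterfactual(EDGES) or []:
        print(f"remove edge: {NODES[u]!r} -> {NODES[v]!r}")
```

On this graph the minimal perturbation is the single edge that carries the length to `memcpy` without passing through the bounds check, which is the kind of root-cause pointer the abstract attributes to a counterfactual explanation.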

URL

https://arxiv.org/abs/2404.15687

PDF

https://arxiv.org/pdf/2404.15687.pdf