Graph Neural Networks for Vulnerability Detection: A Counterfactual Explanation (2404.15687v2)
Abstract: Vulnerability detection is crucial for ensuring the security and reliability of software systems. Recently, Graph Neural Networks (GNNs) have emerged as a prominent code embedding approach for vulnerability detection, owing to their ability to capture the underlying semantic structure of source code. However, GNNs face significant challenges in explainability due to their inherently black-box nature. To this end, several factual reasoning-based explainers have been proposed. These explainers explain the predictions made by GNNs by analyzing the key features that contribute to the outcomes. We argue that these factual reasoning-based explanations cannot answer critical what-if questions: What would happen to the GNN's decision if we were to alter the code graph into alternative structures? Inspired by advances in counterfactual reasoning in artificial intelligence, we propose CFExplainer, a novel counterfactual explainer for GNN-based vulnerability detection. Unlike factual reasoning-based explainers, CFExplainer seeks the minimal perturbation to the input code graph that leads to a change in the prediction, thereby addressing the what-if questions for vulnerability detection. We term this perturbation a counterfactual explanation; it can pinpoint the root causes of the detected vulnerability and furnish valuable insights for developers to undertake appropriate actions for fixing the vulnerability. Extensive experiments on four GNN-based vulnerability detection models demonstrate the effectiveness of CFExplainer over existing state-of-the-art factual reasoning-based explainers.
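As an added illustration (not code from the paper or from CFExplainer's implementation), the "minimal perturbation that flips the prediction" idea worked on a constructed toy code graph: a fixed-weight taint-propagation classifier stands in for a trained GNN, and the explainer searches edge-deletion sets in order of increasing size, so the first set that changes the label is a minimal counterfactual. The graph, its node labels and the function names are assumptions made for the example.

```python
from itertools import combinations

# Constructed toy code property graph (not the paper's data): nodes are
# statements labelled as taint source, sink, sanitizer or plain; edges are
# data-flow dependencies src -> dst.
NODES = {
    "n1": "source",     # len = read_int(fd);
    "n2": "plain",      # n = len;
    "n3": "sanitizer",  # if (n > MAX) n = MAX;
    "n4": "sink",       # memcpy(buf, data, n);
}
EDGES = [("n1", "n2"), ("n2", "n4"), ("n1", "n3"), ("n3", "n4")]
# Same nodes, plus a second unsanitized flow straight into the sink.
EDGES_TWO_PATHS = EDGES + [("n1", "n4")]


def predict(nodes, edges):
    """Stand-in for a trained GNN: fixed-weight message passing that
    propagates taint along edges, blocked at sanitizers. Returns 1
    ("vulnerable") if any sink ends up tainted, else 0."""
    tainted = {v for v, kind in nodes.items() if kind == "source"}
    for _ in range(len(nodes)):  # at most |V| rounds to reach a fixpoint
        new = {dst for src, dst in edges
               if src in tainted and nodes[dst] != "sanitizer"}
        if new <= tainted:
            break
        tainted |= new
    return int(any(nodes[v] == "sink" for v in tainted))


def counterfactual(nodes, edges):
    """Return the smallest set of edge deletions that flips predict()'s
    label, or None if no deletion set does. Subsets are tried in order of
    increasing size, so the first hit is a minimal perturbation."""
    base = predict(nodes, edges)
    for k in range(1, len(edges) + 1):
        for removed in combinations(edges, k):
            kept = [e for e in edges if e not in removed]
            if predict(nodes, kept) != base:
                return list(removed)
    return None


if __name__ == "__main__":
    for name, edges in (("one path", EDGES), ("two paths", EDGES_TWO_PATHS)):
        print(name, "prediction:", predict(NODES, edges),
              "counterfactual deletions:", counterfactual(NODES, edges))
```

The returned edges are the data-flow dependencies whose removal would make the classifier stop reporting the function as vulnerable, which is exactly what the counterfactual points a developer at; the exhaustive search is fine for a toy graph but grows combinatorially with edge count.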