
ExplainVulD: Graph-Based Vulnerability Detection

Updated 22 March 2026
  • ExplainVulD is a graph-based framework for explainable vulnerability detection in C/C++ that integrates Code Property Graphs with dual-channel node embeddings.
  • It employs an edge-aware graph attention mechanism and class-weighted loss to counter class imbalance, achieving notable improvements in accuracy and F1 score.
  • The framework incorporates post hoc explanation modules that highlight influential code regions, enhancing transparency and actionable trust in vulnerability triage.

ExplainVulD is a graph-based framework for explainable vulnerability detection in C/C++ source code, designed to address two challenges of security triage at once: class imbalance and lack of interpretability. It leverages Code Property Graphs (CPGs), dual-channel node embeddings, and edge-aware graph attention networks that model program relation types explicitly. The model is trained with a class-weighted cross-entropy loss to counter the majority-class bias induced by the scarcity of vulnerable functions, and it incorporates post hoc explanation mechanisms that reveal the code regions most influential for a given prediction. Empirically, ExplainVulD improves substantially over prior learning-based and static-analysis baselines in both detection performance and actionable transparency (Haque et al., 22 Jul 2025).

1. Motivation and Problem Scope

Vulnerability detection in C/C++ faces two core obstacles. (1) Class imbalance: realistic codebases contain only 6–20% vulnerable functions, so a classifier drifts toward the majority ("safe") class and its true-positive rate on actual vulnerabilities collapses. (2) Lack of explainability: common GNN- or sequence-based approaches may reach high recall but give no indication of which structural or semantic program elements drove a "vulnerable" prediction, which directly limits adoption in security-critical triage. ExplainVulD targets both concerns by training with a class-weighted loss and by adding a post hoc explanation module that identifies the influential nodes and edges of a function's CPG (Haque et al., 22 Jul 2025).

2. Code Property Graph Construction and Representation

ExplainVulD operates on Code Property Graphs $G = (V, E, T)$, constructed using the Joern framework:

  • Nodes (V): Represent program entities, including identifiers, literals, expressions, and control flow statements.
  • Edges (E): Encode three primary relation types:
    • AST structure via "IS_AST_PARENT" (abstract syntax hierarchy),
    • Control flow relations (controls, post_dom, reaches),
    • Data flow relations (def, use, flows_to).
  • Edge Types (T): Each edge $(u, v)$ is annotated with a discrete type $t_{uv} \in \{1, \ldots, 13\}$ corresponding to a labeled relation (e.g., "def", "flows_to", "controls"). Non-essential or redundant edges are pruned for robustness (Haque et al., 22 Jul 2025).

The resulting CPG encodes both syntactic hierarchy and semantic dependencies, modeling both explicit and non-obvious propagation of data or control signals over the codebase.

3. Dual-Channel Node Embedding Paradigm

Each node $v \in V$ is represented by a 1024-dimensional embedding $h_v$ that combines lexical and structural signals:

  • Semantic Channel: AST-derived node labels (type and filtered content tokens) are used to train a skip-gram Word2Vec model (dimension 512). The semantic embedding $h_v^{sem}$ is the mean of the individual token embeddings.
  • Structural Channel: Metapath-guided random walks (length 20, 10 walks per node) are performed over the CPG. Each step is recorded as a tuple (src_type, edge_type, tgt_type, direction, Δdepth, scope), and a separate Word2Vec model (dimension 512) is trained on these walk sequences. The structural embedding $h_v^{str}$ is the mean over the walk token vectors.
  • Concatenation: The final node embedding is $h_v = [h_v^{sem} \,\|\, h_v^{str}] \in \mathbb{R}^{1024}$ (Haque et al., 22 Jul 2025).

This design enables ExplainVulD to simultaneously capture both token-level semantics and context-sensitive structural motifs, a configuration not present in previous CPG-based methods.
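To make sections 2 and 3 concrete, here is an added example (not the paper's or Joern's code) that builds a hand-constructed CPG for a small C function, prunes duplicate edges, runs metapath-guided walks that emit the six-field step tuples, and assembles the 1024-dimensional dual-channel node embedding. The edge-type identifiers, the metapath schema, the rule used for the "scope" field, and the hash-seeded token vectors standing in for trained Word2Vec models are all assumptions of this example.

```python
"""Dual-channel node embeddings over a toy Code Property Graph.

Added example, not the paper's or Joern's code.  The CPG below is a
hand-constructed stand-in for what Joern would emit for a small C
function; the edge-type table, the metapath schema, the scope rule and
the hash-seeded token vectors are illustrative assumptions.
"""
import hashlib
import random

# Discrete edge types t_uv in {1..13}; only the seven named on the page are used (ids assumed).
EDGE_TYPES = {"IS_AST_PARENT": 1, "controls": 2, "post_dom": 3, "reaches": 4,
              "def": 5, "use": 6, "flows_to": 7}
SEM_DIM = STR_DIM = 512            # two 512-d channels, concatenated to 1024
WALK_LEN, WALKS_PER_NODE = 20, 10  # length-20 walks, 10 per node
GROUPS = {"AST": {"IS_AST_PARENT"}, "CF": {"controls", "post_dom", "reaches"},
          "DF": {"def", "use", "flows_to"}}
METAPATH = ["AST", "DF", "CF"]     # assumed metapath schema, cycled step by step

# Constructed CPG for:  void f(char *s) { char buf[8]; strcpy(buf, s); }
# node id -> (node_type, content tokens, AST depth)
NODES = {
    0: ("FunctionDef", ["f"], 0),
    1: ("Parameter",   ["s"], 1),
    2: ("Block",       [], 1),
    3: ("DeclStmt",    ["buf", "8"], 2),
    4: ("CallExpr",    ["strcpy"], 2),
    5: ("Identifier",  ["buf"], 3),
    6: ("Identifier",  ["s"], 3),
}
EDGES = [  # (src, dst, edge_type_name); the last entry duplicates an earlier one
    (0, 1, "IS_AST_PARENT"), (0, 2, "IS_AST_PARENT"), (2, 3, "IS_AST_PARENT"),
    (2, 4, "IS_AST_PARENT"), (4, 5, "IS_AST_PARENT"), (4, 6, "IS_AST_PARENT"),
    (3, 4, "flows_to"), (1, 6, "reaches"), (3, 5, "def"), (6, 4, "use"),
    (3, 4, "flows_to"),
]

def prune_edges(edges):
    """Drop exact duplicates and edges of unknown type (the pruning step)."""
    seen, kept = set(), []
    for e in edges:
        if e[2] in EDGE_TYPES and e not in seen:
            seen.add(e)
            kept.append(e)
    return kept

def adjacency(edges):
    """node -> list of (neighbour, edge_type, direction seen from the node)."""
    adj = {n: [] for n in NODES}
    for u, v, t in edges:
        adj[u].append((v, t, "out"))
        adj[v].append((u, t, "in"))
    return adj

def scope_of(node, edges):
    """Nearest enclosing Block/FunctionDef via AST parents (assumed scope rule)."""
    parent = {v: u for u, v, t in edges if t == "IS_AST_PARENT"}
    cur = node
    while NODES[cur][0] not in ("Block", "FunctionDef") and cur in parent:
        cur = parent[cur]
    return f"{NODES[cur][0]}{cur}"

def step_token(u, v, etype, direction, edges):
    """One walk step as (src_type, edge_type, tgt_type, direction, delta_depth, scope)."""
    su, _, du = NODES[u]
    sv, _, dv = NODES[v]
    return f"{su}|{etype}|{sv}|{direction}|{dv - du:+d}|{scope_of(v, edges)}"

def metapath_walk(start, adj, edges, rng, length=WALK_LEN):
    """Random walk preferring the edge group the metapath asks for at each step."""
    tokens, cur = [], start
    for k in range(length):
        allowed = GROUPS[METAPATH[k % len(METAPATH)]]
        cands = [c for c in adj[cur] if c[1] in allowed] or adj[cur]
        if not cands:
            break
        nxt, etype, direction = rng.choice(cands)
        tokens.append(step_token(cur, nxt, etype, direction, edges))
        cur = nxt
    return tokens

def sample_walks(node, adj, edges, seed=0, n_walks=WALKS_PER_NODE):
    rng = random.Random(seed + node)
    return [metapath_walk(node, adj, edges, rng) for _ in range(n_walks)]

def token_vec(token, dim):
    """Deterministic stand-in for a trained Word2Vec vector (assumption)."""
    seed = int.from_bytes(hashlib.sha256(token.encode()).digest()[:8], "big")
    r = random.Random(seed)
    return [r.uniform(-1, 1) for _ in range(dim)]

def mean_vec(tokens, dim):
    if not tokens:
        return [0.0] * dim
    vecs = [token_vec(t, dim) for t in tokens]
    return [sum(col) / len(vecs) for col in zip(*vecs)]

def node_embedding(node, adj, edges, seed=0):
    """h_v = [h_v^sem || h_v^str], 512 + 512 dimensions."""
    ntype, content, _ = NODES[node]
    h_sem = mean_vec([ntype] + content, SEM_DIM)
    walk_tokens = [t for w in sample_walks(node, adj, edges, seed) for t in w]
    h_str = mean_vec(walk_tokens, STR_DIM)
    return h_sem + h_str

def embed_graph():
    edges = prune_edges(EDGES)
    adj = adjacency(edges)
    return edges, {n: node_embedding(n, adj, edges) for n in NODES}

if __name__ == "__main__":
    edges, H = embed_graph()
    print(len(edges), "edges after pruning;", {n: len(h) for n, h in H.items()})
```

Replacing token_vec with lookups into two trained Word2Vec models (one over the AST-label corpus, one over the walk-token corpus) gives the pipeline the shape the paper describes; the duplicate-edge pruning, the per-step tuple and the per-channel mean pooling stay as they are.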

4. Edge-Aware Graph Attention Mechanism

ExplainVulD augments GATv2 with edge-type embeddings to exploit the typed-relational nature of program graphs:

  • Edge-Type Embedding: A trainable vector $e_t \in \mathbb{R}^{32}$ is associated with each discrete edge type $t$; the edge $(u, v)$ carries $e_{uv} = e_{t_{uv}}$.
  • Attention Score Computation: Attention between nodes $u$ and $v$ at layer $l$ is calculated as:

$$e_{uv}^{(l)} = a^\top \mathrm{LeakyReLU}\left(W_q h_u^{(l)} \,\|\, W_k h_v^{(l)} \,\|\, W_e e_{uv}\right)$$

followed by softmax normalization over the neighborhood $N(u)$ to obtain $\alpha_{uv}^{(l)}$.

  • Message Aggregation: Node state updating:

$$h_u^{(l+1)} = \sigma\left(\sum_{v \in N(u)} \alpha_{uv}^{(l)} W_v h_v^{(l)}\right)$$

with appropriate nonlinearity and learnable projection. A two-layer stack with residual connections captures up to second-order neighborhood features.

Because all 13 relation types are encoded explicitly, the attention weights are tied to particular kinds of dependency, so the model can separate the contribution of, for example, a data-flow edge from that of an AST containment edge instead of averaging an undifferentiated neighborhood.
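An added example (not the authors' implementation) that writes one edge-aware attention layer out in plain Python with tiny dimensions, so the three projected terms, the LeakyReLU-then-$a^\top$ ordering that distinguishes GATv2 from the original GAT, the softmax over $N(u)$, and the residual two-layer stack can each be inspected. The weights are deterministic toy values, the graph is constructed, edges are stored undirected so both endpoints attend to each other, and tanh is an assumed choice for $\sigma$.

```python
"""One edge-aware GATv2-style attention layer in plain Python.

Added example, not the paper's code.  Sizes are tiny (4-d nodes, 2-d
edge-type vectors instead of 1024/32) and all weights are deterministic
toy values, so the arithmetic of
    e_uv   = a^T LeakyReLU(W_q h_u || W_k h_v || W_e e_{t_uv})
    alpha  = softmax over v in N(u)
    h_u'   = sigma(sum_v alpha_uv W_v h_v)
can be followed by hand.
"""
import math

D, D_EDGE = 4, 2

def matvec(W, x):
    return [sum(w * xi for w, xi in zip(row, x)) for row in W]

def leaky_relu(z, slope=0.2):
    return [v if v > 0 else slope * v for v in z]

def softmax(scores):
    m = max(scores)
    ex = [math.exp(s - m) for s in scores]
    total = sum(ex)
    return [e / total for e in ex]

def toy_matrix(rows, cols, seed):
    """Deterministic stand-in for trained weights (assumption, not learned values)."""
    return [[math.sin(seed + 7 * r + 3 * c) for c in range(cols)] for r in range(rows)]

class EdgeAwareAttentionLayer:
    def __init__(self, seed):
        self.W_q = toy_matrix(D, D, seed)
        self.W_k = toy_matrix(D, D, seed + 1)
        self.W_v = toy_matrix(D, D, seed + 2)
        self.W_e = toy_matrix(D, D_EDGE, seed + 3)
        self.a = [math.cos(seed + i) for i in range(3 * D)]   # scores the concatenation
        # one trainable vector e_t per discrete edge type t in {1..13}
        self.edge_emb = {t: [math.sin(seed + t), math.cos(seed + t)] for t in range(1, 14)}

    def scores(self, h, u, nbrs, edge_type):
        """Unnormalised e_uv for every neighbour v of u; nonlinearity before a^T (GATv2)."""
        q = matvec(self.W_q, h[u])
        out = []
        for v in nbrs:
            k = matvec(self.W_k, h[v])
            e = matvec(self.W_e, self.edge_emb[edge_type[(u, v)]])
            z = leaky_relu(q + k + e)            # list '+' is the '||' concatenation
            out.append(sum(ai * zi for ai, zi in zip(self.a, z)))
        return out

    def forward(self, h, adj, edge_type):
        """Return (alpha[u][v], h_new[u]) with h_new[u] = tanh(sum_v alpha_uv W_v h_v)."""
        alpha, h_new = {}, {}
        for u, nbrs in adj.items():
            if not nbrs:                          # isolated node: nothing to attend to
                alpha[u], h_new[u] = {}, [0.0] * D
                continue
            a_u = softmax(self.scores(h, u, nbrs, edge_type))
            agg = [0.0] * D
            for a_uv, v in zip(a_u, nbrs):
                for i, m in enumerate(matvec(self.W_v, h[v])):
                    agg[i] += a_uv * m
            alpha[u] = dict(zip(nbrs, a_u))
            h_new[u] = [math.tanh(x) for x in agg]   # sigma = tanh (assumed nonlinearity)
        return alpha, h_new

def two_layer_stack(h, adj, edge_type):
    """Two layers with residual connections: h <- h + layer(h), applied twice."""
    alphas = []
    for layer in (EdgeAwareAttentionLayer(1), EdgeAwareAttentionLayer(10)):
        alpha, h_new = layer.forward(h, adj, edge_type)
        h = {u: [x + y for x, y in zip(h[u], h_new[u])] for u in h}
        alphas.append(alpha)
    return alphas, h

def build_toy_graph():
    """Constructed 3-node CPG fragment.  Edges are stored undirected so each
    endpoint attends to the other, tagged with the edge's discrete type."""
    edges = [(0, 1, 1), (1, 2, 7), (0, 2, 5)]   # (u, v, t): AST parent, flows_to, def
    adj = {0: [], 1: [], 2: []}
    edge_type = {}
    for u, v, t in edges:
        adj[u].append(v)
        adj[v].append(u)
        edge_type[(u, v)] = edge_type[(v, u)] = t
    h0 = {0: [0.5, -1.0, 0.25, 0.0], 1: [1.0, 0.0, -0.5, 0.75], 2: [-0.25, 0.5, 1.0, -1.0]}
    return h0, adj, edge_type

if __name__ == "__main__":
    h0, adj, et = build_toy_graph()
    alphas, h2 = two_layer_stack(h0, adj, et)
    for u in adj:
        print(u, {v: round(a, 3) for v, a in alphas[0][u].items()}, [round(x, 3) for x in h2[u]])
```

The last assertion a practitioner should make on such a layer is that the edge type actually changes the score: with identical node states, swapping the type on one edge must move $e_{uv}$, otherwise the $W_e$ path is dead and the "edge-aware" label is cosmetic.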

5. Training Regime and Evaluation Strategy

To address class imbalance, ExplainVulD employs a class-weighted cross-entropy loss:

$$\mathcal{L} = -\sum_{i=1}^{N} w_{y_i}\,\log p(y_i \mid G_i;\theta)$$

where $w_0 = 1.0$ and $w_1 = \frac{N_0 + N_1}{2 N_1}$, with $N_0, N_1$ denoting the number of safe and vulnerable instances, respectively. For the 8.32% vulnerable rate of ReVeal this gives $w_1 \approx 6.0$, so each missed vulnerable function costs roughly six times as much as a misclassified safe one.

  • Dataset: ReVeal, comprising Chrome and Debian C/C++ functions, with 8.32% labeled as vulnerable and CPGs restricted to ≤500 nodes.
  • Experimental Protocol: 30 runs using independent 80/10/10 train/validation/test splits, with performance reported as mean ± standard deviation across runs.
  • Metrics: Accuracy, Precision, Recall, F1, and AUC.
  • Key Results:
    • Accuracy: $88.25\% \pm 0.84\%$
    • F1: $48.23\% \pm 3.09\%$
    • AUC: $87.64\% \pm 2.00\%$
    • Relative to ReVeal: +4.6% accuracy, +16.9% F1
    • Against static analyzers (Flawfinder, Cppcheck): +14% accuracy, +132–201% F1 (Haque et al., 22 Jul 2025).
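Added example, not the paper's training or evaluation code: it computes the class weights from label counts, evaluates the weighted loss, and scores two constructed predictors at ReVeal's 8.32% vulnerable rate to show why accuracy is a poor headline metric under this imbalance and how the weighting magnifies the cost of missed vulnerabilities.

```python
"""Class-weighted cross-entropy and imbalance-aware evaluation.

Added example, not the paper's code.  The class proportions copy the text
(8.32% vulnerable functions); both predictors below are constructed.
"""
import math

def class_weights(n_safe, n_vul):
    """w_0 = 1.0 and w_1 = (N_0 + N_1) / (2 N_1), as in the paper's loss."""
    return {0: 1.0, 1: (n_safe + n_vul) / (2.0 * n_vul)}

def weighted_cross_entropy(p_vul, labels, weights, eps=1e-12):
    """L = -sum_i w_{y_i} log p(y_i | G_i).  p_vul[i] is the predicted
    probability that function i is vulnerable; labels[i] is 0 or 1."""
    loss = 0.0
    for p, y in zip(p_vul, labels):
        p_y = p if y == 1 else 1.0 - p
        loss -= weights[y] * math.log(max(p_y, eps))
    return loss

def confusion_metrics(preds, labels):
    """Accuracy, precision, recall and F1 from hard 0/1 predictions."""
    tp = sum(p == 1 and y == 1 for p, y in zip(preds, labels))
    fp = sum(p == 1 and y == 0 for p, y in zip(preds, labels))
    fn = sum(p == 0 and y == 1 for p, y in zip(preds, labels))
    tn = sum(p == 0 and y == 0 for p, y in zip(preds, labels))
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"accuracy": (tp + tn) / len(labels), "precision": precision,
            "recall": recall, "f1": f1}

def imbalance_demo(n_total=10_000, vul_rate=0.0832):
    """Compare a degenerate 'always safe' predictor with one that finds half
    of the vulnerable functions at the cost of some false alarms."""
    n_vul = round(n_total * vul_rate)
    labels = [1] * n_vul + [0] * (n_total - n_vul)
    weights = class_weights(n_total - n_vul, n_vul)

    # Predictor A: constant low vulnerability score, never flags anything.
    p_always_safe = [0.05] * n_total
    # Predictor B (constructed): flags every other vulnerable function with
    # high confidence and raises 400 false alarms among the safe ones.
    p_detector = [0.9 if i % 2 == 0 else 0.1 for i in range(n_vul)] + \
                 [0.8 if i < 400 else 0.1 for i in range(n_total - n_vul)]

    results = {}
    for name, probs in (("always_safe", p_always_safe), ("detector", p_detector)):
        preds = [1 if p >= 0.5 else 0 for p in probs]
        m = confusion_metrics(preds, labels)
        m["loss_unweighted"] = weighted_cross_entropy(probs, labels, {0: 1.0, 1: 1.0})
        m["loss_weighted"] = weighted_cross_entropy(probs, labels, weights)
        results[name] = m
    return weights, results

if __name__ == "__main__":
    weights, results = imbalance_demo()
    print("w_1 =", round(weights[1], 3))
    for name, m in results.items():
        print(name, {k: round(v, 3) for k, v in m.items()})
```

On this constructed split the two predictors are almost tied on accuracy (0.9168 versus 0.9184) while F1 goes from 0 to about 0.50, which is the same pattern as the paper's headline numbers (88% accuracy, 48% F1); the weighted loss separates them by roughly 2x where the unweighted loss separates them by about 1.15x.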

6. Post Hoc Explainability and Developer Interpretation

After inference, ExplainVulD quantifies the influence of nodes and edges on the classification outcome:

  • Node Relevance: Combines the global pooling attention weight $\alpha_i$ with gradient-based relevance (the norm of $\nabla_{x_i} \hat y_c$ for the predicted class $c$):

$$r_i = \frac{1}{2}\left( \|\nabla_{x_i} \hat y_c\|_2 + \alpha_i \right)$$

  • Edge Relevance: Averages the norm of the gradient with respect to the edge embedding and the embedding's own norm:

$$s_{ij} = \frac{1}{2}\left( \|\nabla_{e_{ij}} \hat y_c\|_2 + \|e_{ij}\|_2 \right)$$

  • Visualization: Top-k scoring nodes and edges are mapped back to the original code, yielding a highlighted subgraph that elucidates the rationale for a given vulnerability verdict (Haque et al., 22 Jul 2025).

This mechanism directly supports transparency and developer trust by localizing critical code regions responsible for vulnerability predictions. Attention and gradient signals are integrated to provide robust, actionable explanations beyond raw prediction scores.
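Added example, not the paper's explanation module, of the two relevance formulas applied to a constructed three-node graph: a minimal stand-in classifier with fixed toy weights supplies $\hat y_c$ and the pooling attention $\alpha_i$, gradients are taken by central finite differences rather than autodiff, and the top-k nodes are mapped back to the constructed source lines.

```python
"""Post hoc node and edge relevance for one prediction.

Added example; it is not the paper's explanation module.  The classifier is
a minimal stand-in with fixed toy weights (one typed message-passing step,
attention pooling, sigmoid readout) and gradients come from central finite
differences, so no autodiff library is needed.  It evaluates
    r_i  = 1/2 (||grad_{x_i} y_c||_2 + alpha_i)
    s_ij = 1/2 (||grad_{e_ij} y_c||_2 + ||e_ij||_2)
for the predicted class c and maps the top-k nodes back to source lines.
"""
import math

D = 3                                # toy node-feature size (edge embeddings are 2-d)

def dot(a, b):
    return sum(x * y for x, y in zip(a, b))

def norm(v):
    return math.sqrt(dot(v, v))

def softmax(scores):
    m = max(scores)
    ex = [math.exp(s - m) for s in scores]
    total = sum(ex)
    return [x / total for x in ex]

# Fixed toy parameters (assumption, not trained values)
W_E = [[0.4, -0.3], [0.1, 0.8], [-0.6, 0.2]]   # edge embedding (R^2) -> per-feature gate (R^3)
Q = [0.7, -0.2, 0.5]                            # global pooling attention query
W_OUT, B_OUT = [1.1, -0.9, 0.6], -0.1           # sigmoid readout

def forward(x, e, edges):
    """x: node -> R^3 features, e: (i, j) -> R^2 edge embedding, edges: list of
    (target i, source j).  Returns (p_vulnerable, alpha) where alpha is the
    global pooling attention per node."""
    h = {i: list(x[i]) for i in x}
    for i, j in edges:                       # message j -> i, gated by the edge embedding
        gate = [math.tanh(dot(row, e[(i, j)])) for row in W_E]
        h[i] = [hi + g * xj for hi, g, xj in zip(h[i], gate, x[j])]
    nodes = sorted(h)
    alpha = dict(zip(nodes, softmax([dot(Q, h[i]) for i in nodes])))
    pooled = [sum(alpha[i] * h[i][d] for i in nodes) for d in range(D)]
    p = 1.0 / (1.0 + math.exp(-(dot(W_OUT, pooled) + B_OUT)))
    return p, alpha

def grad_norm(f, vec, delta=1e-5):
    """||df/dvec||_2 by central finite differences; f maps a vector to a scalar."""
    g = []
    for d in range(len(vec)):
        up, dn = list(vec), list(vec)
        up[d] += delta
        dn[d] -= delta
        g.append((f(up) - f(dn)) / (2 * delta))
    return norm(g)

def relevance(x, e, edges):
    """Node scores r_i and edge scores s_ij for the predicted class."""
    p, alpha = forward(x, e, edges)
    vulnerable = p >= 0.5

    def y_c(x_, e_):                         # probability of the predicted class c
        q, _ = forward(x_, e_, edges)
        return q if vulnerable else 1.0 - q

    r = {}
    for i in x:
        f = lambda v, i=i: y_c({**x, i: v}, e)
        r[i] = 0.5 * (grad_norm(f, x[i]) + alpha[i])
    s = {}
    for ij in edges:
        f = lambda v, ij=ij: y_c(x, {**e, ij: v})
        s[ij] = 0.5 * (grad_norm(f, e[ij]) + norm(e[ij]))
    return p, r, s

def top_k(scores, k):
    return sorted(scores, key=scores.get, reverse=True)[:k]

# Constructed toy CPG for a three-line function; node ids map back to code lines.
CODE = {0: "char buf[8];", 1: "strcpy(buf, s);", 2: "return 0;"}
X = {0: [0.2, 0.9, -0.4], 1: [1.0, -0.3, 0.7], 2: [-0.5, 0.1, 0.2]}
EDGES = [(1, 0), (2, 1)]                          # 0 -> 1 (def/use), 1 -> 2 (control flow)
E = {(1, 0): [0.9, -0.2], (2, 1): [0.3, 0.4]}

def explain(k=2):
    """Return the verdict plus the top-k code lines and the top edge with their scores."""
    p, r, s = relevance(X, E, EDGES)
    lines = [(CODE[i], round(r[i], 4)) for i in top_k(r, k)]
    edge = [(ij, round(s[ij], 4)) for ij in top_k(s, 1)]
    return ("vulnerable" if p >= 0.5 else "safe", round(p, 4)), lines, edge

if __name__ == "__main__":
    print(explain())
```

Two properties worth checking whenever such scores are reimplemented: every $r_i$ is at least $\alpha_i / 2$ and every $s_{ij}$ is at least $\|e_{ij}\|_2 / 2$, since the gradient terms are norms and cannot be negative; a score below those floors means the gradient is being taken of the wrong quantity or the wrong class.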

7. Contributions, Limitations, and Research Outlook

ExplainVulD introduces several methodological advances:

  • The first dual-channel embedding scheme for CPGs that fuses token-level lexical and metapath-derived structural features.
  • Edge-aware GATv2 specifying 13 program relation types, enabling fine-grained graph reasoning.
  • Post hoc explanation module combining attention and gradient evidence for precise localization of vulnerability evidence within code.
  • Substantial empirical improvements against both learned (ReVeal) and static (Flawfinder, Cppcheck) detection baselines in settings reflective of real-world class imbalance.

Limitations include potential generalization gaps beyond Chrome/Debian codebases and the absence of dynamic analysis (such as heap state or runtime traces). Plausible directions for future work include cross-project evaluation, multiclass vulnerability labeling (e.g., buffer overflow vs. use-after-free), and efficiency improvements for deployment in resource-constrained environments (Haque et al., 22 Jul 2025).

References (1)
