ExplainVulD: Graph-based Vulnerability Detection
- ExplainVulD is a graph-based framework for detecting security vulnerabilities in C and C++ using integrated code property graphs and dual-channel node embeddings.
- It employs an edge-aware graph attention network with explicit edge-type encoding to enhance detection accuracy and provide localized explainability.
- Empirical evaluations show that ExplainVulD outperforms traditional static analysis tools and learning-based methods by efficiently addressing class imbalance.
ExplainVulD is a graph-based framework for detecting security vulnerabilities in C and C++ source code, emphasizing both high detection performance and explainability of model predictions. The approach synthesizes code property graph (CPG) representations, dual-channel node embeddings, and an edge-aware graph attention network (GATv2) with explicit edge-type encoding, while addressing the class imbalance prevalent in real-world vulnerability datasets. ExplainVulD outperforms prior learning-based and static analysis methods and produces per-node and per-edge attributions supporting human scrutiny during vulnerability triage (Haque et al., 22 Jul 2025).
1. Code Property Graph Construction
ExplainVulD processes a single function in C or C++ by constructing a CPG, which integrates abstract syntax trees (ASTs), control-flow graphs (CFGs), and data-flow graphs (DFGs). The unified graph consists of:
- Nodes : Program elements such as identifiers, literals, call expressions, return types, parameter types, and control statements (e.g.,
if,while,switch). - Directed, typed edges : Encapsulate relations covering syntactic structure, control flow, data flow, and dominance. Thirteen essential edge types are retained:
| Type Index | Edge Name | Relation | |------------|-------------------------|----------------------------------------| | 1 | controls | CFG control-flow | | 2 | declares | Declaration membership | | 3 | def | Definition to use | | 4 | dom | Dominance in CFG | | 5 | flows_to | Data-flow | | 6 | is_ast_parent | AST hierarchy | | 7 | is_class_of | Type membership | | 8 | is_file_of | File membership | | 9 | is_function_of_ast | AST parent (function) | | 10 | is_function_of_cfg | CFG sub-graph membership | | 11 | post_dom | Post-dominance | | 12 | reaches | Reachability | | 13 | use | Use-of definition |
Each edge is labeled by , and all other edge types are omitted. This design encodes both syntactic hierarchy (via is_ast_parent) and multilayered semantic relations.
2. Dual-Channel Node Embedding Scheme
Node representations in ExplainVulD are formed by concatenating semantic and structural embeddings, each of 512 dimensions, yielding a 1024-dimensional initial feature for each node .
- Semantic Token Embeddings: For every node, tokens—comprising node type and content (with numeric literals mapped to "NUM")—are embedded using a skip-gram Word2Vec model (vector size 512, window 5, epochs 80, negative sampling 15). The semantic embedding is the average of the corresponding token vectors:
where are the tokens for .
- Structural Context Embeddings: Metapath-guided random walks are generated for each node, with each step’s token formatted as
src_type:edge_type:tgt_type:direction:Δdepth:scope. Another Word2Vec model (vector size 512, window 5, epochs 120) is trained on these walk sequences, and the structural context embedding is:
where is the multiset of walk tokens encountering 0. The combined node feature is 1.
- Metapath-Guided Random Walks Pseudocode:
7
3. Edge-Aware Graph Attention Architecture
The framework utilizes an edge-augmented GATv2 network that explicitly incorporates edge-type information into the attention mechanism.
- Edge-Type Embeddings: A learnable matrix 2 maps each edge type index 3 to a 32-dimensional embedding 4.
- Modified GATv2 Layer: For layer 5, node 6's state 7 interacts with neighboring nodes and their connecting edge-types using:
- Raw attention energy:
8
where 9, 0 are learnable projections for queries and keys; 1 for edge embedding; 2 is the attention vector; 3 is LeakyReLU. - Attention coefficients:
4 - Message aggregation:
5
with 6 a learnable projection and 7 an activation function. - Residual connections: After two layers, 8 (aligned via linear projection if needed).
- Graph-Level Pooling and Prediction: Attention-based pooling computes weights 9, aggregates node states into a graph-level embedding 0, which is passed to a two-layer MLP classifier producing softmax probabilities 1.
4. Training Objective and Optimization
Class imbalance is mitigated using class-weighted cross-entropy loss. For each sample with true label 2 and model probabilities 3, class weights are defined as:
- 4
- 5
The per-sample loss function:
6
The batch objective averages over all 7 samples.
Optimization is performed using Adam (learning rate 8, weight decay 9, batch size 32), with learning-rate annealing based on F1 stagnation and early stopping (patience 6 epochs). Dropout is applied to the MLP hidden layer. Training uses a Tesla T4 GPU and the PyTorch/PyG framework.
5. Detection Performance and Comparative Evaluation
ExplainVulD is evaluated on the ReVeal dataset using 30 independent 80/10/10 splits. Comparative results demonstrate performance gains over both static and learning-based baselines:
| Method | Accuracy (±std) | Precision (±std) | Recall (±std) | F1 Score (±std) |
|---|---|---|---|---|
| Cppcheck | 77.34 (8.00) | 18.76 (3.87) | 24.04 (7.28) | 20.76 (4.60) |
| Flawfinder | 79.56 (2.27) | 18.71 (7.01) | 18.44 (8.85) | 16.01 (3.65) |
| ReVeal | 84.37 (1.73) | 30.91 (2.76) | 60.91 (7.89) | 41.25 (2.28) |
| ExplainVulD | 88.25 (0.84) | 38.16 (2.35) | 66.09 (7.33) | 48.23 (3.09) |
Relative improvements for ExplainVulD over ReVeal are +4.6% in accuracy and +16.9% in F1, while the gains over Cppcheck (static tool) are +14.1% accuracy and +132.2% F1, and over Flawfinder are +11.0% accuracy and +201.2% F1.
6. Explainability and Attribution Mechanisms
ExplainVulD generates localized, interpretable explanations for its vulnerability predictions by combining gradient-based and attention-based attribution for nodes and edges:
- Node Attribution:
- Gradient component:
0
where 1 is the predicted class. - Attention component: The attention-pooling weight 2. - Final node score:
3
- Edge Attribution:
- Gradient component:
4 - Embedding-norm proxy:
5 - Final edge score:
6
The explanation workflow involves a forward pass to obtain outputs and attention weights, backpropagation for gradients, computation of attribution scores, and mapping the most relevant nodes and edges back to source code regions for highlighting. This mechanism provides transparency on which code regions primarily influence the vulnerability decision.
7. Significance and Distinguishing Features
ExplainVulD realizes several architectural and methodological advances for vulnerability detection in source code:
- Integration of both syntactic and semantic relations via the CPG abstraction.
- Dual-channel embedding capturing both token-level semantics and structural context.
- Edge-aware graph attention supporting relation-sensitive message propagation.
- Explicit handling of severe class imbalance through class-weighted loss.
- Empirical superiority over both learning-based (ReVeal) and traditional static analysis tools.
- Node- and edge-level explanation facility, enhancing trust and usability in security triage.
A plausible implication is that ExplainVulD’s combination of detection performance and model transparency facilitates its adoption in practical security engineering and vulnerability triage workflows, addressing core deficiencies of black-box learning-based static analyzers (Haque et al., 22 Jul 2025).