Papers
Topics
Authors
Recent
Search
2000 character limit reached

ExplainVulD: Graph-based Vulnerability Detection

Updated 28 June 2026
  • ExplainVulD is a graph-based framework for detecting security vulnerabilities in C and C++ using integrated code property graphs and dual-channel node embeddings.
  • It employs an edge-aware graph attention network with explicit edge-type encoding to enhance detection accuracy and provide localized explainability.
  • Empirical evaluations show that ExplainVulD outperforms traditional static analysis tools and learning-based methods by efficiently addressing class imbalance.

ExplainVulD is a graph-based framework for detecting security vulnerabilities in C and C++ source code, emphasizing both high detection performance and explainability of model predictions. The approach synthesizes code property graph (CPG) representations, dual-channel node embeddings, and an edge-aware graph attention network (GATv2) with explicit edge-type encoding, while addressing the class imbalance prevalent in real-world vulnerability datasets. ExplainVulD outperforms prior learning-based and static analysis methods and produces per-node and per-edge attributions supporting human scrutiny during vulnerability triage (Haque et al., 22 Jul 2025).

1. Code Property Graph Construction

ExplainVulD processes a single function in C or C++ by constructing a CPG, which integrates abstract syntax trees (ASTs), control-flow graphs (CFGs), and data-flow graphs (DFGs). The unified graph G=(V,E,T)G=(V,E,T) consists of:

  • Nodes VV: Program elements such as identifiers, literals, call expressions, return types, parameter types, and control statements (e.g., if, while, switch).
  • Directed, typed edges EE: Encapsulate relations covering syntactic structure, control flow, data flow, and dominance. Thirteen essential edge types are retained:

| Type Index | Edge Name | Relation | |------------|-------------------------|----------------------------------------| | 1 | controls | CFG control-flow | | 2 | declares | Declaration membership | | 3 | def | Definition to use | | 4 | dom | Dominance in CFG | | 5 | flows_to | Data-flow | | 6 | is_ast_parent | AST hierarchy | | 7 | is_class_of | Type membership | | 8 | is_file_of | File membership | | 9 | is_function_of_ast | AST parent (function) | | 10 | is_function_of_cfg | CFG sub-graph membership | | 11 | post_dom | Post-dominance | | 12 | reaches | Reachability | | 13 | use | Use-of definition |

Each edge is labeled by tij{1,,13}t_{ij}\in\{1,\dots,13\}, and all other edge types are omitted. This design encodes both syntactic hierarchy (via is_ast_parent) and multilayered semantic relations.

2. Dual-Channel Node Embedding Scheme

Node representations in ExplainVulD are formed by concatenating semantic and structural embeddings, each of 512 dimensions, yielding a 1024-dimensional initial feature for each node viv_i.

  • Semantic Token Embeddings: For every node, tokens—comprising node type and content (with numeric literals mapped to "NUM")—are embedded using a skip-gram Word2Vec model (vector size 512, window 5, epochs 80, negative sampling 15). The semantic embedding is the average of the corresponding token vectors:

hisem=1mτTiw(τ)h_i^{sem} = \frac{1}{m} \sum_{\tau \in T_i} w(\tau)

where TiT_i are the tokens for viv_i.

  • Structural Context Embeddings: Metapath-guided random walks are generated for each node, with each step’s token formatted as src_type:edge_type:tgt_type:direction:Δdepth:scope. Another Word2Vec model (vector size 512, window 5, epochs 120) is trained on these walk sequences, and the structural context embedding is:

histr=1WiτWiw(τ)h_i^{str} = \frac{1}{|W_i|} \sum_{\tau \in W_i} w(\tau)

where WiW_i is the multiset of walk tokens encountering VV0. The combined node feature is VV1.

  • Metapath-Guided Random Walks Pseudocode:

viv_i7

3. Edge-Aware Graph Attention Architecture

The framework utilizes an edge-augmented GATv2 network that explicitly incorporates edge-type information into the attention mechanism.

  • Edge-Type Embeddings: A learnable matrix VV2 maps each edge type index VV3 to a 32-dimensional embedding VV4.
  • Modified GATv2 Layer: For layer VV5, node VV6's state VV7 interacts with neighboring nodes and their connecting edge-types using:

    • Raw attention energy:

    VV8

    where VV9, EE0 are learnable projections for queries and keys; EE1 for edge embedding; EE2 is the attention vector; EE3 is LeakyReLU. - Attention coefficients:

    EE4 - Message aggregation:

    EE5

    with EE6 a learnable projection and EE7 an activation function. - Residual connections: After two layers, EE8 (aligned via linear projection if needed).

  • Graph-Level Pooling and Prediction: Attention-based pooling computes weights EE9, aggregates node states into a graph-level embedding tij{1,,13}t_{ij}\in\{1,\dots,13\}0, which is passed to a two-layer MLP classifier producing softmax probabilities tij{1,,13}t_{ij}\in\{1,\dots,13\}1.

4. Training Objective and Optimization

Class imbalance is mitigated using class-weighted cross-entropy loss. For each sample with true label tij{1,,13}t_{ij}\in\{1,\dots,13\}2 and model probabilities tij{1,,13}t_{ij}\in\{1,\dots,13\}3, class weights are defined as:

  • tij{1,,13}t_{ij}\in\{1,\dots,13\}4
  • tij{1,,13}t_{ij}\in\{1,\dots,13\}5

The per-sample loss function:

tij{1,,13}t_{ij}\in\{1,\dots,13\}6

The batch objective averages over all tij{1,,13}t_{ij}\in\{1,\dots,13\}7 samples.

Optimization is performed using Adam (learning rate tij{1,,13}t_{ij}\in\{1,\dots,13\}8, weight decay tij{1,,13}t_{ij}\in\{1,\dots,13\}9, batch size 32), with learning-rate annealing based on F1 stagnation and early stopping (patience 6 epochs). Dropout is applied to the MLP hidden layer. Training uses a Tesla T4 GPU and the PyTorch/PyG framework.

5. Detection Performance and Comparative Evaluation

ExplainVulD is evaluated on the ReVeal dataset using 30 independent 80/10/10 splits. Comparative results demonstrate performance gains over both static and learning-based baselines:

Method Accuracy (±std) Precision (±std) Recall (±std) F1 Score (±std)
Cppcheck 77.34 (8.00) 18.76 (3.87) 24.04 (7.28) 20.76 (4.60)
Flawfinder 79.56 (2.27) 18.71 (7.01) 18.44 (8.85) 16.01 (3.65)
ReVeal 84.37 (1.73) 30.91 (2.76) 60.91 (7.89) 41.25 (2.28)
ExplainVulD 88.25 (0.84) 38.16 (2.35) 66.09 (7.33) 48.23 (3.09)

Relative improvements for ExplainVulD over ReVeal are +4.6% in accuracy and +16.9% in F1, while the gains over Cppcheck (static tool) are +14.1% accuracy and +132.2% F1, and over Flawfinder are +11.0% accuracy and +201.2% F1.

6. Explainability and Attribution Mechanisms

ExplainVulD generates localized, interpretable explanations for its vulnerability predictions by combining gradient-based and attention-based attribution for nodes and edges:

  • Node Attribution:

    • Gradient component:

    viv_i0

    where viv_i1 is the predicted class. - Attention component: The attention-pooling weight viv_i2. - Final node score:

    viv_i3

  • Edge Attribution:

    • Gradient component:

    viv_i4 - Embedding-norm proxy:

    viv_i5 - Final edge score:

    viv_i6

The explanation workflow involves a forward pass to obtain outputs and attention weights, backpropagation for gradients, computation of attribution scores, and mapping the most relevant nodes and edges back to source code regions for highlighting. This mechanism provides transparency on which code regions primarily influence the vulnerability decision.

7. Significance and Distinguishing Features

ExplainVulD realizes several architectural and methodological advances for vulnerability detection in source code:

  • Integration of both syntactic and semantic relations via the CPG abstraction.
  • Dual-channel embedding capturing both token-level semantics and structural context.
  • Edge-aware graph attention supporting relation-sensitive message propagation.
  • Explicit handling of severe class imbalance through class-weighted loss.
  • Empirical superiority over both learning-based (ReVeal) and traditional static analysis tools.
  • Node- and edge-level explanation facility, enhancing trust and usability in security triage.

A plausible implication is that ExplainVulD’s combination of detection performance and model transparency facilitates its adoption in practical security engineering and vulnerability triage workflows, addressing core deficiencies of black-box learning-based static analyzers (Haque et al., 22 Jul 2025).

Definition Search Book Streamline Icon: https://streamlinehq.com
References (1)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to ExplainVulD Framework.