Graph Neural Networks for Vulnerability Detection: A Counterfactual Explanation
Vulnerability detection is crucial for ensuring the security and reliability of software systems. Recently, Graph Neural Networks (GNNs) have emerged as a prominent code embedding approach for vulnerability detection, owing to their ability to capture the underlying semantic structure of source code. However, GNNs face significant challenges in explainability due to their inherently black-box nature. To this end, several factual reasoning-based explainers have been proposed. These explainers provide explanations for the predictions made by GNNs by analyzing the key features that contribute to the outcomes. We argue that these factual reasoning-based explanations cannot answer critical what-if questions: "What would happen to the GNN's decision if we were to alter the code graph into alternative structures?" Inspired by advancements of counterfactual reasoning in artificial intelligence, we propose CFExplainer, a novel counterfactual explainer for GNN-based vulnerability detection. Unlike factual reasoning-based explainers, CFExplainer seeks the minimal perturbation to the input code graph that leads to a change in the prediction, thereby addressing the what-if questions for vulnerability detection. We term this perturbation a counterfactual explanation, which can pinpoint the root causes of the detected vulnerability and furnish valuable insights for developers to undertake appropriate actions for fixing the vulnerability. Extensive experiments on four GNN-based vulnerability detection models demonstrate the effectiveness of CFExplainer over existing state-of-the-art factual reasoning-based explainers.
Wed 18 SepDisplayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change
13:30 - 14:50 | Vulnerability DetectionTechnical Papers at EI 3 Sahulka Chair(s): Cuiyun Gao Harbin Institute of Technology | ||
13:30 20mTalk | Automated Data Binding Vulnerability Detection for Java Web Frameworks via Nested Property Graph Technical Papers Xiaoyong Yan Zhejiang University, Biao He Ant Group, Wenbo Shen Zhejiang University, Yu Ouyang Ant Group, Kaihang Zhou Zhejiang University, Xingjian Zhang Zhejiang University, Xingyu Wang Zhejiang University, Yukai Cao Zhejiang University, Rui Chang Zhejiang University DOI | ||
13:50 20mTalk | SCALE: Constructing Structured Natural Language Comment Trees for Software Vulnerability Detection Technical Papers Xin-Cheng Wen Harbin Institute of Technology, Cuiyun Gao Harbin Institute of Technology, Shuzheng Gao Chinese University of Hong Kong, Yang Xiao Chinese Academy of Sciences, Michael Lyu Chinese University of Hong Kong DOI | ||
14:10 20mTalk | CEBin: A Cost-Effective Framework for Large-Scale Binary Code Similarity Detection Technical Papers Hao Wang Tsinghua University, Zeyu Gao Tsinghua University, Chao Zhang Tsinghua University, Mingyang Sun University of Electronic Science and Technology of China, Yuchen Zhou Beijing University of Technology, Han Qiu Tsinghua University, Xi Xiao Tsinghua University DOI | ||
14:30 20mTalk | Graph Neural Networks for Vulnerability Detection: A Counterfactual Explanation Technical Papers Zhaoyang Chu Huazhong University of Science and Technology, Yao Wan Huazhong University of Science and Technology, Qian Li Curtin University, Yang Wu Huazhong University of Science and Technology, Hongyu Zhang Chongqing University, Yulei Sui UNSW, Guandong Xu University of Technology, Hai Jin Huazhong University of Science and Technology DOI Pre-print | ||