Coca: Improving and explaining graph neural network-based vulnerability detection systems

Author

Sicong CAO
Xiaobing SUN
Xiaoxue WU
David LO, Singapore Management UniversityFollow
Lili BO
Bin LI
Wei LIU

Publication Type

Conference Proceeding Article

Version

acceptedVersion

Publication Date

4-2024

Abstract

Recently, Graph Neural Network (GNN)-based vulnerability detection systems have achieved remarkable success. However, the lack of explainability poses a critical challenge to deploy black-box models in security-related domains. For this reason, several approaches have been proposed to explain the decision logic of the detection model by providing a set of crucial statements positively contributing to its predictions. Unfortunately, due to the weakly-robust detection models and suboptimal explanation strategy, they have the danger of revealing spurious correlations and redundancy issue.In this paper, we propose Coca, a general framework aiming to 1) enhance the robustness of existing GNN-based vulnerability detection models to avoid spurious explanations; and 2) provide both concise and effective explanations to reason about the detected vulnerabilities. Coca consists of two core parts referred to as Trainer and Explainer. The former aims to train a detection model which is robust to random perturbation based on combinatorial contrastive learning, while the latter builds an explainer to derive crucial code statements that are most decisive to the detected vulnerability via dual-view causal inference as explanations. We apply Coca over three typical GNN-based vulnerability detectors. Experimental results show that Coca can effectively mitigate the spurious correlation issue, and provide more useful high-quality explanations.

Keywords

Contrastive Learning, Causal Inference, Explainability

Discipline

Graphics and Human Computer Interfaces | OS and Networks | Software Engineering

Research Areas

Software and Cyber-Physical Systems

Publication

ICSE '24: Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, Lisbon, Portugal, April 14-20

First Page

1

Last Page

13

ISBN

9798400702174

Identifier

10.1145/3597503.3639168

Publisher

ACM

City or Country

New York

Citation

CAO, Sicong; SUN, Xiaobing; WU, Xiaoxue; LO, David; BO, Lili; LI, Bin; and LIU, Wei. Coca: Improving and explaining graph neural network-based vulnerability detection systems. (2024). ICSE '24: Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, Lisbon, Portugal, April 14-20. 1-13.
Available at: https://ink.library.smu.edu.sg/sis_research/9250

Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.

Additional URL

https://doi.org/10.1145/3597503.3639168