Graph Neural Networks for Vulnerability Detection: A Counterfactual Explanation

Chu, Z; Wan, Y; Li, Q; Wu, Y; Zhang, H; Sui, Y; Xu, G; Jin, H

Graph Neural Networks for Vulnerability Detection: A Counterfactual Explanation

Chu, Z Wan, Y Li, Q Wu, Y Zhang, H Sui, Y

Xu, G

Jin, H

Permalink

Publisher:: Association for Computing Machinery (ACM)
Publication Type:: Conference Proceeding
Citation:: ISSTA 2024 - Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis, 2024, pp. 389-401
Issue Date:: 2024-09-11

Closed Access

	Filename	Description	Size
	Graph Neural Networks.pdf	Accepted version	1.54 MB		View/Open

Copyright Clearance Process

Recently Added
In Progress
Closed Access

This item is closed access and not available.

Full metadata record

Field	Value	Language
dc.contributor.author	Chu, Z
dc.contributor.author	Wan, Y
dc.contributor.author	Li, Q
dc.contributor.author	Wu, Y
dc.contributor.author	Zhang, H
dc.contributor.author	Sui, Y https://orcid.org/0000-0002-9510-6574
dc.contributor.author	Xu, G https://orcid.org/0000-0003-4493-6663
dc.contributor.author	Jin, H
dc.date.accessioned	2025-01-17T04:31:33Z
dc.date.available	2025-01-17T04:31:33Z
dc.date.issued	2024-09-11
dc.identifier.citation	ISSTA 2024 - Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis, 2024, pp. 389-401
dc.identifier.uri	http://hdl.handle.net/10453/183805
dc.description.abstract	Vulnerability detection is crucial for ensuring the security and reliability of software systems. Recently, Graph Neural Networks (GNNs) have emerged as a prominent code embedding approach for vulnerability detection, owing to their ability to capture the underlying semantic structure of source code. However, GNNs face significant challenges in explainability due to their inherently black-box nature. To this end, several factual reasoning-based explainers have been proposed. These explainers provide explanations for the predictions made by GNNs by analyzing the key features that contribute to the outcomes. We argue that these factual reasoning-based explanations cannot answer critical what-if questions: "What would happen to the GNN's decision if we were to alter the code graph into alternative structures?"Inspired by advancements of counterfactual reasoning in artificial intelligence, we propose CFExplainer, a novel counterfactual explainer for GNN-based vulnerability detection. Unlike factual reasoning-based explainers, CFExplainer seeks the minimal perturbation to the input code graph that leads to a change in the prediction, thereby addressing the what-if questions for vulnerability detection. We term this perturbation a counterfactual explanation, which can pinpoint the root causes of the detected vulnerability and furnish valuable insights for developers to undertake appropriate actions for fixing the vulnerability. Extensive experiments on four GNN-based vulnerability detection models demonstrate the effectiveness of CFExplainer over existing state-of-the-art factual reasoning-based explainers.
dc.language	en
dc.publisher	Association for Computing Machinery (ACM)
dc.relation.ispartof	ISSTA 2024 - Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis
dc.relation.ispartof	Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis
dc.relation.isbasedon	10.1145/3650212.3652136
dc.rights	info:eu-repo/semantics/closedAccess
dc.title	Graph Neural Networks for Vulnerability Detection: A Counterfactual Explanation
dc.type	Conference Proceeding
pubs.organisational-group	University of Technology Sydney
pubs.organisational-group	University of Technology Sydney/Faculty of Engineering and Information Technology
pubs.organisational-group	University of Technology Sydney/Faculty of Engineering and Information Technology/School of Computer Science
pubs.organisational-group	University of Technology Sydney/UTS Groups
pubs.organisational-group	University of Technology Sydney/UTS Groups/Australian Artificial Intelligence Institute (AAII)
pubs.organisational-group	University of Technology Sydney/UTS Groups/Centre for Advanced Manufacturing (CAM)
pubs.organisational-group	University of Technology Sydney/UTS Groups/Centre for Cyber Security and Privacy (CCSP)
pubs.organisational-group	University of Technology Sydney/UTS Groups/Centre for Advanced Manufacturing (CAM)/Centre for Advanced Manufacturing (CAM) Associate Members
utslib.copyright.status	closed_access	*
dc.date.updated	2025-01-17T04:31:31Z
pubs.publication-status	Published

Abstract:

Vulnerability detection is crucial for ensuring the security and reliability of software systems. Recently, Graph Neural Networks (GNNs) have emerged as a prominent code embedding approach for vulnerability detection, owing to their ability to capture the underlying semantic structure of source code. However, GNNs face significant challenges in explainability due to their inherently black-box nature. To this end, several factual reasoning-based explainers have been proposed. These explainers provide explanations for the predictions made by GNNs by analyzing the key features that contribute to the outcomes. We argue that these factual reasoning-based explanations cannot answer critical what-if questions: "What would happen to the GNN's decision if we were to alter the code graph into alternative structures?"Inspired by advancements of counterfactual reasoning in artificial intelligence, we propose CFExplainer, a novel counterfactual explainer for GNN-based vulnerability detection. Unlike factual reasoning-based explainers, CFExplainer seeks the minimal perturbation to the input code graph that leads to a change in the prediction, thereby addressing the what-if questions for vulnerability detection. We term this perturbation a counterfactual explanation, which can pinpoint the root causes of the detected vulnerability and furnish valuable insights for developers to undertake appropriate actions for fixing the vulnerability. Extensive experiments on four GNN-based vulnerability detection models demonstrate the effectiveness of CFExplainer over existing state-of-the-art factual reasoning-based explainers.

Please use this identifier to cite or link to this item:

http://hdl.handle.net/10453/183805