Interpreting Deep Learning-based Vulnerability Detector Predictions Based on Heuristic Searching

Published: 10 March 2021


Detecting software vulnerabilities is an important problem, and a recent development in tackling it is the use of deep learning models to detect software vulnerabilities. While effective, it is hard to explain why a deep learning model predicts a piece of code as vulnerable or not, because of the black-box nature of deep learning models. Indeed, the interpretability of deep learning models is a daunting open problem. In this article, we make a significant step toward tackling the interpretability of deep learning models in vulnerability detection. Specifically, we introduce a high-fidelity explanation framework, which aims to identify a small number of tokens that make significant contributions to a detector’s prediction with respect to an example. Systematic experiments show that the framework indeed has a higher fidelity than existing methods, especially when features are not independent of each other (which often occurs in the real world). In particular, the framework can produce some vulnerability rules that can be understood by domain experts for accepting a detector’s outputs (i.e., true positives) or rejecting a detector’s outputs (i.e., false positives and false negatives). We also discuss limitations of the present study, which indicate interesting open problems for future research.




    Published In

    ACM Transactions on Software Engineering and Methodology, Volume 30, Issue 2
    Continuous Special Section: AI and SE
    April 2021
    463 pages
    Editor: Mauro Pezzè
    Association for Computing Machinery

    New York, NY, United States

    Published: 10 March 2021

    Accepted: 01 October 2020
    Revised: 01 October 2020
    Received: 01 March 2020
    Published in TOSEM Volume 30, Issue 2


    Author Tags

    1. Explainable AI
    2. deep learning
    3. sensitivity analysis
    4. vulnerability detection


    Funding Sources

    • Natural Science Foundation of Hebei Province
    • Shenzhen Fundamental Research Program
    • National Natural Science Foundation of China
    • National Key Research and Development Plan of China
    • National Science Foundation


    Cited By

    • (2024) A Systematic Literature Review on Automated Software Vulnerability Detection Using Machine Learning. ACM Computing Surveys. doi:10.1145/3699711. Online publication date: 11-Oct-2024
    • (2024) Graph Neural Networks for Vulnerability Detection: A Counterfactual Explanation. Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 389-401. doi:10.1145/3650212.3652136. Online publication date: 11-Sep-2024
    • (2024) Bridge and Hint: Extending Pre-trained Language Models for Long-Range Code. Proceedings of the 33rd ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 274-286. doi:10.1145/3650212.3652127. Online publication date: 11-Sep-2024
    • (2024) Beyond Fidelity: Explaining Vulnerability Localization of Learning-Based Detectors. ACM Transactions on Software Engineering and Methodology 33(5), pp. 1-33. doi:10.1145/3641543. Online publication date: 4-Jun-2024
    • (2024) On the Effectiveness of Function-Level Vulnerability Detectors for Inter-Procedural Vulnerabilities. Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, pp. 1-12. doi:10.1145/3597503.3639218. Online publication date: 20-May-2024
    • (2024) Coca: Improving and Explaining Graph Neural Network-Based Vulnerability Detection Systems. Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, pp. 1-13. doi:10.1145/3597503.3639168. Online publication date: 20-May-2024
    • (2024) A Comprehensive Study of Learning-based Android Malware Detectors under Challenging Environments. Proceedings of the IEEE/ACM 46th International Conference on Software Engineering, pp. 1-13. doi:10.1145/3597503.3623320. Online publication date: 20-May-2024
    • (2024) ALANCA: Active Learning Guided Adversarial Attacks for Code Comprehension on Diverse Pre-trained and Large Language Models. 2024 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), pp. 602-613. doi:10.1109/SANER60148.2024.00067. Online publication date: 12-Mar-2024
    • (2024) Enhance Image-to-Image Generation with LLaVA-generated Prompts. 2024 5th International Conference on Information Science, Parallel and Distributed Systems (ISPDS), pp. 77-81. doi:10.1109/ISPDS62779.2024.10667513. Online publication date: 31-May-2024
    • (2024) VulEXplaineR: XAI for Vulnerability Detection on Assembly Code. Machine Learning and Knowledge Discovery in Databases. Applied Data Science Track, pp. 3-20. doi:10.1007/978-3-031-70378-2_1. Online publication date: 8-Sep-2024
