
Beyond Fidelity: Explaining Vulnerability Localization of Learning-based Detectors

Baijun Cheng, Shengming Zhao, Kailong Wang, Meizhen Wang, Guangdong Bai, Ruitao Feng, Yao Guo, Lei Ma, Haoyu Wang

TL;DR

This paper examines how precisely explanation techniques can localize the code that makes a function vulnerable when applied to DL-based detectors, evaluating a broad set of graph- and sequence-based explainers. It uses two primary evaluation metrics, fidelity and vulnerability line coverage (TLC and FLC), together with a new detector-focused metric, VUR, to expose weaknesses that fidelity alone does not capture. Experiments on SARD and FanData show that high fidelity does not reliably translate into vulnerability-relevant explanations: detectors often rely on vulnerability-irrelevant artifacts, and perturbations can flip their predictions. The findings question the usefulness of current explainers for vulnerability localization and suggest reframing vulnerability detection as a set of subtasks, potentially combining large language models with static analysis to capture vulnerability semantics more reliably.
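To make the two metrics in the TL;DR concrete, the following is an added example, not code from the paper or from any of the detectors or explainers it evaluates. The page does not reproduce the paper's formulas, so the definitions below are assumptions that follow the common explainability convention: fidelity is the drop in the detector's vulnerable-class probability when the explainer's top-k lines are masked out, and line coverage is the fraction of ground-truth vulnerability-related lines (derived, as in the page's Figure 1, from the lines a fix modifies) that appear among those top-k lines. The detector is a toy stand-in that keys mostly on a logging call, which is exactly the kind of vulnerability-irrelevant artifact the paper warns about, and the sample function and both explanations are constructed for the example.

```python
from typing import Callable, Dict, Iterable, List, Set

# Constructed sample: a vulnerable C function as a list of source lines.
# Line numbers are 1-based, matching how the page refers to statements.
SAMPLE_CODE = [
    "int parse(const char *src, size_t n) {",
    "    char buf[16];",
    '    log_debug("parse");',   # line 3: benign logging call (artifact)
    "    memcpy(buf, src, n);",  # line 4: unchecked length, the real defect
    "    return buf[0];",
    "}",
]

# Ground truth in the style of the page's Figure 1: the line a fix would modify.
GROUND_TRUTH_LINES: Set[int] = {4}


def toy_detector(code: List[str]) -> float:
    """Stand-in for a DL detector (an assumption, not a model from the paper).

    It assigns most of its evidence to the logging call, an artifact unrelated
    to the bug, and only a little to the unchecked memcpy.
    """
    text = "\n".join(code)
    score = 1 + (6 if "log_debug" in text else 0) + (2 if "memcpy" in text else 0)
    return score / 10  # vulnerable-class probability in [0.1, 0.9]


def top_k_lines(scores: Dict[int, float], k: int) -> List[int]:
    """Rank lines by explainer importance, highest first; ties by line number."""
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [line for line, _ in ranked[:k]]


def line_coverage(explained: Iterable[int], ground_truth: Set[int]) -> float:
    """Fraction of ground-truth vulnerability-related lines the explanation hits."""
    if not ground_truth:
        raise ValueError("ground truth must contain at least one line")
    return len(set(explained) & ground_truth) / len(ground_truth)


def fidelity_plus(predict: Callable[[List[str]], float],
                  code: List[str], explained: Iterable[int]) -> float:
    """Probability drop when the explained lines are masked (blanked out)."""
    masked_lines = set(explained)
    masked = ["" if i + 1 in masked_lines else line for i, line in enumerate(code)]
    return round(predict(code) - predict(masked), 6)


def evaluate(predict: Callable[[List[str]], float], code: List[str],
             scores: Dict[int, float], k: int, ground_truth: Set[int]) -> Dict[str, object]:
    """Score one explanation with both metrics at a given top-k cutoff."""
    lines = top_k_lines(scores, k)
    return {
        "lines": lines,
        "fidelity": fidelity_plus(predict, code, lines),
        "coverage": line_coverage(lines, ground_truth),
    }


# Constructed explanations: one faithful to what the detector actually uses,
# one pointing at the real defect.
ARTIFACT_EXPLAINER = {3: 0.9, 4: 0.2, 2: 0.1}
DEFECT_EXPLAINER = {4: 0.8, 2: 0.3, 3: 0.1}

if __name__ == "__main__":
    for name, scores in (("artifact", ARTIFACT_EXPLAINER), ("defect", DEFECT_EXPLAINER)):
        print(name, evaluate(toy_detector, SAMPLE_CODE, scores, 1, GROUND_TRUTH_LINES))
```

At k=1 the artifact-following explanation gets the higher fidelity (masking the logging call costs the detector 0.6 of probability) but zero line coverage, while the defect-following explanation gets low fidelity (0.2) and full coverage. That is the gap the paper describes: fidelity measures agreement with the detector, and when the detector has learned an artifact, a faithful explanation is a wrong one for the analyst.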

Abstract

Vulnerability detectors based on deep learning (DL) models have proven their effectiveness in recent years. However, the opacity of their decision-making process makes their predictions difficult for security analysts to comprehend. To address this, various explanation approaches have been proposed that explain predictions by highlighting important features; such approaches have been demonstrated effective in other domains such as computer vision and natural language processing. Unfortunately, an in-depth evaluation of whether these explanation approaches capture vulnerability-critical features, such as fine-grained vulnerability-related code lines, remains lacking. In this study, we first evaluate the performance of ten explanation approaches for vulnerability detectors based on graph and sequence representations, measured by two quantitative metrics: fidelity and vulnerability line coverage rate. Our results show that fidelity alone is not sufficient for evaluating these approaches, as it fluctuates significantly across datasets and detectors. We subsequently check the precision of the vulnerability-related code lines reported by the explanation approaches, and find that all of them perform poorly on this task. This can be attributed to the ineffectiveness of explainers in selecting important features and to the presence of irrelevant artifacts learned by DL-based detectors.

Paper Structure (39 sections, 4 equations, 16 figures, 7 tables)

Figures (16)

  • Figure 1: An illustrative example featured by CVE-2017-12898 and CVE-2018-16842. In CVE-2017-12898, a modification in line 13 can be observed after patching, and in CVE-2018-16842, line 26 can be seen to be modified. The detector Reveal successfully identifies these two vulnerable functions. However, when employing five graph-based explainers to ascertain root causes, none of them highlight statement 13 in CVE-2017-12898 or statement 26 in CVE-2018-16842 in connection to the vulnerability.
  • Figure 2: Evaluation framework.
  • Figure 3: Illustration of a vulnerable code fragment and its corresponding fixed version with VTS and VFS labelled.
  • Figure 4: An example of a controversial code fragment.
  • Figure 5: Detection performance of seven DL-based detectors in different datasets.
  • ...and 11 more figures