VulDIAC: Vulnerability detection and interpretation based on augmented CFG and causal attention learning

Abstract

Vulnerability detection in software source code is essential for ensuring system security. Recently, deep learning methods have gained significant attention in this domain, leveraging structured information extracted from source code, and employing Graph Neural Networks (GNNs) to enhance detection performance through graph representation learning. However, conventional code graph structures exhibit limitations in capturing the comprehensive semantics of source code, and the presence of spurious features may result in incorrect correlations, which undermines the robustness and explainability of vulnerability detection models. In this paper, we propose VulDIAC, a novel framework for Vulnerability Detection and Interpretation that integrates an Augmented Control Flow Graph (ACFG) and a multi-task Causal attention learning module based on Relational Graph Convolutional Networks, referred to as RGCN-CAL. The ACFG incorporates additional relational edges, such as reaching-define and dominator relationships, to better capture the control flow logic and data flow information within the code. The RGCN-CAL module emphasizes causal features while learning multi-relational graph representations. This approach enhances detection accuracy and provides fine-grained, line-level explanations. Experimental evaluations on two public datasets demonstrate that VulDIAC significantly outperforms baseline methods, achieving F1-Score improvements of 27.16% and 53.59%, respectively. Additionally, VulDIAC achieves better Top-k accuracy compared to LineVul on line-level vulnerability detection, which suggests its competitive performance and potential interpretability benefits.