VDExplainer：漏洞检测的顺序决策和概率抽样指导语句级解释

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-09-25 DOI:10.1016/j.cose.2025.104670

Weining Zheng, Xiaohong Su, Yuan Jiang, Hongwei Wei, Wenxin Tao

{"title":"VDExplainer：漏洞检测的顺序决策和概率抽样指导语句级解释","authors":"Weining Zheng, Xiaohong Su, Yuan Jiang, Hongwei Wei, Wenxin Tao","doi":"10.1016/j.cose.2025.104670","DOIUrl":null,"url":null,"abstract":"<div><div>Most existing deep learning (DL) based vulnerability detection methods, including pre-trained models, are coarse-grained binary classification methods that lack the interpretability for detection results. Although the explanation of deep learning has received significant attention, there is little research on the explanation of pre-trained model-based vulnerability detection methods. Therefore, we focus on providing statement-level interpretability for these vulnerability detection models to help developers understand the vulnerabilities. More specifically, given a vulnerable code detected by the model, our task is to find the set of vulnerability-related statements that lead to the prediction. Inspired by the manual code review process, this paper proposes a framework for explaining vulnerability detection called VDExplainer. VDExplainer includes an explorer that uses sequential decision-making and probability sampling to find the combination of vulnerability-related statements and a navigator that helps reduce the search space by learning the vulnerability patterns. It is worth noting that the navigator is trained in advance and then integrated with the explorer, further enhancing the efficiency and effectiveness of VDExplainer. Extensive experiments on the semi-synthetic dataset and the widely used real-world project dataset show that VDExplainer achieves superior performance, outperforming current state-of-the-art methods.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"159 ","pages":"Article 104670"},"PeriodicalIF":5.4000,"publicationDate":"2025-09-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"VDExplainer: Sequential decision-making and probability sampling guided statement-level explanation for vulnerability detection\",\"authors\":\"Weining Zheng, Xiaohong Su, Yuan Jiang, Hongwei Wei, Wenxin Tao\",\"doi\":\"10.1016/j.cose.2025.104670\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><div>Most existing deep learning (DL) based vulnerability detection methods, including pre-trained models, are coarse-grained binary classification methods that lack the interpretability for detection results. Although the explanation of deep learning has received significant attention, there is little research on the explanation of pre-trained model-based vulnerability detection methods. Therefore, we focus on providing statement-level interpretability for these vulnerability detection models to help developers understand the vulnerabilities. More specifically, given a vulnerable code detected by the model, our task is to find the set of vulnerability-related statements that lead to the prediction. Inspired by the manual code review process, this paper proposes a framework for explaining vulnerability detection called VDExplainer. VDExplainer includes an explorer that uses sequential decision-making and probability sampling to find the combination of vulnerability-related statements and a navigator that helps reduce the search space by learning the vulnerability patterns. It is worth noting that the navigator is trained in advance and then integrated with the explorer, further enhancing the efficiency and effectiveness of VDExplainer. Extensive experiments on the semi-synthetic dataset and the widely used real-world project dataset show that VDExplainer achieves superior performance, outperforming current state-of-the-art methods.</div></div>\",\"PeriodicalId\":51004,\"journal\":{\"name\":\"Computers & Security\",\"volume\":\"159 \",\"pages\":\"Article 104670\"},\"PeriodicalIF\":5.4000,\"publicationDate\":\"2025-09-25\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Computers & Security\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S0167404825003591\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825003591","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

摘要

大多数现有的基于深度学习（DL）的漏洞检测方法，包括预训练模型，都是粗粒度的二元分类方法，缺乏检测结果的可解释性。尽管对深度学习的解释受到了极大的关注，但对基于预训练模型的漏洞检测方法的解释研究却很少。因此，我们专注于为这些漏洞检测模型提供语句级别的可解释性，以帮助开发人员理解漏洞。更具体地说，给定模型检测到的易受攻击的代码，我们的任务是找到导致预测的一组与易受攻击相关的语句。受手工代码审查过程的启发，本文提出了一个解释漏洞检测的框架VDExplainer。VDExplainer包括一个浏览器，它使用顺序决策和概率抽样来查找漏洞相关语句的组合，以及一个导航器，它通过学习漏洞模式来帮助减少搜索空间。值得注意的是，导航器是经过预先培训，然后与资源管理器集成的，进一步提高了VDExplainer的效率和有效性。在半合成数据集和广泛使用的实际项目数据集上进行的大量实验表明，VDExplainer实现了卓越的性能，优于当前最先进的方法。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

VDExplainer: Sequential decision-making and probability sampling guided statement-level explanation for vulnerability detection

Most existing deep learning (DL) based vulnerability detection methods, including pre-trained models, are coarse-grained binary classification methods that lack the interpretability for detection results. Although the explanation of deep learning has received significant attention, there is little research on the explanation of pre-trained model-based vulnerability detection methods. Therefore, we focus on providing statement-level interpretability for these vulnerability detection models to help developers understand the vulnerabilities. More specifically, given a vulnerable code detected by the model, our task is to find the set of vulnerability-related statements that lead to the prediction. Inspired by the manual code review process, this paper proposes a framework for explaining vulnerability detection called VDExplainer. VDExplainer includes an explorer that uses sequential decision-making and probability sampling to find the combination of vulnerability-related statements and a navigator that helps reduce the search space by learning the vulnerability patterns. It is worth noting that the navigator is trained in advance and then integrated with the explorer, further enhancing the efficiency and effectiveness of VDExplainer. Extensive experiments on the semi-synthetic dataset and the widely used real-world project dataset show that VDExplainer achieves superior performance, outperforming current state-of-the-art methods.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.