Computer Science ›› 2026, Vol. 53 ›› Issue (6): 427-436. doi: 10.11896/jsjkx.250800076

• Information Security •

CausalVulGNN: Framework for Software Vulnerability Explanation Based on Causal Inference and Graph Neural Networks

ZHANG Xin, CHEN Wen   

  1. School of Cyber Science and Engineering, Sichuan University, Chengdu 610207, China
  • Received: 2025-08-18 Revised: 2025-10-29 Online: 2026-06-15 Published: 2026-06-09
  • About author: ZHANG Xin, born in 1998, postgraduate. His main research interests include machine learning and vulnerability mining.
    CHEN Wen, born in 1983, Ph.D, associate professor, Ph.D supervisor. His main research interests include cyber security and data mining.
  • Supported by:
    National Key Research and Development Program of China (020YFB1805405).

Abstract: Vulnerability explanation is a critical task in software vulnerability mining, aiming to uncover the root causes of vulnerability formation and improve the quality of vulnerability remediation. Existing approaches for vulnerability explanation can be broadly categorized into factual reasoning and counterfactual reasoning methods. Factual reasoning focuses on identifying code subgraphs that are highly correlated with the model's prediction, while counterfactual reasoning seeks to discover subgraphs responsible for vulnerabilities by applying minimal perturbations that change the model's output. However, traditional methods lack explicit modeling of the causal relationships between code and vulnerabilities, making it difficult to distinguish spurious variables (spurious subgraphs) that are only statistically correlated with the vulnerability from the true causal variables (causal subgraphs) that directly lead to vulnerability formation. As a result, vulnerability explanation can be misled by spurious correlations, producing inaccurate conclusions. To address this issue, this paper proposes CausalVulGNN, a causal explanation framework for vulnerability analysis based on graph neural networks (GNNs). The proposed method firstly employs multi-layer GNN aggregation to capture structural and semantic features by integrating local node and edge information within the code graph. Then, it introduces a sample reweighting mechanism and a causal structure model (CSM) based on the Hilbert-Schmidt independence criterion (HSIC) to model causal relationships among high-level GNN representations. Unlike traditional correlation-based approaches, CSM simulates perturbations to high-level variables and quantifies their direct impact on model predictions, enabling the identification of subgraphs that are truly causal to vulnerabilities. This helps eliminate spurious subgraphs that are only statistically correlated with the output, thereby improving the fidelity of explanations. Experimental results demonstrate that CausalVulGNN achieves significant performance improvements across multiple vulnerability detection models and explanation methods, validating its effectiveness from a causal inference perspective. Systematic experiments are conducted on the real-world large-scale vulnerability dataset Big-Vul, covering popular detection models such as GCN, GGNN, GIN, and GraphConv. The results show that integrating CausalVulGNN leads to substantial improvements in standard explanation metrics (Accuracy, Precision, Recall, and F1-score) for widely used explainers including CFExplainer, GNNExplainer, and GNN-LRP. In particular, CFExplainer achieves an average 19.6% increase in Accuracy and over 28% improvement in Recall, confirming the effectiveness of CausalVulGNN for vulnerability explanation and analysis.

Key words: Causal representation learning, Vulnerability explanation, Graph neural networks, Spurious correlation elimination, Sample reweighting, Independence criterion

CLC Number: TP181
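
The abstract names HSIC-based sample reweighting without showing the computation. The block below is an added illustration, not code from the paper: a weighted HSIC estimator in pure Python, run on a constructed sample where a spurious feature co-occurs with a causal one. The feature names and the closed-form weights p(x)p(y)/p(x,y), which stand in for learned weights, are assumptions of this example.

```python
import math
from collections import Counter

def gram(v, sigma=1.0):
    """Gaussian (RBF) kernel matrix for a list of scalars."""
    return [[math.exp(-((a - b) ** 2) / (2 * sigma ** 2)) for b in v] for a in v]

def weighted_hsic(x, y, w=None):
    """V-statistic HSIC of (x, y) under sample weights w (uniform if None).

    HSIC = sum_ij p_i p_j K_ij L_ij + (p'Kp)(p'Lp) - 2 sum_i p_i (Kp)_i (Lp)_i,
    which for uniform p equals tr(KHLH) / n^2.
    """
    n = len(x)
    w = w or [1.0] * n
    total = sum(w)
    p = [wi / total for wi in w]          # normalise weights to a distribution
    K, L = gram(x), gram(y)
    Kp = [sum(K[i][j] * p[j] for j in range(n)) for i in range(n)]
    Lp = [sum(L[i][j] * p[j] for j in range(n)) for i in range(n)]
    pKp = sum(p[i] * Kp[i] for i in range(n))
    pLp = sum(p[i] * Lp[i] for i in range(n))
    joint = sum(p[i] * p[j] * K[i][j] * L[i][j]
                for i in range(n) for j in range(n))
    cross = sum(p[i] * Kp[i] * Lp[i] for i in range(n))
    return joint + pKp * pLp - 2 * cross

def decorrelating_weights(x, y):
    """Closed-form weights p(x)p(y)/p(x,y) for discrete features (assumption:
    used here in place of weights learned by minimising HSIC)."""
    n = len(x)
    cx, cy, cxy = Counter(x), Counter(y), Counter(zip(x, y))
    return [cx[a] * cy[b] / (n * cxy[(a, b)]) for a, b in zip(x, y)]

# Constructed sample of 40 functions (hypothetical features):
# causal = 1 if an unchecked length reaches a copy, spurious = 1 if the
# function sits in a parser module. The two agree in 80% of the samples.
causal   = [1] * 16 + [1] * 4 + [0] * 4 + [0] * 16
spurious = [1] * 16 + [0] * 4 + [1] * 4 + [0] * 16

def demo():
    """Return HSIC(causal, spurious) before and after reweighting."""
    before = weighted_hsic(causal, spurious)
    weights = decorrelating_weights(causal, spurious)
    after = weighted_hsic(causal, spurious, weights)
    return before, after

if __name__ == "__main__":
    print("HSIC before / after reweighting:", demo())
```

Under the reweighted distribution the two features are independent, so a model trained with these weights can no longer use the spurious feature as a proxy for the causal one.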