Vulnerability detectors based on deep learning (DL) models have proven their effectiveness in recent years. However, the shroud of opacity surrounding the decision-making process of these detectors makes it difficult for security analysts to comprehend. To address this, various explanation approaches have been proposed to explain the predictions by highlighting important features, which have been demonstrated effective in other domains such as computer vision and natural language processing. Unfortunately, an in-depth evaluation of vulnerability-critical features, such as fine-grained vulnerability-related code lines, learned and understood by these explanation approaches remains lacking. In this study, we first evaluate the performance of ten explanation approaches for vulnerability detectors based on graph and sequence representations, measured by two quantitative metrics including fidelity and vulnerability line coverage rate. Our results show that fidelity alone is not sufficient for evaluating these approaches, as fidelity incurs significant fluctuations across different datasets and detectors. We subsequently check the precision of the vulnerability-related code lines reported by the explanation approaches, and find poor accuracy in this task among all of them. This can be attributed to the inefficiency of explainers in selecting important features and the presence of irrelevant artifacts learned by DL-based detectors.

翻译：基于深度学习（DL）模型的漏洞检测器近年来已证明其有效性。然而，这些检测器决策过程的不透明性使得安全分析师难以理解其机制。为此，研究者提出了多种解释方法来通过突出重要特征解释预测结果，这类方法在计算机视觉和自然语言处理等领域已展现出有效性。遗憾的是，现有研究仍缺乏对这些解释方法所习得并理解的漏洞关键特征（如细粒度的漏洞相关代码行）进行深度评估。本研究首先基于保真度和漏洞行覆盖率两项量化指标，评估了十种面向图表示和序列表示的漏洞检测器解释方法的性能。结果表明，保真度不足以作为评估标准，因其在不同数据集和检测器上均存在显著波动。我们随后检验了解释方法报告的漏洞相关代码行的精确性，发现所有方法在此任务中均表现不佳。这一现象可归因于解释器在特征选择上的低效性，以及基于深度学习检测器中习得的不相关伪影的存在。