Deep learning vulnerability detection has shown promising results in recent years. However, an important challenge still keeps it from being very useful in practice: the model is not robust under perturbation, and it does not generalize well to out-of-distribution (OOD) data, e.g., when a trained model is applied to unseen projects in the real world. We hypothesize that this is because the model learned non-robust features, e.g., variable names, that have spurious correlations with labels. When the perturbed and OOD datasets no longer have the same spurious features, the model prediction fails. To address this challenge, in this paper we introduced causality into deep learning vulnerability detection. Our approach, CausalVul, consists of two phases. First, we designed novel perturbations to discover spurious features that the model may use to make predictions. Second, we applied causal learning algorithms, specifically do-calculus, on top of existing deep learning models to systematically remove the use of spurious features and thus promote causal-based prediction. Our results show that CausalVul consistently improved the model accuracy, robustness and OOD performance for all the state-of-the-art models and datasets we experimented with. To the best of our knowledge, this is the first work that introduces do-calculus-based causal learning to software engineering models and shows that it is indeed useful for improving model accuracy, robustness and generalization. Our replication package is located at https://figshare.com/s/0ffda320dcb96c249ef2.
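The hypothesis above, that a detector may key on variable names rather than on the vulnerable operation, can be checked with a semantics-preserving renaming perturbation. The following is an added example, not CausalVul's code or its perturbations: the two C snippets and both detectors are constructed stand-ins, and the renamer is a regex-level simplification that assumes function names are always followed by `(`.

```python
import re

# String/char literals and comments are matched first so they are left untouched.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|/\*.*?\*/|//[^\n]*|\b[A-Za-z_]\w*\b', re.S)
# Names that must keep their spelling (C keywords plus a few common types/macros; not exhaustive).
PROTECTED = set("""auto break case char const continue default do double else enum extern
float for goto if int long register return short signed sizeof static struct switch typedef
union unsigned void volatile while size_t NULL""".split())

def rename_identifiers(code):
    """Consistently rename variables/parameters to v0, v1, ... without changing behaviour."""
    mapping = {}
    def sub(m):
        tok = m.group(0)
        if tok[0] in "\"'/" or tok in PROTECTED:
            return tok                                        # literal, comment or keyword
        if code[m.end():].lstrip().startswith("("):
            return tok                                        # function name: keep
        if code[:m.start()].rstrip().endswith((".", "->")):
            return tok                                        # struct member: keep
        return mapping.setdefault(tok, f"v{len(mapping)}")
    return TOKEN.sub(sub, code), mapping

def flip_rate(predict, samples):
    """Fraction of samples whose predicted label changes under renaming."""
    flips = sum(predict(s) != predict(rename_identifiers(s)[0]) for s in samples)
    return flips / len(samples)

# Constructed stand-ins for two kinds of learned behaviour.
def name_based(code):   # spurious feature: a variable happens to be called "buf"
    return re.search(r"\bbuf\b", code) is not None

def call_based(code):   # feature tied to the operation: an unbounded strcpy call
    return re.search(r"\bstrcpy\s*\(", code) is not None

# Constructed sample functions (one vulnerable, one bounded).
SAMPLES = [
    'void copy(char *src) {\n    char buf[16];\n    strcpy(buf, src);  /* unbounded copy */\n}\n',
    "void copy_ok(char *src, size_t n) {\n    char dst[16];\n"
    "    strncpy(dst, src, sizeof(dst) - 1);\n    dst[15] = '\\0';\n}\n",
]

if __name__ == "__main__":
    print(rename_identifiers(SAMPLES[0])[0])
    print("name-based flip rate:", flip_rate(name_based, SAMPLES))
    print("call-based flip rate:", flip_rate(call_based, SAMPLES))
```

A non-zero flip rate under renaming alone indicates that the prediction depends on identifier spelling, which is the kind of spurious feature the abstract describes.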