Deep learning vulnerability detection has shown promising results in recent years. However, an important challenge that still blocks it from being very useful in practice is that the model is not robust under perturbation and cannot generalize well to out-of-distribution (OOD) data, e.g., when a trained model is applied to unseen projects in the real world. We hypothesize that this is because the model learned non-robust features, e.g., variable names, that have spurious correlations with the labels. When the perturbed and OOD datasets no longer share the same spurious features, the model's predictions fail. To address this challenge, in this paper we introduce causality into deep learning vulnerability detection. Our approach, CausalVul, consists of two phases. First, we design novel perturbations to discover spurious features that the model may use to make predictions. Second, we apply causal learning algorithms, specifically do-calculus, on top of existing deep learning models to systematically remove the use of spurious features and thus promote causality-based prediction. Our results show that CausalVul consistently improved model accuracy, robustness and OOD performance for all the state-of-the-art models and datasets we experimented with. To the best of our knowledge, this is the first work that introduces do-calculus-based causal learning to software engineering models and shows that it is indeed useful for improving model accuracy, robustness and generalization. Our replication package is located at https://figshare.com/s/0ffda320dcb96c249ef2.
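As an added illustration (not the paper's code, and not its do-calculus procedure): a toy token-voting detector is trained on constructed C snippets in which the variable name is spuriously correlated with the label, a semantics-preserving renaming perturbation of the kind phase one describes exposes that dependence, and a simplified stand-in for phase two removes the spurious feature by normalising identifiers away before training and prediction. All snippets, names and weights here are constructed for the example.

```python
import math
import re
from collections import Counter

# C keywords the renaming perturbation must leave untouched (small constructed set).
C_KEYWORDS = {"char", "int", "void", "unsigned", "if", "else", "for",
              "while", "return", "sizeof"}
IDENT = re.compile(r"\b[A-Za-z_]\w*\b(?!\s*\()")  # identifiers that are not calls

def rename_identifiers(code, prefix="v"):
    """Semantics-preserving perturbation: alpha-rename every variable consistently
    to prefix0, prefix1, ... in order of first appearance; keywords and called
    function names (followed by '(') are kept, so behaviour is unchanged."""
    mapping = {}
    def sub(m):
        name = m.group(0)
        return name if name in C_KEYWORDS else mapping.setdefault(name, f"{prefix}{len(mapping)}")
    return IDENT.sub(sub, code)

def words(code):
    return re.findall(r"[A-Za-z_]\w*", code)

def train(samples, canonicalize=False):
    """Toy classifier: each token votes with the log-odds of appearing in vulnerable
    vs. safe snippets. With canonicalize=True variable names are normalised away
    first, so they cannot carry any signal (stand-in for removing a spurious feature)."""
    vuln, safe = Counter(), Counter()
    for code, label in samples:
        (vuln if label else safe).update(words(rename_identifiers(code) if canonicalize else code))
    weights = {t: math.log((vuln[t] + 1) / (safe[t] + 1)) for t in vuln | safe}
    return {"weights": weights, "canonicalize": canonicalize}

def predict(model, code):
    if model["canonicalize"]:
        code = rename_identifiers(code)
    return 1 if sum(model["weights"].get(t, 0.0) for t in words(code)) > 0 else 0

def is_robust(model, code):
    """Phase-one style check: does the prediction survive a renaming perturbation?"""
    return predict(model, code) == predict(model, rename_identifiers(code, "x"))

# Constructed training set: 'buf' appears only in vulnerable snippets and 'name'
# only in safe ones, so the variable name is spuriously correlated with the label.
TRAIN = [("char buf[16]; strcpy(buf, src);", 1), ("char buf[8]; gets(buf);", 1),
         ("char name[16]; strncpy(name, src, 15);", 0), ("char name[8]; fgets(name, 8, stdin);", 0)]
# Constructed test: vulnerable (unbounded strcpy) but written with the 'safe' variable name.
TEST = "char name[16]; strcpy(name, src);"

if __name__ == "__main__":
    naive, normalised = train(TRAIN), train(TRAIN, canonicalize=True)
    print(predict(naive, TEST), is_robust(naive, TEST))            # 0 False: follows the name
    print(predict(normalised, TEST), is_robust(normalised, TEST))  # 1 True: follows strcpy
```

The naive model labels the test snippet safe and flips its answer when the variables are renamed, which is exactly the non-robust behaviour the abstract attributes to spurious features; the normalised model keys on the API call instead and is stable under the perturbation.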