Deep learning vulnerability detection has shown promising results in recent years. However, an important challenge that still blocks it from being very useful in practice is that the model is not robust under perturbation and cannot generalize well to out-of-distribution (OOD) data, e.g., when a trained model is applied to unseen projects in the real world. We hypothesize that this is because the model learned non-robust features, e.g., variable names, that have spurious correlations with labels. When the perturbed and OOD datasets no longer have the same spurious features, the model prediction fails. To address the challenge, in this paper, we introduced causality into deep learning vulnerability detection. Our approach, CausalVul, consists of two phases. First, we designed novel perturbations to discover spurious features that the model may use to make predictions. Second, we applied causal learning algorithms, specifically do-calculus, on top of existing deep learning models to systematically remove the use of spurious features and thus promote causal-based prediction. Our results show that CausalVul consistently improved the model accuracy, robustness and OOD performance for all the state-of-the-art models and datasets we experimented with. To the best of our knowledge, this is the first work that introduces do-calculus-based causal learning to software engineering models and shows that it is indeed useful for improving model accuracy, robustness and generalization. Our replication package is located at https://figshare.com/s/0ffda320dcb96c249ef2.
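The hypothesis above, that a variable name can correlate with the label without causing it, can be checked on a toy corpus. This is an added example, not code from the paper or its replication package. It assumes the backdoor adjustment as the do-calculus identity (the abstract does not say which one CausalVul uses), and the feature names `unchecked_copy` and `buf_name` and all counts are constructed.

```python
from collections import Counter

# Constructed toy corpus (not from the paper). Each cell is
# (unchecked_copy, buf_name, vulnerable, count). unchecked_copy is the causal
# feature; buf_name is a naming habit that merely co-occurs with it here.
CELLS = [
    (1, 1, 1, 32), (1, 1, 0, 8),
    (1, 0, 1, 8),  (1, 0, 0, 2),
    (0, 1, 1, 1),  (0, 1, 0, 9),
    (0, 0, 1, 4),  (0, 0, 0, 36),
]
FEATURES = {"unchecked_copy": 0, "buf_name": 1}
LABEL = 2

def expand(cells):
    """Turn the count table into one (x, z, y) tuple per function."""
    return [c[:3] for c in cells for _ in range(c[3])]

def p_observed(samples, feature, value):
    """P(vulnerable=1 | feature=value): plain conditioning, as a model sees it."""
    i = FEATURES[feature]
    rows = [s for s in samples if s[i] == value]
    return sum(s[LABEL] for s in rows) / len(rows)

def p_do(samples, feature, value, adjust):
    """Backdoor adjustment: sum_a P(y=1 | feature=value, adjust=a) * P(adjust=a)."""
    i, j = FEATURES[feature], FEATURES[adjust]
    marginal = Counter(s[j] for s in samples)
    total = 0.0
    for a, n_a in marginal.items():
        rows = [s for s in samples if s[i] == value and s[j] == a]
        if not rows:  # positivity violated: this stratum was never observed
            raise ValueError(f"no support for {feature}={value}, {adjust}={a}")
        total += sum(s[LABEL] for s in rows) / len(rows) * n_a / len(samples)
    return total

def effect(samples, feature, adjust=None):
    """Risk difference between feature=1 and feature=0, observed or under do()."""
    if adjust is None:
        return p_observed(samples, feature, 1) - p_observed(samples, feature, 0)
    return p_do(samples, feature, 1, adjust) - p_do(samples, feature, 0, adjust)

if __name__ == "__main__":
    data = expand(CELLS)
    print("observed effect of buf_name:  ", round(effect(data, "buf_name"), 3))
    print("do() effect of buf_name:      ", round(effect(data, "buf_name", "unchecked_copy"), 3))
    print("do() effect of unchecked_copy:", round(effect(data, "unchecked_copy", "buf_name"), 3))
```

The name looks predictive under plain conditioning, but its effect vanishes once the causal feature is adjusted for, while the causal feature keeps its effect when the name is adjusted for.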