Vulnerability detection is crucial for ensuring the security and reliability of software systems. Recently, Graph Neural Networks (GNNs) have emerged as a prominent code embedding approach for vulnerability detection, owing to their ability to capture the underlying semantic structure of source code. However, GNNs face significant challenges in explainability due to their inherently black-box nature. To this end, several factual reasoning-based explainers have been proposed. These explainers explain the predictions made by GNNs by analyzing the key features that contribute to the outcomes. We argue that such factual reasoning-based explanations cannot answer critical what-if questions: what would happen to the GNN's decision if we were to alter the code graph into an alternative structure? Inspired by advances in counterfactual reasoning in artificial intelligence, we propose CFExplainer, a novel counterfactual explainer for GNN-based vulnerability detection. Unlike factual reasoning-based explainers, CFExplainer seeks the minimal perturbation to the input code graph that leads to a change in the prediction, thereby addressing the what-if questions for vulnerability detection. We term this perturbation a counterfactual explanation; it can pinpoint the root causes of the detected vulnerability and furnish valuable insights for developers to take appropriate actions to fix the vulnerability. Extensive experiments on four GNN-based vulnerability detection models demonstrate the effectiveness of CFExplainer over existing state-of-the-art factual reasoning-based explainers.
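To make the notion of a counterfactual explanation concrete, here is an added toy example (not CFExplainer's code, and not from the paper): a constructed data-flow graph of a hypothetical C function, a stand-in "detector" that the explainer treats as a black box, and an exhaustive search for the smallest set of edge deletions that flips the detector's prediction. The node names (argv, len, check, buf, idx, strcpy), the detector rule, and the `max_edits` budget are all assumptions of this example.

```python
"""Toy counterfactual search over a code graph (constructed example, not CFExplainer)."""
from itertools import combinations
from typing import Callable, FrozenSet, Optional, Tuple

Edge = Tuple[str, str]
Graph = FrozenSet[Edge]

# Constructed data-flow graph of a hypothetical C function: tainted 'argv'
# reaches the sink 'strcpy' along two unchecked paths (via 'buf' and 'idx')
# and one path that passes through a bounds 'check'.
CODE_GRAPH: Graph = frozenset({
    ("argv", "len"), ("len", "check"), ("check", "buf"),
    ("argv", "buf"), ("buf", "strcpy"),
    ("argv", "idx"), ("idx", "strcpy"),
})

def reachable(graph: Graph, src: str, dst: str, avoid: str) -> bool:
    """Directed depth-first search that refuses to pass through `avoid`."""
    seen, stack = {src}, [src]
    while stack:
        node = stack.pop()
        for a, b in graph:
            if a == node and b != avoid and b not in seen:
                seen.add(b)
                stack.append(b)
    return dst in seen

def toy_detector(graph: Graph) -> int:
    """Stand-in for a trained GNN: 1 (vulnerable) iff taint reaches the
    sink without passing a check. The explainer only calls it, never inspects it."""
    return int(reachable(graph, "argv", "strcpy", avoid="check"))

def counterfactual(graph: Graph, model: Callable[[Graph], int],
                   max_edits: int = 3) -> Optional[Graph]:
    """Smallest set of edge deletions that flips the model's prediction.
    Exhaustive over subsets of increasing size, so it is exact but only
    practical for tiny graphs; CFExplainer instead optimises over a
    relaxed perturbation mask. Returns None if no flip is found in budget."""
    original = model(graph)
    edges = sorted(graph)
    for k in range(1, max_edits + 1):
        for removed in combinations(edges, k):
            if model(graph - frozenset(removed)) != original:
                return frozenset(removed)
    return None

if __name__ == "__main__":
    print("prediction:", toy_detector(CODE_GRAPH))
    print("counterfactual edits:", sorted(counterfactual(CODE_GRAPH, toy_detector)))
```

The returned edges are exactly the "what-if" answer: cutting both unchecked flows from `argv` is the minimal change under which the detector no longer flags the function, which points a developer at the root cause rather than at a general list of influential nodes.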