Reasoning with counterfactual explanations for code vulnerability detection and correction.

Wijekoon, Anjana; Wiratunga, Nirmalie

Authors

Dr Anjana Wijekoon a.wijekoon1@rgu.ac.uk
Research Fellow B

Professor Nirmalie Wiratunga n.wiratunga@rgu.ac.uk
Associate Dean for Research

Contributors

Sadiq Sani
Editor

Dr Harsha Kalutarage h.kalutarage@rgu.ac.uk
Editor

Abstract

Counterfactual explanations highlight "actionable knowledge" which helps the end-users to understand how a machine learning outcome could be changed to a more desirable outcome. In code vulnerability detection, understanding these "actionable" corrections can be critical to proactively mitigate security attacks that are caused by known vulnerabilities. In this paper, we present the case-based explainer DisCERN for counterfactual discovery with code data. DisCERN explainer finds counterfactuals to explain the outcomes of black-box vulnerability detection models and highlight actionable corrections to guide the user. DisCERN uses feature relevance explainer knowledge as a proxy to discover potentially vulnerable code statements and then used a novel substitution algorithm based on pattern matching to find corrections from the nearest unlike neighbour. The overall aim of DisCERN is to identify vulnerabilities and correct them with minimal changes necessary. We evaluate DisCERN using the NIST Java SAR dataset to find that DisCERN finds counterfactuals for 96% of the test instances with 13 ~ 14 statement changes in each test instance. Additionally, we present example counterfactuals found using DisCERN to qualitatively evaluate the algorithm.

Citation

WIJEKOON, A. and WIRATUNGA, N. 2021. Reasoning with counterfactual explanations for code vulnerability detection and correction. In Sani, S. and Kalutarage, H. (eds.) AI and cybersecurity 2021 (AI-Cybersec 2021): proceedings of the workshop on AI and cybersecurity (AI-Cybersec 2021) co-located with 41st (British Computer Society's Specialist Group on Artificial Intelligence) SGAI international conference on artificial intelligence (SGAI 2021), 14 December 2021, Cambridge, UK: [virtual conference]. Aachen: CEUR Workshop Proceedings [online], 3125, pages 1-13. Available from: http://ceur-ws.org/Vol-3125/paper1.pdf 14 December 2021, Cambridge, UK: [virtual event]. Aachen: CEUR Workshop Proceedings [online], 3125, pages 1-13. Available from: http://ceur-ws.org/Vol-3125/paper1.pdf

Conference Name	2021 Workshop on AI and cybersecurit (AI-Cybersec 2021), co-located with 41st (British Computer Society's Specialist Group on Artificial Intelligence) SGAI international conference on artificial intelligence (SGAI 2021)
Conference Location	Cambridge, UK
Start Date	Dec 14, 2021
Acceptance Date	Nov 21, 2021
Online Publication Date	Dec 14, 2021
Publication Date	Apr 17, 2022
Deposit Date	May 5, 2022
Publicly Available Date	May 5, 2022
Publisher	CEUR Workshop Proceedings
Pages	1-13
Series Title	CEUR workshop proceedings
Series Number	3125
Series ISSN	1613-0073
Book Title	AI and cybersecurity 2021 (AI-Cybersec 2021): proceedings of the Workshop on AI and Cybersecurity (AI-Cybersec 2021) co-located with 41st (British Computer Society's Specialist Group on Artificial Intelligence) SGAI international conference on artificial
Keywords	Counterfactual explanations; Vulnerability detection; Explainable AI
Public URL	https://rgu-repository.worktribe.com/output/1654358
Publisher URL	http://ceur-ws.org/Vol-3125/