
Reasoning with counterfactual explanations for code vulnerability detection and correction.

Authors

Wijekoon, Anjana; Wiratunga, Nirmalie

Contributors

Sadiq Sani (Editor)

Abstract

Counterfactual explanations highlight "actionable knowledge" that helps end-users understand how a machine learning outcome could be changed to a more desirable one. In code vulnerability detection, understanding these "actionable" corrections can be critical to proactively mitigating security attacks that exploit known vulnerabilities. In this paper, we present the case-based explainer DisCERN for counterfactual discovery with code data. The DisCERN explainer finds counterfactuals that explain the outcomes of black-box vulnerability detection models and highlights actionable corrections to guide the user. DisCERN uses feature relevance explainer knowledge as a proxy to discover potentially vulnerable code statements, and then uses a novel substitution algorithm based on pattern matching to find corrections from the nearest unlike neighbour. The overall aim of DisCERN is to identify vulnerabilities and correct them with the minimal changes necessary. We evaluate DisCERN using the NIST Java SAR dataset and find that it discovers counterfactuals for 96% of the test instances, with 13 ~ 14 statement changes per test instance. Additionally, we present example counterfactuals found using DisCERN to qualitatively evaluate the algorithm.

Citation

WIJEKOON, A. and WIRATUNGA, N. 2021. Reasoning with counterfactual explanations for code vulnerability detection and correction. In Sani, S. and Kalutarage, H. (eds.) AI and cybersecurity 2021 (AI-Cybersec 2021): proceedings of the workshop on AI and cybersecurity (AI-Cybersec 2021) co-located with 41st (British Computer Society's Specialist Group on Artificial Intelligence) SGAI international conference on artificial intelligence (SGAI 2021), 14 December 2021, Cambridge, UK: [virtual conference]. Aachen: CEUR Workshop Proceedings [online], 3125, pages 1-13. Available from: http://ceur-ws.org/Vol-3125/paper1.pdf

Conference Name: 2021 Workshop on AI and cybersecurity (AI-Cybersec 2021), co-located with 41st (British Computer Society's Specialist Group on Artificial Intelligence) SGAI international conference on artificial intelligence (SGAI 2021)
Conference Location: Cambridge, UK
Start Date: Dec 14, 2021
Acceptance Date: Nov 21, 2021
Online Publication Date: Dec 14, 2021
Publication Date: Apr 17, 2022
Deposit Date: May 5, 2022
Publicly Available Date: May 5, 2022
Publisher: CEUR Workshop Proceedings
Pages: 1-13
Series Title: CEUR workshop proceedings
Series Number: 3125
Series ISSN: 1613-0073
Book Title: AI and cybersecurity 2021 (AI-Cybersec 2021): proceedings of the Workshop on AI and Cybersecurity (AI-Cybersec 2021) co-located with 41st (British Computer Society's Specialist Group on Artificial Intelligence) SGAI international conference on artificial
Keywords: Counterfactual explanations; Vulnerability detection; Explainable AI
Public URL: https://rgu-repository.worktribe.com/output/1654358
Publisher URL: http://ceur-ws.org/Vol-3125/
