
Research On Automatic Generation Of Vulnerability Features For Program Code

Posted on: 2021-09-29
Degree: Master
Type: Thesis
Country: China
Candidate: Y W Zhu
GTID: 2518306104488504
Subject: Cyberspace security

Abstract/Summary:
Detecting software vulnerabilities is an important problem, and a recent development in tackling it is the use of deep learning models to detect software vulnerabilities. However, because of the black-box nature of deep learning, it is hard to explain why a model predicts a piece of code as vulnerable or not. Indeed, the automatic generation of vulnerability features is a daunting open problem.

In this paper, we take a step towards the interpretability of deep learning models in vulnerability detection scenarios, in order to solve the problem of automatically generating vulnerability features from vulnerability-related code. Specifically, we introduce a high-fidelity explanation method which, through a heuristic algorithm, identifies a small number of feature values that make significant contributions to a model's prediction for a given example, and sorts these features by their importance. We assess the fidelity of the explanation method and further extract human-understandable vulnerability rules from the model based on the important tokens, in order to understand the deep learning model's prediction results.

We conduct experiments on fidelity evaluation and on the extraction of vulnerability rules. To evaluate the fidelity of the model explanation method, we compare it with other existing model explanation methods on a deep-learning-based software vulnerability detector proposed in prior work. Systematic experiments show that, in the model-impact fidelity evaluation, our method scores 1.3 times or more than the existing methods on the VPC metric. In the end-to-end impact fidelity evaluation, our explanation method shows a 24% lower PCR than the average PCR of the existing methods, which indicates that our method outperforms them. In particular, the method can produce human-understandable vulnerability rules that domain experts can use to accept a detector's outputs (i.e., true positives) or reject them (i.e., false positives and false negatives) according to the meaning of the rules. Some of the rules match the vulnerability rules formulated by hand by domain experts in commercial vulnerability detection tools.
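The abstract describes a heuristic that ranks the tokens of a code example by their contribution to the detector's prediction and then derives human-readable rules from the important tokens. The Python below is added here as an illustration and is not the thesis's algorithm or code: it shows the simplest model-agnostic form of such a sensitivity analysis, leave-one-out token perturbation over a black-box detector, a greedy search for a minimal set of tokens that reproduces the prediction, and two generic perturbation-based fidelity measures (sufficiency and comprehensiveness, which are not the VPC and PCR metrics named in the abstract). The detector `toy_detector`, its weights, the token lists and the tolerance are all constructed for the example; a real detector would be a trained network of which only its prediction function is used.

```python
import math
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# A detector is treated as a black box: tokens in, P(vulnerable) out.
Model = Callable[[Sequence[str]], float]


def toy_detector(tokens: Sequence[str]) -> float:
    """Constructed stand-in for a trained detector (weights are invented).
    Scores a tokenised C statement and returns P(vulnerable)."""
    present = set(tokens)
    score = -2.0                                  # prior: most code is benign
    if "strcpy" in present:
        score += 3.0
    if "gets" in present:
        score += 4.0
    if "strncpy" in present:
        score -= 1.0
    if "sizeof" in present:
        score -= 2.5
    if "strcpy" in present and "sizeof" not in present:
        score += 1.0                              # interaction: unchecked copy
    if "argv" in present:
        score += 1.5                              # externally controlled input
    return 1.0 / (1.0 + math.exp(-score))


def token_importance(model: Model, tokens: Sequence[str]) -> List[Tuple[str, float]]:
    """Leave-one-out sensitivity: drop each token occurrence, re-query the model
    and record how far the probability of the *predicted* class falls.
    Positive values support the prediction, negative values argue against it."""
    base = model(tokens)
    sign = 1.0 if base >= 0.5 else -1.0
    scores: Dict[str, float] = {}
    for i, tok in enumerate(tokens):
        perturbed = list(tokens[:i]) + list(tokens[i + 1:])
        effect = sign * (base - model(perturbed))
        scores[tok] = max(scores.get(tok, -math.inf), effect)   # best occurrence
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def minimal_sufficient_tokens(model: Model, tokens: Sequence[str],
                              ranked: Optional[List[Tuple[str, float]]] = None,
                              tol: float = 0.05) -> List[str]:
    """Greedy search: add tokens in importance order until the model, shown only
    those tokens (in their original order), gives the same label and a
    probability within `tol` of the original. The result is the candidate rule."""
    base = model(tokens)
    label = base >= 0.5
    ranked = ranked if ranked is not None else token_importance(model, tokens)
    kept: List[str] = []
    for tok, _ in ranked:
        kept.append(tok)
        p = model([t for t in tokens if t in set(kept)])
        if (p >= 0.5) == label and abs(p - base) <= tol:
            return kept
    return kept


def fidelity(model: Model, tokens: Sequence[str], selected: Sequence[str]) -> Tuple[float, float]:
    """Sufficiency: P(predicted class) when only the selected tokens remain.
    Comprehensiveness: drop in P(predicted class) when they are removed."""
    base = model(tokens)
    pred = (lambda p: p) if base >= 0.5 else (lambda p: 1.0 - p)
    sel = set(selected)
    sufficiency = pred(model([t for t in tokens if t in sel]))
    comprehensiveness = pred(base) - pred(model([t for t in tokens if t not in sel]))
    return sufficiency, comprehensiveness


def explain(model: Model, tokens: Sequence[str], tol: float = 0.05) -> dict:
    """Full pipeline: rank tokens, pick a minimal sufficient set, score it and
    render it as a rule a reviewer can read."""
    ranked = token_importance(model, tokens)
    selected = minimal_sufficient_tokens(model, tokens, ranked, tol)
    suff, comp = fidelity(model, tokens, selected)
    label = "vulnerable" if model(tokens) >= 0.5 else "not vulnerable"
    return {
        "label": label,
        "ranked": ranked,
        "rule": f"{label} if all of {sorted(selected)} are present",
        "sufficiency": suff,
        "comprehensiveness": comp,
    }


# Constructed token sequences (two C statements split into tokens).
VULNERABLE = ["char", "buf", "[", "64", "]", ";", "strcpy", "(", "buf", ",",
              "argv", "[", "1", "]", ")", ";"]
SAFE = ["strncpy", "(", "buf", ",", "argv", "[", "1", "]", ",", "sizeof", "(",
        "buf", ")", ")", ";"]

if __name__ == "__main__":
    for sample in (VULNERABLE, SAFE):
        result = explain(toy_detector, sample)
        print(result["rule"])
        print("  top tokens:", result["ranked"][:3])
        print(f"  sufficiency={result['sufficiency']:.3f} "
              f"comprehensiveness={result['comprehensiveness']:.3f}")
```

Run on the constructed inputs, the vulnerable statement is explained by the two tokens `strcpy` and `argv` (removing `strcpy` alone already flips the prediction), while the safe statement is explained by `sizeof`, with `argv` ranked last because it argues against the "not vulnerable" label. The sufficiency and comprehensiveness scores are what a fidelity evaluation would aggregate over a whole test set before comparing explanation methods.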
Keywords/Search Tags: Vulnerability detection, explainable AI, deep learning, sensitivity analysis