VulEXplaineR: XAI for Vulnerability Detection on Assembly Code

Samaneh Mahdavifar; Mohd Saqib; Benjamin C.M. Fung; Philippe Charland; Andrew Walenstein

doi:10.1007/978-3-031-70378-2_1

VulEXplaineR: XAI for Vulnerability Detection on Assembly Code

Samaneh Mahdavifar^*
, Mohd Saqib
, Benjamin C.M. Fung
, Philippe Charland
, Andrew Walenstein

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

3 Scopus citations

Abstract

Software vulnerabilities have posed significant threats to on-premise as well as cloud servers and applications. So far, numerous studies have focused on identifying and addressing software vulnerabilities at the binary level. Traditional approaches often involve highly complicated static and dynamic analysis techniques. Current intelligent methods are not explainable to reverse engineers, making them incapable of validating the detected vulnerabilities. In this paper, we propose VulEXplaineR, an XAI method for vulnerability detection based on assembly code. It employs BERT for block embedding, augmented with TFIDF of blocks and operand types information, to provide an effective vulnerability detection/explanation framework. VulEXplaineR takes a trained GCNN and its predictions and returns an explanation in the form of a small subgraph of the input graph. It is based on PGExplainer, a perturbation-based global explanation model for GNNs. We augment edge distribution with the edge feature in the form of intra-function jumps between blocks or inter-function calls between functions. The experimental results on the NDSS2018 and Juliet Test datasets demonstrate that VulEXplaineR outperforms the current state-of-the-art baselines in vulnerability detection. Unlike other baseline models, VulEXplaineR provides a high level of explainability as a complementary aid to a reverse engineer, for a more accurate function analysis. We measure fidelity to demonstrate how much two predictions from the extracted subgraph and the original graph match. Furthermore, we conduct a case study to show that VulEXplaineR not only identifies functions and basic blocks that cause the vulnerability, but also highlights interdependencies between those functions and blocks.

Original language	English
Title of host publication	Machine Learning and Knowledge Discovery in Databases. Applied Data Science Track - European Conference, ECML PKDD 2024, Proceedings
Editors	Albert Bifet, Tomas Krilavičius, Ioanna Miliou, Slawomir Nowaczyk
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	3-20
Number of pages	18
ISBN (Print)	9783031703775
DOIs	https://doi.org/10.1007/978-3-031-70378-2_1
State	Published - 2024
Externally published	Yes
Event	European Conference on Machine Learning and Principles and Practice of Knowledge Discovery in Databases, ECML PKDD 2024 - Vilnius, Lithuania Duration: 9 Sep 2024 → 13 Sep 2024

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	14949 LNAI
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	European Conference on Machine Learning and Principles and Practice of Knowledge Discovery in Databases, ECML PKDD 2024
Country/Territory	Lithuania
City	Vilnius
Period	9/09/24 → 13/09/24

Bibliographical note

Publisher Copyright:
© Crown 2024.

Keywords

BERT
TFIDF
Vulnerability
assembly code
block embedding
explainability
graph neural network
subgraph

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-031-70378-2_1

Cite this

Mahdavifar, S., Saqib, M., Fung, B. C. M., Charland, P., & Walenstein, A. (2024). VulEXplaineR: XAI for Vulnerability Detection on Assembly Code. In A. Bifet, T. Krilavičius, I. Miliou, & S. Nowaczyk (Eds.), Machine Learning and Knowledge Discovery in Databases. Applied Data Science Track - European Conference, ECML PKDD 2024, Proceedings (pp. 3-20). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 14949 LNAI). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-70378-2_1

Mahdavifar, Samaneh ; Saqib, Mohd ; Fung, Benjamin C.M. et al. / VulEXplaineR : XAI for Vulnerability Detection on Assembly Code. Machine Learning and Knowledge Discovery in Databases. Applied Data Science Track - European Conference, ECML PKDD 2024, Proceedings. editor / Albert Bifet ; Tomas Krilavičius ; Ioanna Miliou ; Slawomir Nowaczyk. Springer Science and Business Media Deutschland GmbH, 2024. pp. 3-20 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{20e2c4af856f47ed9727eb5436f49562,

title = "VulEXplaineR: XAI for Vulnerability Detection on Assembly Code",

abstract = "Software vulnerabilities have posed significant threats to on-premise as well as cloud servers and applications. So far, numerous studies have focused on identifying and addressing software vulnerabilities at the binary level. Traditional approaches often involve highly complicated static and dynamic analysis techniques. Current intelligent methods are not explainable to reverse engineers, making them incapable of validating the detected vulnerabilities. In this paper, we propose VulEXplaineR, an XAI method for vulnerability detection based on assembly code. It employs BERT for block embedding, augmented with TFIDF of blocks and operand types information, to provide an effective vulnerability detection/explanation framework. VulEXplaineR takes a trained GCNN and its predictions and returns an explanation in the form of a small subgraph of the input graph. It is based on PGExplainer, a perturbation-based global explanation model for GNNs. We augment edge distribution with the edge feature in the form of intra-function jumps between blocks or inter-function calls between functions. The experimental results on the NDSS2018 and Juliet Test datasets demonstrate that VulEXplaineR outperforms the current state-of-the-art baselines in vulnerability detection. Unlike other baseline models, VulEXplaineR provides a high level of explainability as a complementary aid to a reverse engineer, for a more accurate function analysis. We measure fidelity to demonstrate how much two predictions from the extracted subgraph and the original graph match. Furthermore, we conduct a case study to show that VulEXplaineR not only identifies functions and basic blocks that cause the vulnerability, but also highlights interdependencies between those functions and blocks.",

keywords = "BERT, TFIDF, Vulnerability, assembly code, block embedding, explainability, graph neural network, subgraph",

author = "Samaneh Mahdavifar and Mohd Saqib and Fung, \{Benjamin C.M.\} and Philippe Charland and Andrew Walenstein",

note = "Publisher Copyright: {\textcopyright} Crown 2024.; European Conference on Machine Learning and Principles and Practice of Knowledge Discovery in Databases, ECML PKDD 2024 ; Conference date: 09-09-2024 Through 13-09-2024",

year = "2024",

doi = "10.1007/978-3-031-70378-2\_1",

language = "English",

isbn = "9783031703775",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "3--20",

editor = "Albert Bifet and Tomas Krilavi{\v c}ius and Ioanna Miliou and Slawomir Nowaczyk",

booktitle = "Machine Learning and Knowledge Discovery in Databases. Applied Data Science Track - European Conference, ECML PKDD 2024, Proceedings",

address = "Germany",

}

Mahdavifar, S, Saqib, M, Fung, BCM, Charland, P & Walenstein, A 2024, VulEXplaineR: XAI for Vulnerability Detection on Assembly Code. in A Bifet, T Krilavičius, I Miliou & S Nowaczyk (eds), Machine Learning and Knowledge Discovery in Databases. Applied Data Science Track - European Conference, ECML PKDD 2024, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 14949 LNAI, Springer Science and Business Media Deutschland GmbH, pp. 3-20, European Conference on Machine Learning and Principles and Practice of Knowledge Discovery in Databases, ECML PKDD 2024, Vilnius, Lithuania, 9/09/24. https://doi.org/10.1007/978-3-031-70378-2_1

VulEXplaineR: XAI for Vulnerability Detection on Assembly Code. / Mahdavifar, Samaneh; Saqib, Mohd; Fung, Benjamin C.M. et al.
Machine Learning and Knowledge Discovery in Databases. Applied Data Science Track - European Conference, ECML PKDD 2024, Proceedings. ed. / Albert Bifet; Tomas Krilavičius; Ioanna Miliou; Slawomir Nowaczyk. Springer Science and Business Media Deutschland GmbH, 2024. p. 3-20 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 14949 LNAI).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - VulEXplaineR

T2 - European Conference on Machine Learning and Principles and Practice of Knowledge Discovery in Databases, ECML PKDD 2024

AU - Mahdavifar, Samaneh

AU - Saqib, Mohd

AU - Fung, Benjamin C.M.

AU - Charland, Philippe

AU - Walenstein, Andrew

N1 - Publisher Copyright: © Crown 2024.

PY - 2024

Y1 - 2024

N2 - Software vulnerabilities have posed significant threats to on-premise as well as cloud servers and applications. So far, numerous studies have focused on identifying and addressing software vulnerabilities at the binary level. Traditional approaches often involve highly complicated static and dynamic analysis techniques. Current intelligent methods are not explainable to reverse engineers, making them incapable of validating the detected vulnerabilities. In this paper, we propose VulEXplaineR, an XAI method for vulnerability detection based on assembly code. It employs BERT for block embedding, augmented with TFIDF of blocks and operand types information, to provide an effective vulnerability detection/explanation framework. VulEXplaineR takes a trained GCNN and its predictions and returns an explanation in the form of a small subgraph of the input graph. It is based on PGExplainer, a perturbation-based global explanation model for GNNs. We augment edge distribution with the edge feature in the form of intra-function jumps between blocks or inter-function calls between functions. The experimental results on the NDSS2018 and Juliet Test datasets demonstrate that VulEXplaineR outperforms the current state-of-the-art baselines in vulnerability detection. Unlike other baseline models, VulEXplaineR provides a high level of explainability as a complementary aid to a reverse engineer, for a more accurate function analysis. We measure fidelity to demonstrate how much two predictions from the extracted subgraph and the original graph match. Furthermore, we conduct a case study to show that VulEXplaineR not only identifies functions and basic blocks that cause the vulnerability, but also highlights interdependencies between those functions and blocks.

AB - Software vulnerabilities have posed significant threats to on-premise as well as cloud servers and applications. So far, numerous studies have focused on identifying and addressing software vulnerabilities at the binary level. Traditional approaches often involve highly complicated static and dynamic analysis techniques. Current intelligent methods are not explainable to reverse engineers, making them incapable of validating the detected vulnerabilities. In this paper, we propose VulEXplaineR, an XAI method for vulnerability detection based on assembly code. It employs BERT for block embedding, augmented with TFIDF of blocks and operand types information, to provide an effective vulnerability detection/explanation framework. VulEXplaineR takes a trained GCNN and its predictions and returns an explanation in the form of a small subgraph of the input graph. It is based on PGExplainer, a perturbation-based global explanation model for GNNs. We augment edge distribution with the edge feature in the form of intra-function jumps between blocks or inter-function calls between functions. The experimental results on the NDSS2018 and Juliet Test datasets demonstrate that VulEXplaineR outperforms the current state-of-the-art baselines in vulnerability detection. Unlike other baseline models, VulEXplaineR provides a high level of explainability as a complementary aid to a reverse engineer, for a more accurate function analysis. We measure fidelity to demonstrate how much two predictions from the extracted subgraph and the original graph match. Furthermore, we conduct a case study to show that VulEXplaineR not only identifies functions and basic blocks that cause the vulnerability, but also highlights interdependencies between those functions and blocks.

KW - BERT

KW - TFIDF

KW - Vulnerability

KW - assembly code

KW - block embedding

KW - explainability

KW - graph neural network

KW - subgraph

UR - https://www.scopus.com/pages/publications/85203869541

U2 - 10.1007/978-3-031-70378-2_1

DO - 10.1007/978-3-031-70378-2_1

M3 - Conference contribution

AN - SCOPUS:85203869541

SN - 9783031703775

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 3

EP - 20

BT - Machine Learning and Knowledge Discovery in Databases. Applied Data Science Track - European Conference, ECML PKDD 2024, Proceedings

A2 - Bifet, Albert

A2 - Krilavičius, Tomas

A2 - Miliou, Ioanna

A2 - Nowaczyk, Slawomir

PB - Springer Science and Business Media Deutschland GmbH

Y2 - 9 September 2024 through 13 September 2024

ER -

Mahdavifar S, Saqib M, Fung BCM, Charland P, Walenstein A. VulEXplaineR: XAI for Vulnerability Detection on Assembly Code. In Bifet A, Krilavičius T, Miliou I, Nowaczyk S, editors, Machine Learning and Knowledge Discovery in Databases. Applied Data Science Track - European Conference, ECML PKDD 2024, Proceedings. Springer Science and Business Media Deutschland GmbH. 2024. p. 3-20. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-031-70378-2_1