Incorporating Signal Awareness in Source Code Modeling: An Application to Vulnerability Detection

Over the past few years, AI models have made significant progress in source code understanding tasks, such as function and variable naming [4, 5, 9, 71], code summarization [6, 41, 51, 83], code recommendation [57, 81], code completion [23, 66, 70], defect detection [26, 34, 37, 69, 74, 92], bug fixing [110, 111], amongst others [11, 117]. The wide availability of open source codebases has fueled this progress, and we have started to see the adoption of such AI models of code in software development workflows [7, 36, 107]. Ever more sophisticated models are emerging and pushing the state of the art rapidly. Although each new model improves upon its predecessor’s prediction performance in terms of F1 and accuracy measures, what remains relatively unexplored is whether the models are picking up the correct signals to arrive at their predictions.

From a model’s perspective, it might be doing an excellent job of learning to differentiate samples belonging to separate classes (e.g., “buggy” or “healthy” code in a vulnerability detection setting). But, as we observe, it may very well be the case that it does so by picking up noise or certain nuances from the dataset for their predictions, which are not representative to the task at hand. This includes learning unexpected correlations between samples and certain keywords or programming constructs like ifs/loops/variable names, which may be more prevalent in one sample class than the other. Learning class separators in this way could yield great classification performance, which may be perfectly acceptable in a theoretical or statistical setting. But, models influenced by such dataset nuances, as opposed to capturing task-relevant aspects of source code, are prone to failures when applied in real-world settings [8, 30, 85]. Ideally, a reliable vulnerability detection model, for example, would learn features or aspects of code directly related to or indicative of bugs, such as pairing mallocs and frees to detect potential resource leaks in program branches. Or, a lack of value-range validation of a variable prior to its use as a memory allocation size argument, indicating a potential buffer overflow vulnerability.

We refer to this aspect of the model’s quality signal awareness, i.e., learning the relevant signals in the input for making predictions, and explore it using a software vulnerability detection use-case. What used to be a domain traditionally dominated by static and dynamic analysis has recently witnessed assistance and competition from AI models. The high false positives of static analyzers and the lack of completeness of dynamic analysis are a few reasons promoting the entry of AI into this field [60, 109, 121]. However, unlike the rules and path/flow analysis of static analyzers and the execution tracing of dynamic analysis, it remains unclear as to what signals the AI models actually pick up for detecting vulnerabilities in source code. AI-based detectors, potentially learning task-irrelevant features, can lead to a false sense of security when applied to real-world usage, as substitutes for traditional source code analyzers. By enabling measurement of the model signal awareness, we can use it to guide the development of models that not only exhibit high accuracy but are also based on features relevant to the given task.

In this work, we perform a comprehensive exploration of model signal awareness—including its measurement, enhancement, and introspection. Our experience experimenting with existing models led us to doubt their quality in terms of what they are actually learning (Figure 1; Section 2). We thus started exploring ways to figure out if the models are capturing task-relevant signals. To assess model quality from this perspective, we developed a data-driven technique while treating the model as a black-box. This uncovered a lack of signal awareness in the current models, which motivated us to assist them toward focusing more on task-relevant aspects of source code (Figure 2; Section 2). We observed that not all code snippets are the same; some are more “noisy” than others—containing code not directly relevant to the learning task at hand. We targeted reducing this noise whilst preserving task-relevant signals. To this end, the concept of code complexity offered us a way to distinguish the different training samples, and we explored ways to introduce this code-complexity awareness in the models. We developed two code-centric approaches to guide model learning in this manner, and observed a subsequent improvement in the model signal awareness. To visualize how this altered model training scheme might have improved its signal awareness, we devised a way to introspect model learning from the perspective of the dataset. The code-level interpretations and developer-friendly insights generated by our approach can help assert trust in the models as they integrate with software development workflows. Figure 3 presents a view of all our approaches co-existing within the model training pipeline, described in detail in Section 4.

Briefly, the central idea of our model-probing approach is to first reduce the original source code input to a trained model into a minimal snippet, without changing the model prediction. This represents the minimal excerpt of the original code, which the model requires to arrive and maintain its original prediction. Then, taking the example of vulnerability detection, the model’s signal-awareness is determined by verifying if the minimal snippet contains the same vulnerability as the original code (Figure 4; Section 4.2). To improve model learning, we incorporate the notion of code complexity in the model training process, by (i) presenting programs in increasing order of their code complexity to the models, and (ii) generating simplified signal-preserving programs and augmenting them to the training dataset. Finally, we deduce model learning behaviour by comparing the code complexity of the samples grouped by their prediction accuracy from the model.

Results show substantial improvements in a model’s signal awareness when assisted with our approaches, across different datasets and models. Complexity-ranked training can provide up to 32% boost to the model’s Signal-aware Recall whereas program-simplification-based augmentation surpasses it, realizing up to \(4.8\times\) improvement. We use our data-driven model introspection approach to analyze these model learning improvements achieved. Amongst the model learning insights provided by our approach, is the issue of the models facing difficulty in understanding bigger (and more complex) code samples, which interestingly alleviates as augmentation levels increase.

Being data-driven, all our approaches are independent of the model learning algorithm, the learning task, and the source code programming language employed. We apply our approaches on three different neural network architectures operating on different popular representations of source code in the AI domain: (i) a convolutional neural network (CNN) treating code as a photo, (ii) a recurrent neural network (RNN) treating code as a linear sequence of tokens, and (iii) a graph neural network (GNN) operating on code as a graph. We use these models for vulnerability detection over three different datasets, in each case observing lack of signal awareness and subsequent enhancement with our approaches, while maintaining model classification performance. In our experiments, we use the Infer tool [32] to verify bug existence in the reduced samples. However, our approaches are independent of the specific bug-checker being employed (alternatives in Sections 7.3 and 8.3).

This article is an extension of our previous work [104], which presented our prediction-preserving input minimization (P2IM) approach to uncover the reliance of AI models of source code on task-irrelevant signals. Continuing along the AI model reliability theme, in this extended version, we build atop the findings of P2IM model-probing, to assist model learning. While P2IM uncovered a lack of signal awareness in AI models of code while hinting toward models’ reliance on task-irrelevant features, in this follow-up work, we focus on improving model reliability and trustworthiness. Specifically, we incorporate the concept of code complexity in model training, and introduce two approaches to improve model signal awareness, using the signal-aware recall (SAR) metric developed with P2IM. In this resulting work as well, we stick with the data-driven and SE-driven model exploration principles developed in P2IM. Additionally, in our previous position paper [105], we presented a categorization of the various reliability issues affecting AI models of code into the different stages of an AI pipeline, and called for efforts from the research community to ensure model quality. In this article, we concretize our early ideas on model accountability and traceability.

The main contributions of our overall work are as follows:

This article is organized as follows. We first discuss our motivation behind this work in Section 2, and then present a brief background on AI models for source code, as well as the Delta Debugging technique, in Section 3. Then, we present the details of our approaches in Section 4. Section 5 describes the experiment configuration, while Section 6 presents the results of our model signal awareness measurement, enhancement and introspection. Sections 7, 8, and 9 cover relevant discussions, threats to validity, and practical implications of our work, respectively. Section 10 covers related work, and finally Section 11 concludes this article.

The rapid proliferation of AI for source code understanding is leading to ever more sophisticated models, which are getting bigger and better with each successive iteration. Accompanying their rapid proliferation is an emerging scrutiny over the models’ reliability along multiple dimensions such as data duplication bias and labeling quality amongst others [3, 17, 53]. We have been experimenting with the state of the art to assess its quality from a practical perspective. We noticed that the models seem to suffer from weak generalizability and robustness—known AI frailties. These concerns become ever more important if the models are to be applied to sensitive tasks, such as ensuring code security. We observed the same weakness across several different models and datasets in a vulnerability detection setting, which led us to doubt the quality of the models in terms of what is it that they are actually learning. We thus started exploring ways to probe the models’ signal awareness.

Signal awareness is different than correctness—a model can learn a perfect separator between buggy and healthy code, but it can very well arrive at the separator by picking up dataset nuances, as opposed to real vulnerability signals. This can be caused when, for example, the model picks up unexpected correlations between code samples and sample lengths, or variable names, or certain programming constructs, which may happen to differ for buggy and healthy samples in a particular dataset. Learning a separator based on these non-representative signals, which may lead to great-looking performance numbers, is perfectly acceptable from a model’s perspective. The model is indeed doing its job of learning to classify, but this provides a false sense of security.

Signal-awareness or verifying if the models are learning the correct logic relevant to code analysis is crucial to generate trust in models if they are to be put into the field in competition to, or alongside, traditional static and dynamic analyzers. Furthermore, it adds an important measure of model quality, beyond the traditional statistical analysis measures, which can more fairly compare and guide improvements across model evolutions. In this work, we uncover this signal-awareness aspect of AI models of code, and quantify how much impact it has on their robustness as well as reported performance numbers.

A typical example of weak robustness is when an image classifier’s verdict on an input image changes on adding minor noise to the image imperceptible to the naked eye [16, 39, 106]. As shown in Figure 1, we observe the same issue with AI models of vulnerability detection, where even a 99 F1 model flips its prediction on only slightly different code variants. However, it should be reasonable to expect a high-quality model, which correctly picks up the real vulnerability signals, to demonstrate prediction robustness, if it is ever to be trusted in a practical security setting. Although such “perturbations” can be taken to be an adversarial attack on the model [16, 39, 106, 118], and similarly there can be defenses against such attacks such as training the model with several different code variants. But, this line of thought is complementary to our work. These observations merely triggered our suspicion around a disconnect between the reported model performance numbers versus the actual task-aware learning, similar in spirit to other prevailing doubts regarding model quality [3, 18, 53].

Our goal is not to discredit AI models of code by reiterating their brittleness, but to uncover and quantify how much impact task-agnostic training has on their reported performance numbers. Our hope is that revealing these shortcomings would motivate future research toward more task-aware learning, potentially guided by the SAR-Recall divide. We believe in the potential of AI for source code understanding to overcome this “weakness” of lacking signal-awareness with appropriate “guidance” during training. The model itself is doing its job well, learning how best to separate samples based on available input features, to reach a local minima in the loss landscape. But, as shown in Figure 2, there can exist other local minima in this landscape, which can offer similar model performance, but which rely on features more in sync with the task expectation. If we can somehow nudge the model to reach an alternate minima, while using domain-specific assistance, then perhaps the model’s signal awareness can be improved. This issue is widely seen in ML, and is typically solved by white-box or domain-specific approaches such as robust training and adversarial training [12, 38, 76, 124]. In this work, we explore code-centric, data-driven approaches to assist AI models of code in focusing more on task-relevant aspects of source code. We do this by leveraging SE techniques to transform the training data, incorporating the notion of complexity of code into model learning.

In this section, we first briefly describe three different neural network models that have been popularly employed for learning over source code, each operating at a different code representation. These include (i) a convolutional neural network treating code as a photo, (ii) a recurrent neural network treating code as a linear sequence of tokens, and (iii) a graph neural network operating on code as a graph. Later, we shall evaluate the signal awareness of these models, and its subsequent enhancement with our techniques, using our proposed SAR metric. After the model descriptions, we cover the basics of the Delta Debugging technique [123], which we use to reduce the input program samples to measure the models’ signal-awareness, and also to simplify the samples for our augmentation technique. Finally, we briefly describe the concept of Curriculum Learning, which we use in our complexity-ranked training approach.

Figure 3 (Section 1) presents a high-level overview of all our data-driven approaches co-existing within the typical AI modeling pipeline. Specifically, we add one model probing approach, two model assistance approaches and one model introspection approach to the pipeline. As shown in the Figure, our augmentation technique resides in the dataset curation phase, expanding the training set with simplified programs. Next in the pipeline resides our complexity-ranking approach, applicable during the model training phase, and operating atop either the original dataset or the augmented dataset, independently. Finally, once the model has been trained, either via generic training or complexity-ranked training, our model probing and introspection approaches come into play. The former measures the model signal awareness, while the latter deduces its learning behavior, respectively. All approaches can exist independently of each other, with the next section presenting a brief overview of each of them. Then, in the subsequent sections, we present the details of our model probing approach, followed by the model learning assistance approaches, and finally the introspection approach.

We now describe the setup we use, in terms of the datasets, models, and metrics, for evaluating our approaches.

The ready availability of large code bases to train upon, and the machine learning success in natural language understanding, have promoted the entry of AI into the source code analysis space. AI promises to understand the semantics of the code and alleviate the shortcomings of traditional code analysis approaches. There has been a rapid proliferation of AI models for source code understanding, and they have already started making there way into application deployment workflows, such as code scanning for security verification [107]. However, as we we have shown in this work, AI models of code, despite their high F1 and accuracy scores, are actually not learning task-relevant source code features. Our observations augment the recent concerns regarding the quality of AI models of code [3, 18, 53], motivating a call for their reliability to be verified, before offsetting the similarly-scrutinized traditional code analysis toolchain.

This has implications for both software developers adopting the models for code analysis, as well as researchers creating the AI models of code. Sub-par results, if any, of such quality checks can, for example, help the former decide whether the tremendous amount of resources, which model training increasingly consumes [15, 49], are better utilized for other kinds of code analysis or testing, such as fuzzing the application longer to catch more bugs. However, we believe that a concerted effort from the research community to acknowledge and resolve these model reliability concerns will go a long way in better utilizing the potential of AI for source code understanding.

Our work augments the common metrics toolbox of model quality measurement (e.g., F1 and accuracy) with a quantitative measure of model reliability and trustworthiness—our SAR metric to measure model signal awareness. Building atop this, we highlight the potential of AI for source code understanding, by presenting data-driven and SE-assisted techniques to improve model learning quality. We hope our work motivates future research toward ensuring accountability for more task-aware learning, potentially guided by the SAR-Recall divide, as well as traceability in terms of analyzing behavioral trends across data affecting model performance.

In the software engineering community, efforts have been made to detect vulnerabilities by isolating relevant statements using program-slicing-based techniques [46, 96, 108, 116]. Essentially, the main idea of such approaches is to identify the subsets of the program that introduce the defects. Recently, program slicing has also been used in AI-assisted vulnerability detection tasks [69] to extract bug relevant programming constructs. If a vulnerability detection model can capture the real signals, then it should be able to identify such subsets too. In this work, we treat models as black boxes and feed them with different subsets of a program to evaluate how well they pick up the real signals. And to efficiently and systematically generate the subsets, we borrow a popular fault isolation technique of Delta Debugging.

The most relevant work using Delta Debugging (DD) and its variant methods is software failure diagnosis and isolation [43, 79, 122, 123]. The main advantage of DD is that it can significantly reduce the number of tests needed to locate the problem. To the best of our knowledge, our approach is the first attempt of using DD to interpret and compare models’ signal awareness. A recent parallel effort [87] also uses DD to minimize inputs to AI models on software engineering tasks. Its focus is on the qualitative properties of the reduced code samples, as opposed to our SAR-based quantification of the impact of signal-agnostic training on the models’ reported performance numbers.

Our P2IM approach can be viewed as belonging to the metamorphic testing paradigm [21], applied to AI models [48, 130]. In particular, based on an input code snippet and its prediction by a model under test, we systematically construct new “tests” by minimizing the original snippet and make sure the model produces the same prediction as the original input. Then, we check the metamorphic relations among the inputs and output predictions of multiple executions. A test violation can be detected if the original input and its minimal version do not have the same vulnerability. With the same intuition as seen in ChiMerge [56] that learns discretization schemes of intervals dynamically while the \(\chi ^2\) statistics of each discretized group remain significant, we progressively group and merge inputs that are output-dependent or output-independent. Thus, while ChiMerge is a statistical way of range testing, we use the SE technique of DD as illustrated in Figure 6.

With regard to model robustness and reliability research in deep learning, metrics have been proposed for distance ratio among samples in the same class and in all other classes [54]. This is based on the intuition that, for a reliable model, inputs in the same class should be closer to each other in the model’s latent space, as compared to inputs in the other class. Extensive research has also contributed to constructing sophisticated attack/defense methods and evaluating accuracy under \(\ell _{p}\)-norms bounded adversarial perturbations [31, 39, 62, 76, 80, 97]. Different from current metrics, we directly probe the existence of true signals inside the models’ 1-minimal representations. To the best of our knowledge, our metric SAR is the first of its kind to evaluate deep learning models’ signal awareness in this domain.

Our method augments the common metrics toolbox with an alternative way to examine the model quality, giving reliability and trustworthiness to black-box AI models. P2IM brings in multiple enhancements as compared to popular perturbation-based model interpretability methods that work on individual input instances, such as LIME [90] and others as summarized in a recent survey [27]. While other approaches are able to derive parts of an input that contribute most to the model’s final prediction, unlike our method, they cannot tell if the highlighted parts are the correct task-relevant signals. Another contrasting capability P2IM offers is to quantify how well a model learns the correct signals, thereby providing a signal-aware mechanism to compare different models. This is especially useful when competing models have comparable performance on traditional metrics (e.g., F1). Furthermore, the search space, and thus the time complexity, for such approaches can be huge, given the possible combinations of the different parts of the inputs to be explored. Thanks to the DD algorithm, P2IM directly minimizes the input, significantly accelerating the search for the relevant parts of the input.

In addition to our model-probing approach, we also present model-assistance approaches to improve the models’ signal awareness. We do this by simplifying the training set samples using DD, and augmenting them back into the training mix. Augmentation methods are popular in AI in general, including domain-specific approaches such as image transformations [98], text transformations [14], data-driven approaches such as SMOTE [19], formal and empirical augmentation [63, 120], amongst others. Complementary to these approaches, our augmentation approach is focused specifically toward improving the signal awareness of source code models. A key difference is that general AI approaches usually assume the input under augmentation would keep the original labels, since it is extremely hard to check for images and texts without huge manual effort, while this assumption may not always be true. Our approach utilizes the benefits of working in the well-defined source code space; therefore, we can assure the validity and correctness of our code augmentation. In the context of vulnerability detection, preserving existing bugs while generating simplified programs is the key difference in our approach. This is in contrast to existing source-level bug-seeding-based augmentation methods, which can lead to previously unseen bugs [13, 29, 78, 84, 86, 91, 112].

Our second approach to improving model signal awareness combines code complexity with curriculum learning (CL) [10, 40, 44]. While CL has previously been applied using general complexity measures of images and texts to rank training samples in the vision and natural language domains, we use code-specific complexity measures to tailor the models toward source code understanding. Different to CL, which is data-driven, denoising approaches used in BART [65] and PLBART [2] are usually built into the model’s pretraining process, and assist model learning by mapping noisy input to noise-less input. The pretraining tasks involve text/code generation while the input sequence is randomly shuffled and blocks of tokens are masked. It requires model specific tuning and task design, whereas CL, and thus our complexity-ranked training approach, is model and task agnostic.

Finally, we also use the notion of code complexity to introspect model learning. Existing explanation approaches tend to use white-box model internals to add some transparency into the model logic. This includes probing the model’s gradient [94, 99, 102, 128] to highlight input regions most influencing the model’s prediction, or fitting interpretable surrogate models to approximate the deep learning model’s behavior [42, 75, 90], and then using the surrogate to derive the feature importance ranking for the input. The approximate nature of such mappings, from the model side back to the data, can make them misleading [1]. The prevalence of Transformer-based models, exemplified by CodeBERT [33] and CodeX [20], has given rise to the exploration of their explanation generation. Similar to existing methods, the explanation of Transformer-based models can be accomplished by means of gradient-based perturbation [24]; however, due to the discreteness of the input, the discrete search space poses a formidable obstacle for efficient explanation generation. Based on the Transformer’s attention mechanism, DietCode [126] leveraged the attention weights of the Transformer and demonstrated that discarding tokens with insignificant attention weights would result in negligible impact on the final model prediction, hence large attention weight should be considered equivalent to high importance. Nevertheless, it has been pointed out that attention is not explanation [52]; in fact, learned attention weights often display little correlation with gradient-based measures of feature significance, and it is possible to observe varying attention distributions that lead to the same predictions. Explanation methods have also been created for graphical neural networks, attributing importance to graph nodes and edges by using attention mechanisms [114, 115], or via maximizing mutual information between inputs and outputs [119]. Our model learning introspection approach is complementary to these explanation approaches as it treats models as black boxes, deducing model learning from the dataset’s perspective, based on concretely defined characteristics of source code. This empowers our approach to offer more code-centric and developer-friendly insights. This is in contrast to certain other approximation-based black-box explanation approaches [87], which do not require the inputs to remain natural or valid. Furthermore, unlike our work, these do not tie source code constructs to model signal awareness.

Using SE concepts, we developed data-driven approaches to assist AI models of code in learning task-relevant aspects of source code better. We first presented a prediction-preserving input minimization approach to probe the signal awareness of the models. We formulated a new metric to measure task-relevant learning—Signal-aware Recall (SAR), augmenting the common metrics toolbox with a signal-aware alternative to model quality measurement. SAR measurement enables asserting trust and reliability to black-box AI models. Results show a significant lack of signal awareness in the current models, across architectures and datasets. SAR amounting to only less than half of Recall, suggests that the models are presumably learning a lot of noises or dataset nuances, as opposed to capturing task-specific signals. To enhance model signal-awareness, we incorporated the notion of complexity of source code into model training. We achieved significant improvements with our complexity-ranked training and program-simplification-based augmentation approaches, while maintaining model performance. We carried the notion of complexity into model introspection, and presented code-centric insights into black-box model learning. Moving forward, we look to explore active learning approaches, helping the model with targeted SE-assistance, e.g., picking specific samples for augmentation where the model is facing difficulty learning.