Despite the successes of machine learning (ML) and deep learning (DL) based
vulnerability detectors (VD), they are limited to providing only the decision
on whether a given code is vulnerable or not, without details on what part of
the code is relevant to the detected vulnerability. We present IVDetect an
interpretable vulnerability detector with the philosophy of using Artificial
Intelligence (AI) to detect vulnerabilities, while using Intelligence Assistant
(IA) via providing VD interpretations in terms of vulnerable statements.
For vulnerability detection, we separately consider the vulnerable statements
and their surrounding contexts via data and control dependencies. This allows
our model better discriminate vulnerable statements than using the mixture of
vulnerable code and~contextual code as in existing approaches. In addition to
the coarse-grained vulnerability detection result, we leverage interpretable AI
to provide users with fine-grained interpretations that include the sub-graph
in the Program Dependency Graph (PDG) with the crucial statements that are
relevant to the detected vulnerability. Our empirical evaluation on
vulnerability databases shows that IVDetect outperforms the existing DL-based
approaches by 43%–84% and 105%–255% in top-10 nDCG and MAP ranking scores.
IVDetect correctly points out the vulnerable statements relevant to the
vulnerability via its interpretation~in 67% of the cases with a top-5 ranked
list. It improves over baseline interpretation models by 12.3%–400% and
9%–400% in accuracy.