26 Jan 2024 | Sicong Cao, Xiaobing Sun, Xiaoxue Wu, David Lo, Lili Bo, Bin Li, and Wei Liu
**Coca: Improving and Explaining Graph Neural Network-Based Vulnerability Detection Systems**
**Authors:** Sicong Cao, Xiaobing Sun, Xiaoxue Wu, David Lo, Lili Bo, Bin Li, and Wei Liu
**Abstract:**
Graph Neural Network (GNN)-based vulnerability detection systems have shown significant success, but their lack of explainability poses a critical challenge for deployment in security domains. This paper introduces Coca, a framework designed to enhance the robustness of GNN-based models and provide more effective and concise explanations for detected vulnerabilities. Coca consists of two core components: Trainer and Explainer. The Trainer uses combinatorial contrastive learning to train a robust detection model, while the Explainer employs dual-view causal inference to derive crucial code statements that are most decisive for the detected vulnerability. Experimental results on three state-of-the-art GNN-based detectors demonstrate that Coca effectively mitigates spurious correlations and provides high-quality explanations.
**Key Contributions:**
1. **Enhanced Robustness:** Coca enhances the robustness of GNN-based models to random perturbations, avoiding spurious explanations.
2. **Effective and Concise Explanations:** Coca provides both concise and effective explanations by integrating factual and counterfactual reasoning.
3. **Model-Agnostic:** The framework is applicable to any GNN-based vulnerability detector without requiring specific adaptations.
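To make the "factual and counterfactual reasoning" behind contribution 2 concrete, here is an added illustration that is not code from the paper or from the Coca project. It uses a constructed six-statement data-flow graph and a hand-written reachability check as a stand-in for a trained GNN detector (an assumption; Coca's Explainer works on a real model and does not search subsets exhaustively). The three functions return the smallest statement set that, respectively, alone still triggers the detector (factual view), silences it when removed (counterfactual view), and does both at once (dual view).

```python
"""Factual vs. counterfactual vs. dual-view explanations on a toy code graph."""
from itertools import combinations
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Constructed toy program graph (not taken from the paper's datasets):
# statement id -> kind. Comments show the statement each node stands for.
STATEMENTS: Dict[int, str] = {
    1: "source",   # n = read_length()        untrusted input
    2: "compute",  # size = n * 4
    3: "sink",     # memcpy(buf, src, size)   memory-unsafe use of n
    4: "source",   # off = read_offset()      second untrusted input
    5: "sink",     # buf[off] = c             memory-unsafe use of off
    6: "compute",  # log_debug(n)             harmless use
}
# Data-flow edges (from -> to), also constructed for this example.
EDGES: List[Tuple[int, int]] = [(1, 2), (2, 3), (4, 5), (1, 6)]
ALL_NODES: FrozenSet[int] = frozenset(STATEMENTS)


def detector(kept: FrozenSet[int]) -> bool:
    """Stand-in for the trained GNN detector (an assumption, not Coca's model).

    Returns True ("vulnerable") if, in the subgraph induced by `kept`, some
    untrusted source reaches a sink along data-flow edges.
    """
    succ: Dict[int, List[int]] = {n: [] for n in kept}
    for a, b in EDGES:
        if a in kept and b in kept:
            succ[a].append(b)
    frontier = [n for n in kept if STATEMENTS[n] == "source"]
    seen = set(frontier)
    while frontier:
        n = frontier.pop()
        if STATEMENTS[n] == "sink":
            return True
        for m in succ[n]:
            if m not in seen:
                seen.add(m)
                frontier.append(m)
    return False


def _smallest(pred: Callable[[FrozenSet[int]], bool]) -> Optional[FrozenSet[int]]:
    """Return the smallest (then lexicographically first) statement subset
    satisfying `pred`. Exhaustive, so only suitable for toy-sized graphs."""
    for size in range(1, len(ALL_NODES) + 1):
        for combo in combinations(sorted(ALL_NODES), size):
            subset = frozenset(combo)
            if pred(subset):
                return subset
    return None


def factual_explanation() -> Optional[FrozenSet[int]]:
    """Factual view: smallest statement set that *alone* still triggers the alarm."""
    return _smallest(lambda s: detector(s))


def counterfactual_explanation() -> Optional[FrozenSet[int]]:
    """Counterfactual view: smallest statement set whose *removal* silences the alarm."""
    return _smallest(lambda s: not detector(ALL_NODES - s))


def dual_view_explanation() -> Optional[FrozenSet[int]]:
    """Dual view: sufficient to reproduce the alarm and necessary for it."""
    return _smallest(lambda s: detector(s) and not detector(ALL_NODES - s))


if __name__ == "__main__":
    assert detector(ALL_NODES), "the whole toy graph should be flagged"
    for name, fn in [("factual", factual_explanation),
                     ("counterfactual", counterfactual_explanation),
                     ("dual-view", dual_view_explanation)]:
        print(f"{name:15s} -> statements {sorted(fn() or [])}")
```

On this graph the factual view returns only the shorter flow (statements 4 and 5): enough to reproduce the alarm, but removing it leaves the other flow intact, so it is not a complete fix list. The counterfactual view returns one cut per flow (statements 1 and 4): removing them silences the detector, but the set on its own does not reproduce any vulnerability, so it is hard to read as a concrete bug. The dual view returns statements 1, 4 and 5, a set that both exhibits a vulnerable flow and, when removed, leaves nothing for the detector to flag, which is the kind of concise-yet-decisive explanation the abstract describes.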
**Experiments:**
- **Detection Performance:** Coca significantly improves the detection accuracy and robustness of GNN-based models.
- **Explanation Performance:** Coca outperforms state-of-the-art explainers in terms of effectiveness and conciseness.
- **Ablation Study:** The effectiveness of combinatorial contrastive learning and dual-view causal inference is validated through ablation studies.
**Conclusion:**
Coca addresses the challenges of explainability in GNN-based vulnerability detection systems, providing a robust and explainable solution for security practitioners.