Questions on sub-ePDG depth and normalization

[yunhao-qian]

Hi, thank you for the excellent paper and open sourcing of the project. I am working on a new project that modifies and uses your code, and here are two questions I have.

1. I notice a depth_limit option for controlling the depth of sub-ePDGs at runtime, but this option is unused in the hector train command line, which means that the sub-ePDG of a manifestation point always includes all its predecessor nodes. There might be situations where a malicious sub-ePDG is a subgraph of another sub-ePDG labelled benign. Are these situations expected, or we should avoid them early in the data preprocessing step?
2. The VulChecker paper mentioned a batch normalization layer between the GNN and the MLP classifier, while model.py has an orphan BatchNorm module left unused. Was there any reason behind that change? Or has it been replaced because the normalization performed by hector feature_stats achieves a similar goal?

[gmacon]

1. The depth_limit is set in hector train, but by a somewhat convoluted path: a Predictor is constructed with the parameter embedding_steps set from the command line option --embedding-steps (default value: 4), and then predictor.depth_limit is passed to TrainingData.from_parameters. In the Predictor, the depth_limit attribute is defined to just expose the embedding_steps paramter.
2. My memory on this point is a little vague, but I believe the intent was to replace the batch normalization in the model with an ahead-of-time normalization that happens during data loading. Based on that, I think the unused BatchNorm module was left in by mistake.

[ulysseyson]

In my opinion, the question for question 1 was insufficiently answered.
I still don't know if we should avoid the problem that a malicious sub-ePDG may be a subgraph of another benign sub-ePDG.

Is the reason you didn't go deep into the problem that the sampling step may contain a malicious sub-ePDG, because you trust the manifestation_distance you set in the sampling step? Which is the feature that tells model should not concentrate on inside malicious manifestation node.

[gmacon]

The question is not really "is this graph buggy"; the question is "is there a bug at this manifestation point?" so I don't think it matters if the bug is only a subgraph of the graph in consideration: it's buggy either way.

[ulysseyson]

That's right. Anyway the s2v captures the difference between malicious end and benign end.

I think that is awesome point of ML.