On the Consistency of GNN Explanations for Malware Detection
This work addresses the problem of interpretable malware detection for cybersecurity practitioners, but it is incremental as it builds on existing GNN and explainability techniques.
The study tackled malware detection using Control Flow Graphs (CFGs) with Graph Neural Networks (GNNs), proposing a framework that dynamically constructs CFGs and embeds node features, and introduced RankFusion to aggregate explainer outputs, achieving effective malware identification and reliable explanations as demonstrated by accuracy, fidelity, and consistency metrics.
Control Flow Graphs (CFGs) are critical for analyzing program execution and characterizing malware behavior. With the growing adoption of Graph Neural Networks (GNNs), CFG-based representations have proven highly effective for malware detection. This study proposes a novel framework that dynamically constructs CFGs and embeds node features using a hybrid approach combining rule-based encoding and autoencoder-based embedding. A GNN-based classifier is then constructed to detect malicious behavior from the resulting graph representations. To improve model interpretability, we apply state-of-the-art explainability techniques, including GNNExplainer, PGExplainer, and CaptumExplainer, the latter is utilized three attribution methods: Integrated Gradients, Guided Backpropagation, and Saliency. In addition, we introduce a novel aggregation method, called RankFusion, that integrates the outputs of the top-performing explainers to enhance the explanation quality. We also evaluate explanations using two subgraph extraction strategies, including the proposed Greedy Edge-wise Composition (GEC) method for improved structural coherence. A comprehensive evaluation using accuracy, fidelity, and consistency metrics demonstrates the effectiveness of the proposed framework in terms of accurate identification of malware samples and generating reliable and interpretable explanations.