Dual Explanations via Subgraph Matching for Malware Detection
This work addresses the need for behavior-aligned explanations in automated security systems, offering an incremental improvement over traditional GNN explainers.
The paper tackles the problem of interpretable malware detection by introducing a dual prototype-driven explainable framework that integrates a base explainer with a novel SubMatch explainer using subgraph matching, resulting in preserved high detection performance and significantly improved interpretability.
Interpretable malware detection is crucial for understanding harmful behaviors and building trust in automated security systems. Traditional explainable methods for Graph Neural Networks (GNNs) often highlight important regions within a graph but fail to associate them with known benign or malicious behavioral patterns. This limitation reduces their utility in security contexts, where alignment with verified prototypes is essential. In this work, we introduce a novel dual prototype-driven explainable framework that interprets GNN-based malware detection decisions. This dual explainable framework integrates a base explainer (a state-of-the-art explainer) with a novel second-level explainer which is designed by subgraph matching technique, called SubMatch explainer. The proposed explainer assigns interpretable scores to nodes based on their association with matched subgraphs, offering a fine-grained distinction between benign and malicious regions. This prototype-guided scoring mechanism enables more interpretable, behavior-aligned explanations. Experimental results demonstrate that our method preserves high detection performance while significantly improving interpretability in malware analysis.