Explainable Attention-Guided Stacked Graph Neural Networks for Malware Detection
- URL: http://arxiv.org/abs/2508.09801v2
- Date: Thu, 14 Aug 2025 20:12:03 GMT
- Title: Explainable Attention-Guided Stacked Graph Neural Networks for Malware Detection
- Authors: Hossein Shokouhinejad, Roozbeh Razavi-Far, Griffin Higgins, Ali A Ghorbani
- Abstract summary: We propose a novel stacking ensemble framework for graph-based malware detection and explanation. Our framework improves classification performance while providing insightful interpretations of malware behavior.
- Score: 2.6436521007616114
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Malware detection in modern computing environments demands models that are not only accurate but also interpretable and robust to evasive techniques. Graph neural networks (GNNs) have shown promise in this domain by modeling rich structural dependencies in graph-based program representations such as control flow graphs (CFGs). However, single-model approaches may suffer from limited generalization and lack interpretability, especially in high-stakes security applications. In this paper, we propose a novel stacking ensemble framework for graph-based malware detection and explanation. Our method dynamically extracts CFGs from portable executable (PE) files and encodes their basic blocks through a two-step embedding strategy. A set of diverse GNN base learners, each with a distinct message-passing mechanism, is used to capture complementary behavioral features. Their prediction outputs are aggregated by a meta-learner implemented as an attention-based multilayer perceptron, which both classifies malware instances and quantifies the contribution of each base model. To enhance explainability, we introduce an ensemble-aware post-hoc explanation technique that leverages edge-level importance scores generated by a GNN explainer and fuses them using the learned attention weights. This produces interpretable, model-agnostic explanations aligned with the final ensemble decision. Experimental results demonstrate that our framework improves classification performance while providing insightful interpretations of malware behavior.
Related papers
- Towards Transparent Malware Detection With Granular Explainability: Backtracking Meta-Coarsened Explanations Onto Assembly Flow Graphs With Graph Neural Networks [4.437835658886064]
We propose Assembly Flow Graph (AFG) to represent the assembly flow of a binary executable as graph data. AFG can be used to extract granular explanations needed to increase transparency for malware detection using Graph Neural Networks (GNNs). We also propose a Meta-Coarsening approach to improve computational tractability via graph reduction.
arXiv Detail & Related papers (2026-01-20T22:05:07Z)
- Dual Explanations via Subgraph Matching for Malware Detection [2.6436521007616114]
Interpretable malware detection is crucial for understanding harmful behaviors and building trust in automated security systems. Traditional explainable methods for Graph Neural Networks (GNNs) often highlight important regions within a graph but fail to associate them with known benign or malicious behavioral patterns. We introduce a novel dual prototype-driven explainable framework that interprets GNN-based malware detection decisions.
arXiv Detail & Related papers (2025-04-29T16:20:28Z)
- On the Consistency of GNN Explanations for Malware Detection [2.464148828287322]
Control Flow Graphs (CFGs) are critical for analyzing program execution and characterizing malware behavior. This study proposes a novel framework that dynamically constructs CFGs and embeds node features using a hybrid approach. A GNN-based classifier is then constructed to detect malicious behavior from the resulting graph representations.
arXiv Detail & Related papers (2025-04-22T23:25:12Z)
- Beyond Message Passing: Neural Graph Pattern Machine [50.78679002846741]
We introduce the Neural Graph Pattern Machine (GPM), a novel framework that bypasses message passing by learning directly from graph substructures. GPM efficiently extracts, encodes, and prioritizes task-relevant graph patterns, offering greater expressivity and improved ability to capture long-range dependencies.
arXiv Detail & Related papers (2025-01-30T20:37:47Z)
- Revisiting Graph Neural Networks on Graph-level Tasks: Comprehensive Experiments, Analysis, and Improvements [54.006506479865344]
We propose a unified evaluation framework for graph-level Graph Neural Networks (GNNs). This framework provides a standardized setting to evaluate GNNs across diverse datasets. We also propose a novel GNN model with enhanced expressivity and generalization capabilities.
arXiv Detail & Related papers (2025-01-01T08:48:53Z)
- Explainable Malware Detection through Integrated Graph Reduction and Learning Techniques [2.464148828287322]
Control Flow Graphs and Function Call Graphs have become pivotal in providing a detailed understanding of program execution. These graph-based representations, when combined with Graph Neural Networks (GNN), have shown promise in developing high-performance malware detectors. This paper addresses these issues by developing several graph reduction techniques to reduce graph size and applying the state-of-the-art GNNExplainer to enhance the interpretability of GNN outputs.
arXiv Detail & Related papers (2024-12-04T18:59:45Z)
- Interpreting GNN-based IDS Detections Using Provenance Graph Structural Features [15.256262257064982]
We introduce PROVEXPLAINER, a framework offering instance-level security-aware explanations using an interpretable surrogate model. On malware and APT datasets, PROVEXPLAINER achieves up to 29%/27%/25% higher fidelity+, precision and recall, and 12% lower fidelity- respectively.
arXiv Detail & Related papers (2023-06-01T17:36:24Z)
- DEGREE: Decomposition Based Explanation For Graph Neural Networks [55.38873296761104]
We propose DEGREE to provide a faithful explanation for GNN predictions. By decomposing the information generation and aggregation mechanism of GNNs, DEGREE allows tracking the contributions of specific components of the input graph to the final prediction. We also design a subgraph level interpretation algorithm to reveal complex interactions between graph nodes that are overlooked by previous methods.
arXiv Detail & Related papers (2023-05-22T10:29:52Z)
- Structural Explanations for Graph Neural Networks using HSIC [21.929646888419914]
Graph neural networks (GNNs) are a type of neural model that tackle graphical tasks in an end-to-end manner. The complicated dynamics of GNNs make it difficult to understand which parts of the graph features contribute more strongly to the predictions. In this study, a flexible model-agnostic explanation method is proposed to detect significant structures in graphs.
arXiv Detail & Related papers (2023-02-04T09:46:47Z)
- Software Vulnerability Detection via Deep Learning over Disaggregated Code Graph Representation [57.92972327649165]
This work explores a deep learning approach to automatically learn the insecure patterns from code corpora. Because code naturally admits graph structures with parsing, we develop a novel graph neural network (GNN) to exploit both the semantic context and structural regularity of a program.
arXiv Detail & Related papers (2021-09-07T21:24:36Z)
- Model-Agnostic Graph Regularization for Few-Shot Learning [60.64531995451357]
We present a comprehensive study on graph embedded few-shot learning. We introduce a graph regularization approach that allows a deeper understanding of the impact of incorporating graph information between labels. Our approach improves the performance of strong base learners by up to 2% on Mini-ImageNet and 6.7% on ImageNet-FS.
arXiv Detail & Related papers (2021-02-14T05:28:13Z)
- Amortized Probabilistic Detection of Communities in Graphs [39.56798207634738]
We propose a simple framework for amortized community detection. We combine the expressive power of GNNs with recent methods for amortized clustering. We evaluate several models from our framework on synthetic and real datasets.
arXiv Detail & Related papers (2020-10-29T16:18:48Z)
- Information Obfuscation of Graph Neural Networks [96.8421624921384]
We study the problem of protecting sensitive attributes by information obfuscation when learning with graph structured data. We propose a framework to locally filter out pre-determined sensitive attributes via adversarial training with the total variation and the Wasserstein distance.
arXiv Detail & Related papers (2020-09-28T17:55:04Z)
- Graph Backdoor [53.70971502299977]
We present GTA, the first backdoor attack on graph neural networks (GNNs). GTA departs in significant ways: it defines triggers as specific subgraphs, including both topological structures and descriptive features. It can be instantiated for both transductive (e.g., node classification) and inductive (e.g., graph classification) tasks.
arXiv Detail & Related papers (2020-06-21T19:45:30Z)