Explainable Malware Detection through Integrated Graph Reduction and Learning Techniques
Hesamodin Mohammadian, Griffin Higgins, Samuel Ansong, Roozbeh Razavi-Far, Ali A. Ghorbani

TL;DR
This paper introduces a malware detection method that combines graph reduction techniques with explainable GNNs to improve efficiency and interpretability of malware classification.
Contribution
It proposes novel graph reduction methods and integrates GNNExplainer to enhance transparency and efficiency in malware detection using graph neural networks.
Findings
Reduced graph size without losing detection accuracy
Enhanced interpretability of GNN decisions
Maintained high performance with improved efficiency
Abstract
Control Flow Graphs and Function Call Graphs have become pivotal in providing a detailed understanding of program execution and effectively characterizing the behavior of malware. These graph-based representations, when combined with Graph Neural Networks (GNN), have shown promise in developing high-performance malware detectors. However, challenges remain due to the large size of these graphs and the inherent opacity in the decision-making process of GNNs. This paper addresses these issues by developing several graph reduction techniques to reduce graph size and applying the state-of-the-art GNNExplainer to enhance the interpretability of GNN outputs. The analysis demonstrates that integrating our proposed graph reduction technique along with GNNExplainer in the malware detection framework significantly reduces graph size while preserving high performance, providing an effective…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Anomaly Detection Techniques and Applications
