Explainable Attention-Guided Stacked Graph Neural Networks for Malware Detection
Hossein Shokouhinejad, Roozbeh Razavi-Far, Griffin Higgins, Ali A Ghorbani

TL;DR
This paper introduces a stacking ensemble of diverse graph neural networks for malware detection that enhances accuracy and interpretability by combining multiple models and providing edge-level explanations of decisions.
Contribution
It proposes a novel ensemble framework with an attention-based meta-learner and an explainability technique for graph-based malware detection, improving both performance and interpretability.
Findings
Improved malware classification accuracy.
Effective edge-level explanations of model decisions.
Enhanced interpretability with ensemble-aware explanations.
Abstract
Malware detection in modern computing environments demands models that are not only accurate but also interpretable and robust to evasive techniques. Graph neural networks (GNNs) have shown promise in this domain by modeling rich structural dependencies in graph-based program representations such as control flow graphs (CFGs). However, single-model approaches may suffer from limited generalization and lack interpretability, especially in high-stakes security applications. In this paper, we propose a novel stacking ensemble framework for graph-based malware detection and explanation. Our method dynamically extracts CFGs from portable executable (PE) files and encodes their basic blocks through a two-step embedding strategy. A set of diverse GNN base learners, each with a distinct message-passing mechanism, is used to capture complementary behavioral features. Their prediction outputs are…
