Transparent Malware Detection With Granular Assembly Flow Explainability via Graph Neural Networks
Griffin Higgins, Roozbeh Razavi-Far, Hossein Shokouhinejad, Ali A. Ghorbani

TL;DR
This paper introduces a novel graph-based method for malware detection that enhances transparency by providing granular explanations through Graph Neural Networks, using assembly flow graphs and a graph reduction technique.
Contribution
It proposes Assembly Flow Graphs and a Meta-Coarsening approach for improved explainability and efficiency in malware detection with GNNs, a first in granular explainability for this domain.
Findings
AFG effectively represents binary execution flow.
Meta-Coarsening improves computational efficiency.
Enhanced explainability without sacrificing detection accuracy.
Abstract
As malware continues to become increasingly sophisticated, threatening, and evasive, malware detection systems must keep pace and become equally intelligent, powerful, and transparent. In this paper, we propose Assembly Flow Graph (AFG) to comprehensively represent the assembly flow of a binary executable as graph data. Importantly, AFG can be used to extract granular explanations needed to increase transparency for malware detection using Graph Neural Networks (GNNs). However, since AFGs may be large in practice, we also propose a Meta-Coarsening approach to improve computational tractability via graph reduction. To evaluate our proposed approach we consider several novel and existing metrics to quantify the granularity and quality of explanations. Lastly, we also consider several hyperparameters in our proposed Meta-Coarsening approach that can be used to control the final explanation…
Taxonomy
Topics: Explainable Artificial Intelligence (XAI) · Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques
