Explainable Malware Detection with Tailored Logic Explained Networks

Peter Anthony, Francesco Giannini, Michelangelo Diligenti, Martin Homola, Marco Gori, Stefan Balogh, Jan Mojzis

TL;DR

The paper tackles the need for accurate and explainable malware detection amid rapidly evolving threats. It adopts Logic Explained Networks (LENs) to produce interpretable First-Order Logic explanations while maintaining competitive accuracy on the EMBER dataset. A new Tailored-LEN method uses a line-search to optimize the aggregation of local explanations, improving fidelity and reducing complexity relative to prior LEN variants. Empirical results show LENs achieve approximately 92% accuracy with feature-subset configurations and remain competitive with state-of-the-art black-box models, while delivering interpretable, verifiable rules; this advances trustworthy, auditable malware classifiers suitable for security-critical applications. Overall, the approach demonstrates that explainable neural models can match strong performance on large-scale malware data and offer actionable explanations for practitioners and regulators alike.

Abstract

Malware detection is a constant challenge in cybersecurity due to the rapid development of new attack techniques. Traditional signature-based approaches struggle to keep pace with the sheer volume of malware samples. Machine learning offers a promising solution, but faces issues of generalization to unseen samples and a lack of explanation for the instances identified as malware. However, human-understandable explanations are especially important in security-critical fields, where understanding model decisions is crucial for trust and legal compliance. While deep learning models excel at malware detection, their black-box nature hinders explainability. Conversely, interpretable models often fall short in performance. To bridge this gap in this application domain, we propose the use of Logic Explained Networks (LENs), a recently proposed class of interpretable neural networks that provide explanations in the form of First-Order Logic (FOL) rules. This paper extends the application of LENs to the complex domain of malware detection, specifically using the large-scale EMBER dataset. In the experimental results we show that LENs achieve robustness exceeding that of traditional interpretable methods and rivaling that of black-box models. Moreover, we introduce a tailored version of LENs that is shown to generate logic explanations with higher fidelity with respect to the model's predictions.


Paper Structure

This paper contains 25 sections, 4 equations, 3 figures, 3 tables, 1 algorithm.

Figures (3)

  • Figure 1: Illustration of LEN local and class-level explanation for malware samples. The global explanations are obtained as a disjunction of the most important local explanations, selected using different statistical techniques.
  • Figure 2: Plots comparing the performance of the LENs in terms of (a) accuracy and (b) FP-Rate on the EMBER dataset.
  • Figure 3: Plots comparing the performance of the explanations of the different LENs in terms of (a) accuracy, (b) FP-Rate, (c) Fidelity and (d) Complexity, over different feature sizes on the EMBER dataset.
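To make concrete the notions the TL;DR and Figure 1 rely on (class-level explanation as a disjunction of local explanations, fidelity to the model's predictions, complexity as literal count, and a line search over how many local explanations to aggregate), here is an added toy illustration. It is not code from the paper and does not reproduce Tailored-LEN's actual procedure; the binarised features, the model predictions, the "all active literals" local explanation and the penalised line-search objective are all constructed assumptions for the example.

```python
from collections import Counter
from typing import Dict, FrozenSet, List, Tuple

Sample = Dict[str, bool]   # binarised feature name -> truth value
Clause = FrozenSet[str]    # conjunction of positive literals (one local explanation)
Rule = List[Clause]        # disjunction of clauses (class-level explanation, DNF)

# Constructed toy samples with an assumed model prediction (1 = malware).
# Feature names are invented for the example, not EMBER's real feature set.
SAMPLES: List[Tuple[Sample, int]] = [
    ({"packed": True, "net_imports": True}, 1),
    ({"packed": True, "net_imports": True, "no_signature": True}, 1),
    ({"packed": True, "net_imports": True}, 1),
    ({"no_signature": True, "writes_registry": True}, 1),
    ({"no_signature": True}, 0),
    ({"writes_registry": True}, 0),
    ({}, 0),
    ({"net_imports": True}, 0),
]

def local_explanation(sample: Sample) -> Clause:
    # Simplification: the local explanation is the conjunction of all active literals.
    return frozenset(f for f, v in sample.items() if v)

def holds(rule: Rule, sample: Sample) -> bool:
    return any(all(sample.get(lit, False) for lit in clause) for clause in rule)

def fidelity(rule: Rule, data: List[Tuple[Sample, int]]) -> float:
    # Fraction of samples on which the rule's verdict agrees with the model's prediction.
    return sum(holds(rule, s) == bool(p) for s, p in data) / len(data)

def complexity(rule: Rule) -> int:
    return sum(len(c) for c in rule)            # total number of literals

def prune(rule: Rule) -> Rule:
    # A clause that is a strict superset of another clause is implied by it: drop it.
    return [c for c in rule if not any(o < c for o in rule)]

def aggregate(data: List[Tuple[Sample, int]], k: int) -> Rule:
    # Class-level rule: disjunction of the k most frequent local explanations of the malware class.
    counts = Counter(local_explanation(s) for s, p in data if p == 1)
    ranked = sorted(counts, key=lambda c: (-counts[c], sorted(c)))
    return prune(ranked[:k])

def line_search(data: List[Tuple[Sample, int]], lam: float = 0.01) -> Tuple[int, Rule, float]:
    # Scan k and keep the aggregation maximising fidelity minus a complexity penalty (assumed objective).
    n = len({local_explanation(s) for s, p in data if p == 1})
    k, rule = max(((k, aggregate(data, k)) for k in range(1, n + 1)),
                  key=lambda kr: fidelity(kr[1], data) - lam * complexity(kr[1]))
    return k, rule, fidelity(rule, data)
```

With these samples, k=1 already reaches 7/8 fidelity with two literals, k=2 adds a clause that subsumption prunes away, and k=3 reaches full fidelity with four literals, which the line search selects.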