Table of Contents
Fetching ...

Dual Explanations via Subgraph Matching for Malware Detection

Hossein Shokouhinejad, Roozbeh Razavi-Far, Griffin Higgins, Ali A. Ghorbani

TL;DR

This work addresses the interpretability gap in GNN-based malware detection by coupling a base explainer with a second-level SubMatch explainer that grounds explanations in verified benign and malicious prototypes. The method dynamically extracts CFGs, learns node embeddings via an autoencoder, and trains a GNN classifier; explanations are enriched by extracting subgraphs and storing trusted prototypes, which SubMatch then matches against new samples to produce behavior-aligned, node-level scores. Experimental results show strong detection performance alongside enhanced interpretability, with GraphSAGE consistently delivering superior matching quality. The framework supports exact and approximate subgraph matching, enabling robust, prototype-driven explanations that are practical for security analysts confronting obfuscated malware.

Abstract

Interpretable malware detection is crucial for understanding harmful behaviors and building trust in automated security systems. Traditional explainable methods for Graph Neural Networks (GNNs) often highlight important regions within a graph but fail to associate them with known benign or malicious behavioral patterns. This limitation reduces their utility in security contexts, where alignment with verified prototypes is essential. In this work, we introduce a novel dual prototype-driven explainable framework that interprets GNN-based malware detection decisions. This dual explainable framework integrates a base explainer (a state-of-the-art explainer) with a novel second-level explainer which is designed by subgraph matching technique, called SubMatch explainer. The proposed explainer assigns interpretable scores to nodes based on their association with matched subgraphs, offering a fine-grained distinction between benign and malicious regions. This prototype-guided scoring mechanism enables more interpretable, behavior-aligned explanations. Experimental results demonstrate that our method preserves high detection performance while significantly improving interpretability in malware analysis.

Dual Explanations via Subgraph Matching for Malware Detection

TL;DR

This work addresses the interpretability gap in GNN-based malware detection by coupling a base explainer with a second-level SubMatch explainer that grounds explanations in verified benign and malicious prototypes. The method dynamically extracts CFGs, learns node embeddings via an autoencoder, and trains a GNN classifier; explanations are enriched by extracting subgraphs and storing trusted prototypes, which SubMatch then matches against new samples to produce behavior-aligned, node-level scores. Experimental results show strong detection performance alongside enhanced interpretability, with GraphSAGE consistently delivering superior matching quality. The framework supports exact and approximate subgraph matching, enabling robust, prototype-driven explanations that are practical for security analysts confronting obfuscated malware.

Abstract

Interpretable malware detection is crucial for understanding harmful behaviors and building trust in automated security systems. Traditional explainable methods for Graph Neural Networks (GNNs) often highlight important regions within a graph but fail to associate them with known benign or malicious behavioral patterns. This limitation reduces their utility in security contexts, where alignment with verified prototypes is essential. In this work, we introduce a novel dual prototype-driven explainable framework that interprets GNN-based malware detection decisions. This dual explainable framework integrates a base explainer (a state-of-the-art explainer) with a novel second-level explainer which is designed by subgraph matching technique, called SubMatch explainer. The proposed explainer assigns interpretable scores to nodes based on their association with matched subgraphs, offering a fine-grained distinction between benign and malicious regions. This prototype-guided scoring mechanism enables more interpretable, behavior-aligned explanations. Experimental results demonstrate that our method preserves high detection performance while significantly improving interpretability in malware analysis.
Paper Structure (18 sections, 8 equations, 7 figures, 1 algorithm)

This paper contains 18 sections, 8 equations, 7 figures, 1 algorithm.

Figures (7)

  • Figure 1: The proposed malware detection framework for dual explanation of malicious samples.
  • Figure 2: Subgraph matching visualization using SubMatch explainer (second-level for dual explanation). Node color indicates match type (red: malicious, blue: benign), and node size reflects the match frequency.
  • Figure 3: Boxplots of the average number of matched query nodes across different experimental factors under the exact structural and attribute matching setting: (a) GNN model comparison (GraphSAGE, GCN, GAT), (b) explainer comparison (IG, GBP, SAL), (c) graph type comparison (directed vs. undirected), and (d) matching strategy comparison (monomorphism vs. isomorphism).
  • Figure 4: Boxplots of the number of matched queries across different experimental factors under the exact structural and attribute matching setting: (a) GNN model comparison (GraphSAGE, GCN, GAT), (b) explainer comparison (IG, GBP, SAL), (c) graph type comparison (directed vs. undirected), and (d) matching strategy comparison (monomorphism vs. isomorphism).
  • Figure 5: Evaluation of SubMatch explainer performance across GNN models under the exact structural and attribute matching setting.
  • ...and 2 more figures