Dual Explanations via Subgraph Matching for Malware Detection
Hossein Shokouhinejad, Roozbeh Razavi-Far, Griffin Higgins, Ali A. Ghorbani
TL;DR
This work addresses the interpretability gap in GNN-based malware detection by coupling a base explainer with a second-level SubMatch explainer that grounds explanations in verified benign and malicious prototypes. The method dynamically extracts CFGs, learns node embeddings via an autoencoder, and trains a GNN classifier; explanations are enriched by extracting subgraphs and storing trusted prototypes, which SubMatch then matches against new samples to produce behavior-aligned, node-level scores. Experimental results show strong detection performance alongside enhanced interpretability, with GraphSAGE consistently delivering superior matching quality. The framework supports exact and approximate subgraph matching, enabling robust, prototype-driven explanations that are practical for security analysts confronting obfuscated malware.
Abstract
Interpretable malware detection is crucial for understanding harmful behaviors and building trust in automated security systems. Traditional explainable methods for Graph Neural Networks (GNNs) often highlight important regions within a graph but fail to associate them with known benign or malicious behavioral patterns. This limitation reduces their utility in security contexts, where alignment with verified prototypes is essential. In this work, we introduce a novel dual prototype-driven explainable framework that interprets GNN-based malware detection decisions. This dual explainable framework integrates a base explainer (a state-of-the-art explainer) with a novel second-level explainer which is designed by subgraph matching technique, called SubMatch explainer. The proposed explainer assigns interpretable scores to nodes based on their association with matched subgraphs, offering a fine-grained distinction between benign and malicious regions. This prototype-guided scoring mechanism enables more interpretable, behavior-aligned explanations. Experimental results demonstrate that our method preserves high detection performance while significantly improving interpretability in malware analysis.
