Towards Transparent Malware Detection With Granular Explainability: Backtracking Meta-Coarsened Explanations Onto Assembly Flow Graphs With Graph Neural Networks
Griffin Higgins, Roozbeh Razavi-Far, Hossein Shokouhinejad, Ali A. Ghorbani
TL;DR
This work introduces Assembly Flow Graphs (AFG) to represent the full assembly instruction flow of binaries and a Meta-Coarsening framework to make large AFGs tractable for Graph Neural Networks. By backtracking explanations from coarsened CFGs to AFGs, the approach delivers granular instruction-level explanations in malware detection, enabling both accurate inference and strong explainability at multiple levels (C-CFG and B-AFG). Evaluation on the CIC-DGG-2025 dataset shows favorable inference under certain coarsening regimes and demonstrates explainability gains at lower coarsening with metrics like the characterization score and a novel assembly-level beta indicator, while highlighting limitations at maximal coarsening and differences between benign and malicious samples. Overall, the method provides a principled path to transparent malware analysis with granular, assembly-level interpretability that can guide defenders in understanding and mitigating malicious behavior.
Abstract
As malware continues to become increasingly sophisticated, threatening, and evasive, malware detection systems must keep pace and become equally intelligent, powerful, and transparent. In this paper, we propose Assembly Flow Graph (AFG) to comprehensively represent the assembly flow of a binary executable as graph data. Importantly, AFG can be used to extract granular explanations needed to increase transparency for malware detection using Graph Neural Networks (GNNs). However, since AFGs may be large in practice, we also propose a Meta-Coarsening approach to improve computational tractability via graph reduction. To evaluate our proposed approach we consider several novel and existing metrics to quantify the granularity and quality of explanations. Lastly, we also consider several hyperparameters in our proposed Meta-Coarsening approach that can be used to control the final explanation size. We evaluate our proposed approach using the CIC-DGG-2025 dataset. Our results indicate that our proposed AFG and Meta-Coarsening approach can provide both increased explainability and inference performance at certain coarsening levels. However, most importantly, to the best of our knowledge, we are the first to consider granular explainability in malware detection using GNNs.
