Table of Contents
Fetching ...

Towards Transparent Malware Detection With Granular Explainability: Backtracking Meta-Coarsened Explanations Onto Assembly Flow Graphs With Graph Neural Networks

Griffin Higgins, Roozbeh Razavi-Far, Hossein Shokouhinejad, Ali A. Ghorbani

TL;DR

This work introduces Assembly Flow Graphs (AFG) to represent the full assembly instruction flow of binaries and a Meta-Coarsening framework to make large AFGs tractable for Graph Neural Networks. By backtracking explanations from coarsened CFGs to AFGs, the approach delivers granular instruction-level explanations in malware detection, enabling both accurate inference and strong explainability at multiple levels (C-CFG and B-AFG). Evaluation on the CIC-DGG-2025 dataset shows favorable inference under certain coarsening regimes and demonstrates explainability gains at lower coarsening with metrics like the characterization score and a novel assembly-level beta indicator, while highlighting limitations at maximal coarsening and differences between benign and malicious samples. Overall, the method provides a principled path to transparent malware analysis with granular, assembly-level interpretability that can guide defenders in understanding and mitigating malicious behavior.

Abstract

As malware continues to become increasingly sophisticated, threatening, and evasive, malware detection systems must keep pace and become equally intelligent, powerful, and transparent. In this paper, we propose Assembly Flow Graph (AFG) to comprehensively represent the assembly flow of a binary executable as graph data. Importantly, AFG can be used to extract granular explanations needed to increase transparency for malware detection using Graph Neural Networks (GNNs). However, since AFGs may be large in practice, we also propose a Meta-Coarsening approach to improve computational tractability via graph reduction. To evaluate our proposed approach we consider several novel and existing metrics to quantify the granularity and quality of explanations. Lastly, we also consider several hyperparameters in our proposed Meta-Coarsening approach that can be used to control the final explanation size. We evaluate our proposed approach using the CIC-DGG-2025 dataset. Our results indicate that our proposed AFG and Meta-Coarsening approach can provide both increased explainability and inference performance at certain coarsening levels. However, most importantly, to the best of our knowledge, we are the first to consider granular explainability in malware detection using GNNs.

Towards Transparent Malware Detection With Granular Explainability: Backtracking Meta-Coarsened Explanations Onto Assembly Flow Graphs With Graph Neural Networks

TL;DR

This work introduces Assembly Flow Graphs (AFG) to represent the full assembly instruction flow of binaries and a Meta-Coarsening framework to make large AFGs tractable for Graph Neural Networks. By backtracking explanations from coarsened CFGs to AFGs, the approach delivers granular instruction-level explanations in malware detection, enabling both accurate inference and strong explainability at multiple levels (C-CFG and B-AFG). Evaluation on the CIC-DGG-2025 dataset shows favorable inference under certain coarsening regimes and demonstrates explainability gains at lower coarsening with metrics like the characterization score and a novel assembly-level beta indicator, while highlighting limitations at maximal coarsening and differences between benign and malicious samples. Overall, the method provides a principled path to transparent malware analysis with granular, assembly-level interpretability that can guide defenders in understanding and mitigating malicious behavior.

Abstract

As malware continues to become increasingly sophisticated, threatening, and evasive, malware detection systems must keep pace and become equally intelligent, powerful, and transparent. In this paper, we propose Assembly Flow Graph (AFG) to comprehensively represent the assembly flow of a binary executable as graph data. Importantly, AFG can be used to extract granular explanations needed to increase transparency for malware detection using Graph Neural Networks (GNNs). However, since AFGs may be large in practice, we also propose a Meta-Coarsening approach to improve computational tractability via graph reduction. To evaluate our proposed approach we consider several novel and existing metrics to quantify the granularity and quality of explanations. Lastly, we also consider several hyperparameters in our proposed Meta-Coarsening approach that can be used to control the final explanation size. We evaluate our proposed approach using the CIC-DGG-2025 dataset. Our results indicate that our proposed AFG and Meta-Coarsening approach can provide both increased explainability and inference performance at certain coarsening levels. However, most importantly, to the best of our knowledge, we are the first to consider granular explainability in malware detection using GNNs.
Paper Structure (22 sections, 11 equations, 19 figures, 4 tables)

This paper contains 22 sections, 11 equations, 19 figures, 4 tables.

Figures (19)

  • Figure 1: High-level diagram of our proposed approach with training and embedding phases omitted. CFG and starting point is shown in the middle green patch, coarsened CFG (C-CFG) shown in the top red patch, and AFG is shown in the bottom blue patch. The C-CFG explanation and backtracked AFG (B-AFG) are shown in yellow. The most important B-AFG explanation subgraph is shown in purple.
  • Figure 2: Detailed diagram showing four phases of processing.
  • Figure 3: CFG embedding procedure.
  • Figure 4: AFG construction and embedding procedure for one node.
  • Figure 5: Size comparison of datasets with respect to CFG and AFG number of nodes and edges.
  • ...and 14 more figures