Dual Explanations via Subgraph Matching for Malware Detection

--Interpretable malware detection is crucial for understanding harmful behaviors and building trust in automated security systems. Traditional explainable methods for Graph Neural Networks (GNNs) often highlight important regions within a graph but fail to associate them with known benign or malicious behavioral patterns. This limitation reduces their utility in security contexts, where alignment with verified prototypes is essential. In this work, we introduce a novel dual prototype-driven explainable framework that interprets GNN-based malware detection decisions. This dual explainable framework integrates a base explainer (a state-of-the-art explainer) with a novel second-level explainer which is designed by subgraph matching technique, called SubMatch explainer . The proposed explainer assigns interpretable scores to nodes based on their association with matched subgraphs, offering a fine-grained distinction between benign and malicious regions. This prototype-guided scoring mechanism enables more interpretable, behavior-aligned explanations. Experimental results demonstrate that our method preserves high detection performance while significantly improving interpretability in malware analysis. I NTRODUCTION Graph Neural Networks (GNNs) have emerged as powerful tools for learning from structured data and have shown strong performance across various domains including social networks, chemistry, and cybersecurity. In the context of malware detection, GNNs are particularly well-suited due to their ability to model complex program structures, such as control flow graphs (CFGs), which capture the execution behavior of binary programs. By leveraging the topological information and semantic relationships within these graphs, GNN-based methods can identify subtle malicious patterns that are often missed by traditional techniques. Recent studies have demonstrated the effectiveness of applying GNNs to malware classification, graph-based anomaly detection, and behavioral analysis of executable files [1]-[15].