Exploring GNN-LRP for Graph Neural Networks in Android malware detection
Android malware is becoming increasingly complex and evasive, making traditional detection methods less effective. Graph Neural Networks (GNNs) have recently shown strong performance in malware classification by using structured representations such as function call graphs. However, beyond achieving...
| Autor: | |
|---|---|
| Tipo de recurso: | tesis de maestría |
| Fecha de publicación: | 2025 |
| País: | España |
| Institución: | Universitat Politècnica de Catalunya (UPC) |
| Repositorio: | UPCommons. Portal del coneixement obert de la UPC |
| Idioma: | inglés |
| OAI Identifier: | oai:upcommons.upc.edu:2117/449818 |
| Acceso en línea: | https://hdl.handle.net/2117/449818 |
| Access Level: | acceso abierto |
| Palabra clave: | Neural networks (Computer science) Malware (Computer software) Intel·ligència artificial explicable Xarxes neuronals de gràfics Propagació de rellevància per capes GNN-LRP Programari maliciós per a Android Detecció de programari maliciós Drebin MsDroid Gràfics de crides de funcions Interpretabilitat Explainable AI Graph Neural Networks Layer-wise relevance propagation Malware detection Function call graphs Interpretability Xarxes neuronals (Informàtica) Programari maliciós Àrees temàtiques de la UPC::Informàtica::Intel·ligència artificial::Aprenentatge automàtic |
| Sumario: | Android malware is becoming increasingly complex and evasive, making traditional detection methods less effective. Graph Neural Networks (GNNs) have recently shown strong performance in malware classification by using structured representations such as function call graphs. However, beyond achieving high classification accuracy, it is equally important to understand the reasoning behind a model's predictions, both for addressing security vulnerabilities and for building trust in the detection process. This thesis explores explainable artificial intelligence (XAI) techniques to bridge this gap, focusing on improving interpretability in graph-based malware detection. Specifically, we apply Layer-wise Relevance Propagation (LRP) to GNNs, an approach referred to as GNN-LRP, to assign relevance scores to graph components based on their influence on model predictions. We make use of the MsDroid framework to generate structured representations of each APK in the form of subgraphs derived from the program call graph. Using a combination of real-world datasets and a custom synthetic dataset, we demonstrate that GNN-LRP effectively highlights semantically meaningful paths indicative of malicious behavior. For instance, within the FakeInstaller malware family, our method successfully identifies the core behavioral structures responsible for malicious activity, such as SMS fraud routines and conditional payload triggers. These results illustrate that GNN-LRP can reveal the internal logic driving model decisions and isolate the functional patterns underlying malware behavior, insights that are difficult to obtain through heuristic-based approaches. By bridging performance and interpretability, this work contributes a robust and transparent step forward in graph-based malware analysis. |
|---|