Exploring GNN-LRP for Graph Neural Networks in Android malware detection

Android malware is becoming increasingly complex and evasive, making traditional detection methods less effective. Graph Neural Networks (GNNs) have recently shown strong performance in malware classification by using structured representations such as function call graphs. However, beyond achieving...

Descripción completa

Detalles Bibliográficos
Autor: Guasch Guasch, Ferran
Tipo de recurso: tesis de maestría
Fecha de publicación:2025
País:España
Institución:Universitat Politècnica de Catalunya (UPC)
Repositorio:UPCommons. Portal del coneixement obert de la UPC
Idioma:inglés
OAI Identifier:oai:upcommons.upc.edu:2117/449818
Acceso en línea:https://hdl.handle.net/2117/449818
Access Level:acceso abierto
Palabra clave:Neural networks (Computer science)
Malware (Computer software)
Intel·ligència artificial explicable
Xarxes neuronals de gràfics
Propagació de rellevància per capes
GNN-LRP
Programari maliciós per a Android
Detecció de programari maliciós
Drebin
MsDroid
Gràfics de crides de funcions
Interpretabilitat
Explainable AI
Graph Neural Networks
Layer-wise relevance propagation
Malware detection
Function call graphs
Interpretability
Xarxes neuronals (Informàtica)
Programari maliciós
Àrees temàtiques de la UPC::Informàtica::Intel·ligència artificial::Aprenentatge automàtic
Descripción
Sumario:Android malware is becoming increasingly complex and evasive, making traditional detection methods less effective. Graph Neural Networks (GNNs) have recently shown strong performance in malware classification by using structured representations such as function call graphs. However, beyond achieving high classification accuracy, it is equally important to understand the reasoning behind a model's predictions, both for addressing security vulnerabilities and for building trust in the detection process. This thesis explores explainable artificial intelligence (XAI) techniques to bridge this gap, focusing on improving interpretability in graph-based malware detection. Specifically, we apply Layer-wise Relevance Propagation (LRP) to GNNs, an approach referred to as GNN-LRP, to assign relevance scores to graph components based on their influence on model predictions. We make use of the MsDroid framework to generate structured representations of each APK in the form of subgraphs derived from the program call graph. Using a combination of real-world datasets and a custom synthetic dataset, we demonstrate that GNN-LRP effectively highlights semantically meaningful paths indicative of malicious behavior. For instance, within the FakeInstaller malware family, our method successfully identifies the core behavioral structures responsible for malicious activity, such as SMS fraud routines and conditional payload triggers. These results illustrate that GNN-LRP can reveal the internal logic driving model decisions and isolate the functional patterns underlying malware behavior, insights that are difficult to obtain through heuristic-based approaches. By bridging performance and interpretability, this work contributes a robust and transparent step forward in graph-based malware analysis.