{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,11]],"date-time":"2026-03-11T23:18:52Z","timestamp":1773271132925,"version":"3.50.1"},"reference-count":41,"publisher":"MDPI AG","issue":"1","license":[{"start":{"date-parts":[[2025,12,21]],"date-time":"2025-12-21T00:00:00Z","timestamp":1766275200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["MAKE"],"abstract":"<jats:p>The increasing sophistication of malware has challenged the effectiveness of conventional detection techniques, motivating the adoption of Graph Neural Networks (GNNs) for their ability to model the structural and semantic information embedded in control flow graphs. While GNNs offer high detection performance, their lack of transparency limits their applicability in security-critical domains. To address this, we present an explainable malware detection framework, which contains a dual explainer. This dual explainer integrates a GNN explainer with a neural subgraph matching approach and the VF2 algorithm. The proposed method identifies and verifies discriminative subgraphs during training, which are later used to explain new predictions through efficient matching. To enhance the generalization of the neural subgraph matcher, we train it using curriculum learning, gradually increasing subgraph complexity to improve matching quality. Experimental evaluations on benchmark datasets demonstrate that the proposed framework retains high classification accuracy while significantly improving interpretability. By unifying explainable graph learning techniques with subgraph matching, the proposed framework enables analysts to gain actionable insights, fostering greater trust in GNN-based malware detectors.<\/jats:p>","DOI":"10.3390\/make8010002","type":"journal-article","created":{"date-parts":[[2025,12,22]],"date-time":"2025-12-22T08:35:27Z","timestamp":1766392527000},"page":"2","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["Enhancing GNN Explanations for Malware Detection with Dual Subgraph Matching"],"prefix":"10.3390","volume":"8","author":[{"ORCID":"https:\/\/orcid.org\/0009-0001-6342-2740","authenticated-orcid":false,"given":"Hossein","family":"Shokouhinejad","sequence":"first","affiliation":[{"name":"Canadian Institute for Cybersecurity, University of New Brunswick, Fredericton, NB E3B 5A3, Canada"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4330-3656","authenticated-orcid":false,"given":"Roozbeh","family":"Razavi-Far","sequence":"additional","affiliation":[{"name":"Canadian Institute for Cybersecurity, University of New Brunswick, Fredericton, NB E3B 5A3, Canada"}]},{"ORCID":"https:\/\/orcid.org\/0009-0001-2494-8360","authenticated-orcid":false,"given":"Griffin","family":"Higgins","sequence":"additional","affiliation":[{"name":"Canadian Institute for Cybersecurity, University of New Brunswick, Fredericton, NB E3B 5A3, Canada"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9189-6268","authenticated-orcid":false,"given":"Ali A.","family":"Ghorbani","sequence":"additional","affiliation":[{"name":"Canadian Institute for Cybersecurity, University of New Brunswick, Fredericton, NB E3B 5A3, Canada"}]}],"member":"1968","published-online":{"date-parts":[[2025,12,21]]},"reference":[{"key":"ref_1","unstructured":"Shokouhinejad, H., Razavi-Far, R., Mohammadian, H., Rabbani, M., Ansong, S., Higgins, G., and Ghorbani, A.A. (2025). Recent Advances in Malware Detection: Graph Learning and Explainability. arXiv."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"2722","DOI":"10.3390\/make6040130","article-title":"Node-Centric Pruning: A Novel Graph Reduction Approach","volume":"6","author":"Shokouhinejad","year":"2024","journal-title":"Mach. Learn. Knowl. Extr."},{"key":"ref_3","unstructured":"Shokouhinejad, H., Razavi-Far, R., Higgins, G., and Ghorbani, A.A. (2025). Explainable Attention-Guided Stacked Graph Neural Networks for Malware Detection. arXiv."},{"key":"ref_4","first-page":"1","article-title":"GNNExplainer: Generating explanations for graph neural networks","volume":"32","author":"Ying","year":"2019","journal-title":"Adv. Neural Inf. Process. Syst. (NIPS)"},{"key":"ref_5","unstructured":"Luo, D., Cheng, W., Xu, D., Yu, W., Zong, B., Chen, H., and Zhang, X. (2020, January 16\u201320). Parameterized explainer for graph neural network. Proceedings of the Proceedings of the 34th International Conference on Neural Information Processing Systems, Vancouver, BC, Canada."},{"key":"ref_6","doi-asserted-by":"crossref","unstructured":"Herath, J.D., Wakodikar, P.P., Yang, P., and Yan, G. (2022, January 27\u201330). CFGExplainer: Explaining Graph Neural Network-Based Malware Classification from Control Flow Graphs. Proceedings of the 2022 52nd Annual IEEE\/IFIP International Conference on Dependable Systems and Networks (DSN), Baltimore, MD, USA.","DOI":"10.1109\/DSN53405.2022.00028"},{"key":"ref_7","unstructured":"Yuan, H., Yu, H., Wang, J., Li, K., and Ji, S. (2021, January 18\u201324). On explainability of graph neural networks via subgraph explorations. Proceedings of the PMLR International Conference on Machine Learning, Virtual Conference."},{"key":"ref_8","unstructured":"Baldassarre, F., and Azizpour, H. (2019, January 9\u201315). Explainability Techniques for Graph Convolutional Networks. Proceedings of the International Conference on Machine Learning (ICML), Workshop on Learning and Reasoning with Graph-Structured Representations, Long Beach, CA, USA."},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"1367","DOI":"10.1109\/TPAMI.2004.75","article-title":"A (sub) graph isomorphism algorithm for matching large graphs","volume":"28","author":"Cordella","year":"2004","journal-title":"IEEE Trans. Pattern Anal. Mach. Intell. (TPAMI)"},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"31","DOI":"10.1145\/321921.321925","article-title":"An Algorithm for Subgraph Isomorphism","volume":"23","author":"Ullmann","year":"1976","journal-title":"J. ACM"},{"key":"ref_11","unstructured":"Ying, R., Lou, Z., You, J., Wen, C., Canedo, A., and Leskovec, J. (2020). Neural Subgraph Matching. arXiv."},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"4881","DOI":"10.1109\/TIFS.2024.3389614","article-title":"MalGNE: Enhancing the Performance and Efficiency of CFG-Based Malware Detector by Graph Node Embedding in Low Dimension Space","volume":"19","author":"Peng","year":"2024","journal-title":"IEEE Trans. Inf. Forensics Secur."},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"103807","DOI":"10.1016\/j.cose.2024.103807","article-title":"GSEDroid: GNN-based Android malware detection framework using lightweight semantic embedding","volume":"140","author":"Gu","year":"2024","journal-title":"Comput. Secur."},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"124776","DOI":"10.1016\/j.eswa.2024.124776","article-title":"MDGraph: A novel malware detection method based on memory dump and graph neural network","volume":"255","author":"Li","year":"2024","journal-title":"Expert Syst. Appl."},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"103409","DOI":"10.1016\/j.cose.2023.103409","article-title":"XMal: A lightweight memory-based explainable obfuscated-malware detector","volume":"133","author":"Alani","year":"2023","journal-title":"Comput. Secur."},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"102872","DOI":"10.1016\/j.cose.2022.102872","article-title":"DMalNet: Dynamic malware analysis based on API feature engineering and graph learning","volume":"122","author":"Li","year":"2022","journal-title":"Comput. Secur."},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"2025","DOI":"10.1109\/TDSC.2022.3168285","article-title":"MsDroid: Identifying Malicious Snippets for Android Malware Detection","volume":"20","author":"He","year":"2023","journal-title":"IEEE Trans. Dependable Secur. Comput."},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"121617","DOI":"10.1016\/j.eswa.2023.121617","article-title":"Android malware detection method based on graph attention networks and deep fusion of multimodal features","volume":"237","author":"Chen","year":"2024","journal-title":"Expert Syst. Appl."},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"73214","DOI":"10.1109\/ACCESS.2022.3189645","article-title":"Paired: An explainable lightweight android malware detection system","volume":"10","author":"Alani","year":"2022","journal-title":"IEEE Access"},{"key":"ref_20","first-page":"103691","article-title":"Enhancing android malware detection explainability through function call graph APIs","volume":"80","author":"Soi","year":"2024","journal-title":"J. Inf. Secur. Appl."},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"113687","DOI":"10.1016\/j.knosys.2025.113687","article-title":"Enhancing Android malware detection via knowledge distillation on homogenized function call graphs","volume":"323","author":"Wang","year":"2025","journal-title":"Knowl. Based Syst."},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"111531","DOI":"10.1016\/j.knosys.2024.111531","article-title":"FAGnet: Family-aware-based android malware analysis using graph neural network","volume":"289","author":"Wang","year":"2024","journal-title":"Knowl. Based Syst."},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"103651","DOI":"10.1016\/j.rineng.2024.103651","article-title":"Graph representation federated learning for malware detection in Internet of health things","volume":"25","author":"Amjath","year":"2025","journal-title":"Results Eng."},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"119598","DOI":"10.1016\/j.ins.2023.119598","article-title":"Triplet-trained graph transformer with control flow graph for few-shot malware classification","volume":"649","author":"Bu","year":"2023","journal-title":"Inf. Sci."},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"103788","DOI":"10.1016\/j.cose.2024.103788","article-title":"DawnGNN: Documentation augmented windows malware detection using graph neural network","volume":"140","author":"Feng","year":"2024","journal-title":"Comput. Secur."},{"key":"ref_26","unstructured":"Shokouhinejad, H., Razavi-Far, R., Higgins, G., and Ghorbani, A.A. (2025). Dual Explanations via Subgraph Matching for Malware Detection. arXiv."},{"key":"ref_27","doi-asserted-by":"crossref","first-page":"122603","DOI":"10.1016\/j.ins.2025.122603","article-title":"On the consistency of GNN explanations for malware detection","volume":"721","author":"Shokouhinejad","year":"2025","journal-title":"Inf. Sci."},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"127229","DOI":"10.1016\/j.neucom.2023.127229","article-title":"Graph Neural Network with curriculum learning for imbalanced node classification","volume":"574","author":"Li","year":"2024","journal-title":"Neurocomputing"},{"key":"ref_29","first-page":"4555","article-title":"A Survey on Curriculum Learning","volume":"44","author":"Wang","year":"2022","journal-title":"IEEE Trans. Pattern Anal. Mach. Intell."},{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"Yang, L., Ciptadi, A., Laziuk, I., Ahmadzadeh, A., and Wang, G. (2021, January 27). BODMAS: An open dataset for learning based temporal analysis of PE malware. Proceedings of the 2021 IEEE Security and Privacy Workshops (SPW), San Francisco, CA, USA.","DOI":"10.1109\/SPW53761.2021.00020"},{"key":"ref_31","unstructured":"Practical Security Analytics LLC (2024, June 08). PE Malware Machine Learning Dataset. Available online: https:\/\/practicalsecurityanalytics.com\/pe-malware-machine-learning-dataset\/."},{"key":"ref_32","unstructured":"Iosif, G. (2024, February 27). DikeDataset. Available online: https:\/\/github.com\/iosifache\/DikeDataset."},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Shoshitaishvili, Y., Wang, R., Salls, C., Stephens, N., Polino, M., Dutcher, A., Grosen, J., Feng, S., Hauser, C., and Kruegel, C. (2016). SoK: (State of) The Art of War: Offensive Techniques in Binary Analysis, IEEE.","DOI":"10.1109\/SP.2016.17"},{"key":"ref_34","doi-asserted-by":"crossref","unstructured":"Stephens, N., Grosen, J., Salls, C., Dutcher, A., Wang, R., Corbetta, J., Shoshitaishvili, Y., Kruegel, C., and Vigna, G. (2016). Driller: Augmenting Fuzzing Through Selective Symbolic Execution, IEEE.","DOI":"10.14722\/ndss.2016.23368"},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Shoshitaishvili, Y., Wang, R., Hauser, C., Kruegel, C., and Vigna, G. (2015). Firmalice\u2014Automatic Detection of Authentication Bypass Vulnerabilities in Binary Firmware, Internet Society.","DOI":"10.14722\/ndss.2015.23294"},{"key":"ref_36","unstructured":"Kipf, T.N., and Welling, M. (2017, January 24\u201326). Semi-Supervised Classification with Graph Convolutional Networks. Proceedings of the International Conference on Learning Representations (ICLR), Toulon, France."},{"key":"ref_37","unstructured":"Xu, K., Hu, W., Leskovec, J., and Jegelka, S. (2019, January 6\u20139). How Powerful Are Graph Neural Networks?. Proceedings of the International Conference on Learning Representations (ICLR), New Orleans, LA, USA."},{"key":"ref_38","unstructured":"Hamilton, W.L., Ying, R., and Leskovec, J. (2017, January 4\u20139). Inductive representation learning on large graphs. Proceedings of the 31st International Conference on Neural Information Processing Systems (NIPS), Long Beach, CA, USA."},{"key":"ref_39","unstructured":"Veli\u010dkovi\u0107, P., Cucurull, G., Casanova, A., Romero, A., Li\u00f2, P., and Bengio, Y. (May, January 30). Graph Attention Networks. Proceedings of the International Conference on Learning Representations (ICLR), Vancouver, BC, Canada."},{"key":"ref_40","unstructured":"Amara, K., Ying, Z., Zhang, Z., Han, Z., Zhao, Y., Shan, Y., Brandes, U., Schemm, S., and Zhang, C. (2022, January 24\u201326). GraphFramEx: Towards Systematic Evaluation of Explainability Methods for Graph Neural Networks. Proceedings of the The First Learning on Graphs Conference, Amsterdam, The Netherlands."},{"key":"ref_41","doi-asserted-by":"crossref","first-page":"804","DOI":"10.1109\/TPAMI.2017.2696940","article-title":"Challenging the Time Complexity of Exact Subgraph Isomorphism for Huge and Dense Graphs with VF3","volume":"40","author":"Carletti","year":"2018","journal-title":"IEEE Trans. Pattern Anal. Mach. Intell."}],"container-title":["Machine Learning and Knowledge Extraction"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2504-4990\/8\/1\/2\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,23]],"date-time":"2025-12-23T05:13:41Z","timestamp":1766466821000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2504-4990\/8\/1\/2"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,12,21]]},"references-count":41,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2026,3]]}},"alternative-id":["make8010002"],"URL":"https:\/\/doi.org\/10.3390\/make8010002","relation":{},"ISSN":["2504-4990"],"issn-type":[{"value":"2504-4990","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,12,21]]}}}