Faculty of Mathematics, Physics
and Informatics
Comenius University Bratislava

Doctoral colloquium - Peter Anthony (6.10.2025)

Monday 6.10.2025 at 13:10, Lecture room I 9


02. 10. 2025, 21:45
By: Damas Gruska

Peter Anthony:
Rule Extraction and Interaction-Aware Explainability for AI-Driven Malware Detection


Abstract:
As machine learning becomes integral to malware detection, the demand for interpretability has become critical, not only to understand model decisions, but also to support actionable insights for analysts. While post-hoc techniques like SHAP, LIME, and Anchor offer feature attributions or instance-level rules, they fail to capture generalized semantic patterns across malware samples. To address this, we propose a unified and extensible explainability framework for binarized malware features, offering three levels of interpretability: (1) first-order explanations (individual feature effects), (2) second-order explanations (pairwise interactions revealing nonlinear dependencies), and (3) higher-order, rule-based explanations that formalize joint feature contributions for deeper analytical insight.

Our framework builds on an MLP-based detector trained on the EMBER dataset. It first uses SHAP to assess global feature relevance and then introduces two key extensions: (i) a SHAP-based interaction formalism that reveals synergistic and antagonistic effects among features, and (ii) a generalized Anchor algorithm that extracts symbolic, reusable rules to illuminate model behavior and malware patterns. Our global rules achieve an F1 score of 83% on EMBER and perfectly reconstruct nonlinear decision boundaries in synthetic benchmarks (100% F1 on the XOR dataset). Analysis of EMBER's extracted rules reveals that the black-box model's logic often relies on structural anomalies, prioritizing statistical patterns rather than capturing meaningful behavioral patterns indicative of known malware tactics.
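To make the abstract's distinction between first- and second-order explanations concrete, the following is an added example, not the speaker's code or formalism: exact Shapley values and the Shapley interaction index (Grabisch and Roubens) computed with an interventional background over a constructed three-feature XOR "detector". The feature names and the detector itself are hypothetical; the point is that first-order attributions give both XOR features equal credit (even the absent one), while the pairwise interaction carries the decision and vanishes for the irrelevant feature.

```python
from fractions import Fraction
from itertools import combinations, product
from math import factorial

# Constructed stand-in for the black-box detector over three binarized features:
# "malware" iff exactly one of the first two is set (XOR); the third is noise.
FEATURES = ["imports_crypto_api", "has_packer_section", "has_debug_dir"]  # hypothetical


def xor_detector(x):
    return x[0] ^ x[1]


# Constructed uniform background: features outside a coalition S are replaced by
# background values (interventional SHAP), so v(S) = E_b[ f(x_S, b_-S) ].
BACKGROUND = [list(b) for b in product((0, 1), repeat=3)]


def coalition_value(model, x, S):
    total = sum(model([x[j] if j in S else b[j] for j in range(len(x))]) for b in BACKGROUND)
    return Fraction(total, len(BACKGROUND))  # exact arithmetic, no float noise


def shapley_values(model, x):
    """First-order explanation: exact Shapley value of every binarized feature."""
    n, phi = len(x), []
    for i in range(n):
        others = [j for j in range(n) if j != i]
        acc = Fraction(0)
        for k in range(n):
            w = Fraction(factorial(k) * factorial(n - k - 1), factorial(n))
            for S in combinations(others, k):
                S = set(S)
                acc += w * (coalition_value(model, x, S | {i}) - coalition_value(model, x, S))
        phi.append(acc)
    return phi


def interaction_index(model, x, i, j):
    """Second-order explanation: Shapley interaction index of the pair (i, j).
    Positive = synergy (together they add more than separately), negative = antagonism."""
    n = len(x)
    others = [k for k in range(n) if k not in (i, j)]
    v = lambda T: coalition_value(model, x, T)
    acc = Fraction(0)
    for k in range(n - 1):
        w = Fraction(factorial(k) * factorial(n - k - 2), factorial(n - 1))
        for S in combinations(others, k):
            S = set(S)
            acc += w * (v(S | {i, j}) - v(S | {i}) - v(S | {j}) + v(S))
    return acc


if __name__ == "__main__":
    for x in ([1, 0, 0], [1, 1, 0]):  # a flagged sample and a clean one
        print(x, [str(p) for p in shapley_values(xor_detector, x)],
              "I(0,1) =", interaction_index(xor_detector, x, 0, 1),
              "I(0,2) =", interaction_index(xor_detector, x, 0, 2))
```

For the flagged sample [1, 0, 0] both XOR features receive +0.25 although only one is present, whereas I(0,1) = +0.5 and I(0,2) = 0; for the clean sample [1, 1, 0] the interaction flips to -0.5, which is what a first-order view cannot express.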
