Malware detection in modern computing environments demands models that are not only accurate but also interpretable and robust to evasive techniques. Graph neural networks (GNNs) have shown promise in this domain by modeling rich structural dependencies in graph-based program representations such as control flow graphs (CFGs). However, single-model approaches may suffer from limited generalization and lack interpretability, especially in high-stakes security applications. In this paper, we propose a novel stacking ensemble framework for graph-based malware detection and explanation. Our method dynamically extracts CFGs from portable executable (PE) files and encodes their basic blocks through a two-step embedding strategy. A set of diverse GNN base learners, each with a distinct message-passing mechanism, is used to capture complementary behavioral features. Their prediction outputs are aggregated by a meta-learner implemented as an attention-based multilayer perceptron, which both classifies malware instances and quantifies the contribution of each base model. To enhance explainability, we introduce an ensemble-aware post-hoc explanation technique that leverages edge-level importance scores generated by a GNN explainer and fuses them using the learned attention weights. This produces interpretable, model-agnostic explanations aligned with the final ensemble decision. Experimental results demonstrate that our framework improves classification performance while providing insightful interpretations of malware behavior.

翻译：现代计算环境中的恶意软件检测要求模型不仅具备高精度，还需兼具可解释性及对规避技术的鲁棒性。图神经网络通过建模控制流图等图结构程序表示中的丰富依赖关系，在该领域展现出应用潜力。然而，单模型方法可能存在泛化能力有限与缺乏可解释性的问题，尤其是在高风险的网络安全应用中。本文提出一种新颖的堆叠集成框架，用于基于图的恶意软件检测与解释。该方法从可移植可执行文件中动态提取控制流图，并通过两步嵌入策略对基本块进行编码。我们采用一组具有不同消息传递机制的多样化图神经网络基学习器，以捕获互补的行为特征。它们的预测输出由基于注意力机制的多层感知器实现的元学习器聚合，该元学习器既能对恶意软件实例进行分类，又能量化各基模型的贡献权重。为增强可解释性，我们提出一种集成感知的事后解释技术：利用图神经网络解释器生成的边级重要性分数，并通过学习到的注意力权重进行融合。该方法可生成与最终集成决策相一致的可解释、模型无关的恶意软件行为解读。实验结果表明，本框架在提升分类性能的同时，为恶意软件行为提供了具有洞察力的解释。