In recent years, there has been a significant surge in malware attacks, necessitating more advanced preventive measures and remedial strategies. While several successful AI-based malware classification approaches exist categorized into static, dynamic, or online analysis, most successful AI models lack easily interpretable decisions and explanations for their processes. Our paper aims to delve into explainable malware classification across various execution environments (such as dynamic and online), thoroughly analyzing their respective strengths, weaknesses, and commonalities. To evaluate our approach, we train Feed Forward Neural Networks (FFNN) and Convolutional Neural Networks (CNN) to classify malware based on features obtained from dynamic and online analysis environments. The feature attribution for malware classification is performed by explainability tools, SHAP, LIME and Permutation Importance. We perform a detailed evaluation of the calculated global and local explanations from the experiments, discuss limitations and, ultimately, offer recommendations for achieving a balanced approach.

翻译：近年来，恶意软件攻击显著激增，亟需更先进的预防与补救策略。尽管存在多种基于人工智能的恶意软件分类方法，可归类为静态、动态或在线分析，但大多数成功的人工智能模型缺乏易于解释的决策过程及机理说明。本文旨在深入探讨跨不同执行环境（如动态与在线环境）的可解释恶意软件分类，全面分析其各自优势、局限与共性。为评估所提方法，我们训练前馈神经网络与卷积神经网络基于动态及在线分析环境提取的特征进行恶意软件分类。通过可解释性工具SHAP、LIME与置换重要性实现恶意软件分类的特征归因。我们基于实验计算得到的全局与局部解释进行详细评估，探讨其局限性，并最终提出实现平衡方法的建议。