Malware detection is a constant challenge in cybersecurity because new attack techniques appear rapidly. Traditional signature-based approaches struggle to keep pace with the sheer volume of malware samples. Machine learning offers a promising alternative, but it faces two issues: poor generalization to unseen samples and a lack of explanation for the instances it flags as malware. Human-understandable explanations are especially important in security-critical fields, where understanding a model's decisions is crucial for trust and legal compliance. While deep learning models excel at malware detection, their black-box nature hinders explainability; conversely, interpretable models often fall short in performance. To bridge this gap in this application domain, we propose the use of Logic Explained Networks (LENs), a recently proposed class of interpretable neural networks that provide explanations in the form of First-Order Logic (FOL) rules. This paper extends the application of LENs to the complex domain of malware detection, using the large-scale EMBER dataset. Our experimental results show that LENs achieve robustness exceeding that of traditional interpretable methods and rivaling that of black-box models. Moreover, we introduce a tailored version of LENs that generates logic explanations with higher fidelity to the model's predictions.