In this paper, we propose XG-BoT, an explainable deep graph neural network model for botnet node detection. The proposed model comprises a botnet detector and an explainer for automatic forensics. The XG-BoT detector can effectively detect malicious botnet nodes in large-scale networks. Specifically, it utilizes a grouped reversible residual connection with a graph isomorphism network to learn expressive node representations from botnet communication graphs. The explainer, based on the GNNExplainer and saliency map in XG-BoT, can perform automatic network forensics by highlighting suspicious network flows and related botnet nodes. We evaluated XG-BoT using real-world, large-scale botnet network graph datasets. Overall, XG-BoT outperforms state-of-the-art approaches in terms of key evaluation metrics. Additionally, we demonstrate that the XG-BoT explainers can generate useful explanations for automatic network forensics.
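The abstract names two mechanisms worth seeing concretely: the grouped reversible residual connection wrapped around a graph isomorphism network (GIN) layer, and an explainer that scores which network flows (edges) drive a node's classification. The following is an added example written for this page, not code from the XG-BoT paper or its authors. It assumes the RevGNN-style grouped reversible formulation (input features split into C groups, with X'_0 = sum of groups 2..C and X'_i = f_i(X'_{i-1}, G) + X_i), uses GIN sum-aggregation followed by a tanh as each group function, and shows the exact inverse that lets a deep stack recompute activations instead of storing them. The edge-importance function is a crude leave-one-edge-out perturbation standing in for a learned edge mask; it is not GNNExplainer or a saliency map. The graph, node features, weights and sizes are all constructed here.

```python
# Added example, not code from the XG-BoT paper: a toy grouped reversible
# residual block whose per-group function is GIN sum-aggregation + tanh,
# with the exact inverse that lets activations be recomputed instead of
# stored, and a crude leave-one-edge-out importance score standing in for
# a learned edge mask. Graph, features, weights and sizes are constructed.
import math
import random

N_NODES = 8
# Constructed undirected communication graph: node 0 is a hub talking to
# nodes 1-4; nodes 5-7 form a separate chain that never reaches node 0.
EDGES = [(0, 1), (0, 2), (0, 3), (0, 4), (1, 2), (5, 6), (6, 7)]
DIM = 4      # node feature width, split evenly into GROUPS groups
GROUPS = 2   # must divide DIM and be >= 2 for the RevGNN-style block below

def adjacency(n, edges):
    adj = [[] for _ in range(n)]
    for u, v in edges:
        adj[u].append(v)
        adj[v].append(u)
    return adj

def gin_aggregate(h, adj, eps=0.0):
    """GIN aggregation: (1 + eps) * h_v + sum of h_u over neighbours u of v."""
    out = []
    for v, hv in enumerate(h):
        acc = [(1.0 + eps) * x for x in hv]
        for u in adj[v]:
            for i, x in enumerate(h[u]):
                acc[i] += x
        out.append(acc)
    return out

def make_weights(group_dim, n_groups, seed=7):
    """One square weight matrix per group; random and untrained (constructed)."""
    rng = random.Random(seed)
    return [[[rng.uniform(-0.5, 0.5) for _ in range(group_dim)]
             for _ in range(group_dim)] for _ in range(n_groups)]

def group_fn(x, adj, w):
    """f_{w_i}(X, G): GIN aggregation, then a linear map and tanh."""
    d = len(w)
    return [[math.tanh(sum(row[k] * w[k][j] for k in range(d))) for j in range(d)]
            for row in gin_aggregate(x, adj)]

def split_groups(h, n_groups):
    gd = len(h[0]) // n_groups
    return [[row[i * gd:(i + 1) * gd] for row in h] for i in range(n_groups)]

def concat_groups(groups):
    return [[x for g in groups for x in g[v]] for v in range(len(groups[0]))]

def add(a, b):
    return [[x + y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def sub(a, b):
    return [[x - y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def sum_groups(groups):
    acc = groups[0]
    for g in groups[1:]:
        acc = add(acc, g)
    return acc

def rev_forward(h, adj, weights):
    """Grouped reversible forward pass (RevGNN-style residual):
    X'_0 = sum_{i>=2} X_i,  X'_i = f_i(X'_{i-1}, G) + X_i  for i = 1..C."""
    X = split_groups(h, len(weights))       # X[0] is the paper's X_1, etc.
    prev = sum_groups(X[1:])
    Y = []
    for xi, w in zip(X, weights):
        yi = add(group_fn(prev, adj, w), xi)
        Y.append(yi)
        prev = yi
    return concat_groups(Y)

def rev_inverse(y, adj, weights):
    """Exact inverse of rev_forward: X_i = X'_i - f_i(X'_{i-1}) for i = C..2,
    then X'_0 = sum_{i>=2} X_i and X_1 = X'_1 - f_1(X'_0). Nothing from the
    forward pass must be kept, which is what makes very deep stacks affordable."""
    C = len(weights)
    Y = split_groups(y, C)
    X = [None] * C
    for i in range(C - 1, 0, -1):
        X[i] = sub(Y[i], group_fn(Y[i - 1], adj, weights[i]))
    X[0] = sub(Y[0], group_fn(sum_groups(X[1:]), adj, weights[0]))
    return concat_groups(X)

def edge_importance(h, edges, weights, node, n=N_NODES):
    """Leave-one-edge-out score: how far node's embedding norm moves when an
    edge is dropped. A perturbation stand-in for a learned edge mask (not the
    paper's method); edges outside node's receptive field score exactly 0."""
    def norm(out):
        return math.sqrt(sum(x * x for x in out[node]))
    base = norm(rev_forward(h, adjacency(n, edges), weights))
    return {e: abs(base - norm(rev_forward(h, adjacency(n, [f for f in edges if f != e]), weights)))
            for e in edges}

def demo(seed=3):
    """Round-trip the block and score the hub node's edges; returns (max error, scores)."""
    rng = random.Random(seed)
    h = [[rng.uniform(-1, 1) for _ in range(DIM)] for _ in range(N_NODES)]  # constructed features
    adj = adjacency(N_NODES, EDGES)
    w = make_weights(DIM // GROUPS, GROUPS)
    h_rec = rev_inverse(rev_forward(h, adj, w), adj, w)
    err = max(abs(a - b) for ra, rb in zip(h, h_rec) for a, b in zip(ra, rb))
    return err, edge_importance(h, EDGES, w, node=0)

if __name__ == "__main__":
    err, imp = demo()
    print("max reconstruction error:", err)
    for e, s in sorted(imp.items(), key=lambda kv: -kv[1]):
        print(e, round(s, 4))
```

Running the script reconstructs the input features from the block's output to floating-point precision, and the importance table ranks the hub's own flows (edges touching node 0) above the unrelated chain, whose edges score exactly zero because they never enter node 0's two-hop receptive field. A real explainer would optimise a differentiable edge mask or take gradients of the class score rather than re-running the model per edge, but the defender-facing output is the same kind of object: a ranked list of flows to inspect for a flagged node.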