Knowledge-infused and Explainable Malware Forensics
DOI: https://doi.org/10.32473/flairs.37.1.135565
Keywords: Malware Forensics, Knowledge Graph, Explainable AI
Abstract
Despite considerable progress in malicious-software forensics, accurate attribution, the formulation of appropriate response and mitigation strategies, and the interpretability of deep learning methods remain open challenges. Although less flexible and less robust to noise than deep learning models, Knowledge Graphs are explainable by construction and are a promising means of exploring new features and relations and of making decisions more understandable. In this work we develop an explainable malware classifier that labels a PE executable as malicious or benign by infusing external knowledge through a Knowledge Graph (KG). We enrich the KG with the MITRE ATT&CK ontology (domain knowledge) and the EMBER dataset, and use the Graph2Vec algorithm to embed the KG into the classifier. Our classifier yields satisfactory results while maintaining a high level of explainability.
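The pipeline sketched in the abstract (a per-sample knowledge graph linking PE features to ATT&CK techniques, a Graph2Vec-style substructure embedding, a classifier, and an explanation of its verdict) can be illustrated end to end in a small stand-alone script. The code below is an added example, not the authors' implementation: the feature-to-technique table, the six training profiles and the two test samples are constructed for illustration, the technique labels only mimic ATT&CK IDs, and the Graph2Vec/doc2vec stage is replaced by counting readable Weisfeiler-Lehman subtree labels (the substructure features Graph2Vec is built on) with a Laplace-smoothed log-odds classifier, so that every weight can be traced back to a named subgraph pattern.

```python
"""Added illustration of a knowledge-graph malware classifier: per-sample
graphs built from EMBER-like PE features and linked to ATT&CK-style technique
nodes, embedded as Weisfeiler-Lehman subtree labels, then scored by a linear
log-odds model whose decision is explained by the highest-weight patterns.
Standard library only; every data item here is constructed."""
from collections import Counter, defaultdict
import math

# Constructed feature -> technique table standing in for the paper's
# ATT&CK-derived knowledge. The IDs are ATT&CK-style, but the mappings are
# assumptions for this example, not the paper's ontology.
DOMAIN_KNOWLEDGE = {
    "import:VirtualAllocEx": "T1055 Process Injection",
    "import:WriteProcessMemory": "T1055 Process Injection",
    "import:CreateRemoteThread": "T1055 Process Injection",
    "import:IsDebuggerPresent": "T1622 Debugger Evasion",
    "section:UPX0": "T1027 Obfuscated Files",
    "import:RegSetValueExA": "T1547 Boot or Logon Autostart",
}


def build_graph(features):
    """Undirected per-sample graph: a 'pe' root node, one node per EMBER-like
    feature string, and the technique node (if any) the table attaches to it."""
    adj = defaultdict(set)
    for feat in features:
        adj["pe"].add(feat)
        adj[feat].add("pe")
        technique = DOMAIN_KNOWLEDGE.get(feat)
        if technique:
            adj[feat].add(technique)
            adj[technique].add(feat)
    return adj


def wl_features(adj, iterations=2):
    """Bag of Weisfeiler-Lehman subtree labels. Each round relabels a node
    with its own label plus the sorted labels of its neighbours, so a label
    such as 'T1055 Process Injection(import:CreateRemoteThread,...)' names
    the imports that support a technique. Graph2Vec hashes these labels and
    feeds them to doc2vec; here they stay readable and are counted directly
    so the explanation can name the pattern."""
    labels = {node: node for node in adj}
    bag = Counter(labels.values())
    for _ in range(iterations):
        labels = {
            node: labels[node] + "(" + ",".join(sorted(labels[n] for n in adj[node])) + ")"
            for node in adj
        }
        bag.update(labels.values())
    return bag


def train(samples):
    """Laplace-smoothed log-odds weight per subtree label, estimated from
    (features, is_malicious) pairs. A linear stand-in for the embedding +
    classifier stage so that every learned weight is inspectable."""
    present_mal, present_ben = Counter(), Counter()
    n_mal = n_ben = 0
    for features, is_malicious in samples:
        labels = set(wl_features(build_graph(features)))
        if is_malicious:
            present_mal.update(labels)
            n_mal += 1
        else:
            present_ben.update(labels)
            n_ben += 1
    weights = {}
    for label in present_mal.keys() | present_ben.keys():
        p_mal = (present_mal[label] + 1) / (n_mal + 2)
        p_ben = (present_ben[label] + 1) / (n_ben + 2)
        weights[label] = math.log(p_mal / p_ben)
    return weights


def classify(weights, features, top_k=3):
    """Return (verdict, score, explanation). Labels never seen in training
    contribute 0; the explanation is the top_k labels by absolute weight."""
    bag = wl_features(build_graph(features))
    contributions = {label: weights.get(label, 0.0) for label in bag}
    score = sum(contributions.values())
    explanation = sorted(contributions.items(), key=lambda kv: -abs(kv[1]))[:top_k]
    verdict = "malicious" if score > 0 else "benign"
    return verdict, score, explanation


# Constructed training set: six tiny PE profiles, not EMBER records.
TRAINING = [
    (["import:VirtualAllocEx", "import:WriteProcessMemory",
      "import:CreateRemoteThread", "import:IsDebuggerPresent"], True),
    (["import:VirtualAllocEx", "import:WriteProcessMemory", "section:UPX0"], True),
    (["section:UPX0", "import:RegSetValueExA", "import:IsDebuggerPresent"], True),
    (["import:CreateFileW", "import:ReadFile", "section:.text"], False),
    (["import:MessageBoxW", "import:GetModuleHandleW", "section:.text"], False),
    (["import:RegSetValueExA", "import:CreateFileW", "section:.text"], False),
]
WEIGHTS = train(TRAINING)

if __name__ == "__main__":
    verdict, score, why = classify(
        WEIGHTS, ["import:VirtualAllocEx", "import:CreateRemoteThread", "import:ReadFile"])
    print(verdict, round(score, 3))
    for label, weight in why:
        print(f"  {weight:+.3f}  {label}")
```

Run stand-alone, the script classifies a sample that shares only some of the injection imports with the training set; the explanation lists the technique node and the subtree labels rooted at the injection imports, which is the kind of decision trace a KG-based classifier can offer and a purely neural one cannot. With real data the readable labels would be replaced by hashed WL labels plus a learned embedding, and the explanation would map embedding dimensions back to the subtree patterns that produced them.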
License
Copyright (c) 2024 Neha Mohan Kumar, Sheikh Rabiul Islam

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.