Comprehensive Analysis of Consistency and Robustness of Machine Learning Models in Malware Detection

Cybersecurity in recent years has gained significant attention, especially with the deployment of millions of devices across the globe and increased threats targeted toward embedded systems. Many cyber threats have been detected and emerged in the last few years. Among multiple threats, malware attacks are considered to be prominent due to the impact on users and systems. Considering the evolving trend of such cyber threats, traditional statistical and heuristic threat detection approaches have observed the need to be more effective and efficient. Machine learning (ML)-based cyber-threat detection has been actively researched and adopted across academia and industry to address the challenges of evolving cyber threats. However, ML-based neural network techniques though efficient, are considered black boxes due to the lack of sufficient information that can be used to deduce their functionality. On the other hand, the interpretable and explainable AI/ML field focuses on the explainability and reason for the decisions performed by the ML models. In this paper, we experiment with different explainable AI (XAI) techniques for interpreting multiple malware detection models. Specifically, we analyze the consistency and reliability of these neural network models in determining an attack and benign functions. We provide quantitative analysis of multiple explanation methods across different datasets. When trained with the top feature attributes (10%-35% of whole data) generated by XAI methods, the ML classifiers (trained on High Performance Counters and Mimicus PDF malware datasets) retain a malware detection accuracy of 88%-92%. The ML classifiers are also compared with state-of-the-art models and the proposed technique (training with partial data features generated by explainable methods) produce comparable malware detection accuracy above 82%.