Behavioral Drift–Aware Malware Detection: A Survey of Graph Neural Networks for Explainable and Operational Deployment

  • Volume : 4 Issue : 1 2026
  • Page Number : 10-26
  • Publication : ISRDO

Published Manuscript


Author

1. Yogesh S, Student, St Peters Institute for Higher Education and Research, India
2. Sheela E, Assistant Professor, St Peters Institute for Higher Education and Research, India

Abstract

Modern malware uses more and more advanced evasion techniques, like packing, polymorphism, fileless execution, reflective loading, and living-off-the-land behaviors. This makes traditional signature-based and static detection methods much less effective. Dynamic behavioral analysis—recording API and system-call traces, process interactions, memory activities, and network events—offers deeper semantic understanding of runtime malware behavior, yet generates highly structured, noisy, and evolving data. To tackle this issue, graph-based representations such as API-call graphs, control-flow graphs, system dependency graphs, and heterogeneous process-resource graphs have proven to be effective abstractions for modeling malware behavior. Graph Neural Networks (GNNs), which include convolutional, attention-based, temporal, and self-supervised types, have shown that they can find new types of malware and variants that act similarly to existing ones. Nonetheless, behavioral and conceptual drift, adversarial graph manipulation, restricted explainability, scalable graph extraction, and real-time deployment limitations persist as significant obstacles to operational implementation. This survey methodically examines GNN-based malware detection research published from 2020 to 2025, focusing specifically on drift-aware learning, explainable GNN models, and deployment-oriented factors. We classify current research based on graph construction strategies, GNN architectures, self-supervised and contrastive learning methodologies, robustness mechanisms, and evaluation protocols. Lastly, we talk about open research problems and suggest ways to move forward in creating GNN-based malware defense systems that are strong, easy to understand, and can be used in the real world.

Keywords

GNN malware detection; Behavioral Drift; Concept Drift; Dynamic Malware Analysis; Explainable AI; Adversarial Malware Graph Learning; Security Analytics

Conclusion

This survey presented a comprehensive review of graph-based malware detection techniques leveraging Graph Neural Networks (GNNs), with a particular focus on behavioral drift, explainability, adversarial robustness, and operational deployment. As modern malware increasingly adopts obfuscation, polymorphism, and adaptive execution strategies, traditional static and signature-based approaches have become insufficient. Graph-based representations, including static, dynamic, and hybrid behavior graphs, offer a powerful abstraction for capturing the structural and semantic characteristics of malware behavior.

We systematically examined malware behavior graph construction techniques, state-of-the-art GNN architectures, and diverse learning paradigms ranging from supervised to self-supervised and continual learning. Special emphasis was placed on explainable AI (XAI) methods, which are essential for building trust and enabling effective integration of GNN-based detectors into real-world security operations. Furthermore, we analyzed adversarial attacks targeting graph-based detectors and reviewed robustness-enhancing strategies necessary for sustaining long-term effectiveness under evolving threat landscapes.

Through a detailed discussion of datasets, evaluation protocols, and deployment considerations, this survey highlighted the gap between academic research and practical deployment. Finally, we identified key open research challenges and outlined future directions aimed at building scalable, interpretable, and resilient malware detection systems capable of adapting to behavioral drift and adversarial manipulation. We hope this survey serves as a valuable reference and roadmap for researchers and practitioners working toward operationally deployable GNN-based malware defense solutions.

Author Contribution

The author(s) conducted the literature review, analyzed existing malware detection techniques, organized the findings, and wrote the manuscript. All authors reviewed and approved the final version of the manuscript.

Funding

This research received no external funding.

Conflict of Interest

The authors declare no conflict of interest.

Data Sharing Statement

No new data were created or analyzed in this study. Data sharing is not applicable to this article.

Software And Tools Use

Reference management and manuscript preparation were carried out using standard word processing and citation management tools.

Acknowledgements

Not applicable.

Corresponding Author

Yogesh S

St Peters Institute for Higher Education and Research, Student, India

Sheela E

St Peters Institute for Higher Education and Research, Assistant Professor, India

Copyright

Copyright: ©2026 Corresponding Author. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.

S, Yogesh, and E, Sheela. “Behavioral Drift–Aware Malware Detection: A Survey of Graph Neural Networks for Explainable and Operational Deployment.” Scientific Research Journal of Science, Engineering and Technology, vol. 4, no. 1, 2026, pp. 10-26, https://isrdo.org/journal/SRJSET/currentissue/behavioral-driftaware-malware-detection-a-survey-of-graph-neural-networks-for-explainable-and-operational-deployment

