Behavioral Drift–Aware Malware Detection: A Survey of Graph Neural Networks for Explainable and Operational Deployment

Authors

1. Yogesh S, St Peters Institute for Higher Education and Research, Student, India
2. Sheela E, St Peters Institute for Higher Education and Research, Assistant Professor, India

Abstract

Modern malware increasingly relies on advanced evasion techniques such as packing, polymorphism, fileless execution, reflective loading, and living-off-the-land behaviors, which greatly reduce the effectiveness of traditional signature-based and static detection methods. Dynamic behavioral analysis, which records API and system-call traces, process interactions, memory activity, and network events, offers a deeper semantic understanding of runtime malware behavior, yet generates highly structured, noisy, and evolving data. To address this, graph-based representations such as API-call graphs, control-flow graphs, system dependency graphs, and heterogeneous process-resource graphs have proven to be effective abstractions for modeling malware behavior. Graph Neural Networks (GNNs), including convolutional, attention-based, temporal, and self-supervised variants, have demonstrated the ability to detect novel malware families and variants that behave similarly to known ones. Nonetheless, behavioral and concept drift, adversarial graph manipulation, limited explainability, scalable graph extraction, and real-time deployment constraints remain significant obstacles to operational use. This survey systematically examines GNN-based malware detection research published from 2020 to 2025, focusing on drift-aware learning, explainable GNN models, and deployment-oriented considerations. We classify existing work by graph construction strategy, GNN architecture, self-supervised and contrastive learning methodology, robustness mechanism, and evaluation protocol. Finally, we discuss open research problems and suggest directions for building GNN-based malware defense systems that are robust, interpretable, and deployable in practice.
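As an added illustration (not code from the survey or from any work it cites), the following Python builds the API-call graph abstraction named above from constructed sandbox traces and scores behavioral drift between a baseline corpus and a later one. The trace contents, the API names, the drift threshold and the choice of Jensen-Shannon divergence over edge frequencies are all assumptions standing in for the drift-aware methods the survey reviews; a GNN detector would consume the same graphs as input.

```python
"""Added example: API-call graphs and a simple behavioral-drift check.

Constructed for illustration; not code from the survey. Each sandbox trace is
a list of API names in call order. A trace becomes a directed graph whose
nodes are API names and whose weighted edges count successive call pairs.
Drift between a baseline corpus and a newly observed corpus is scored as the
Jensen-Shannon divergence (log base 2, so the score lies in [0, 1]) between
the two corpora's edge-frequency distributions.
"""
from collections import Counter
import math

# Constructed traces standing in for sandbox output (not real samples).
BASELINE_TRACES = [
    ["NtCreateFile", "NtWriteFile", "NtClose"],
    ["NtCreateFile", "NtReadFile", "NtClose"],
    ["NtCreateFile", "NtWriteFile", "NtWriteFile", "NtClose"],
]
# A later corpus whose call transitions never appear in the baseline.
DRIFTED_TRACES = [
    ["InternetOpenW", "InternetConnectW", "HttpSendRequestW"],
    ["InternetOpenW", "InternetConnectW", "HttpSendRequestW", "InternetCloseHandle"],
]


def build_api_call_graph(trace):
    """Directed API-call graph as {(api_i, api_i+1): count}.

    Nodes are implicit in the edge keys; an edge weight is how many times
    the second API was called directly after the first within this trace.
    """
    edges = Counter()
    for src, dst in zip(trace, trace[1:]):
        edges[(src, dst)] += 1
    return edges


def graph_nodes(graph):
    """Set of API names (graph nodes) touched by a call graph."""
    return {api for edge in graph for api in edge}


def corpus_edge_distribution(traces):
    """Normalised edge frequencies over a whole corpus of traces."""
    total = Counter()
    for trace in traces:
        total.update(build_api_call_graph(trace))
    n = sum(total.values())
    return {edge: count / n for edge, count in total.items()} if n else {}


def jensen_shannon(p, q):
    """Jensen-Shannon divergence (log base 2) between two distributions."""
    keys = set(p) | set(q)
    m = {k: 0.5 * (p.get(k, 0.0) + q.get(k, 0.0)) for k in keys}

    def kl(x):
        # KL(x || m); terms with x[k] == 0 contribute nothing.
        return sum(x[k] * math.log2(x[k] / m[k]) for k in x if x[k] > 0)

    return 0.5 * kl(p) + 0.5 * kl(q)


def detect_drift(baseline_traces, new_traces, threshold=0.1):
    """Return (drifted, score). Drift is flagged when the divergence of the
    new corpus from the baseline exceeds the threshold (an assumed value)."""
    score = jensen_shannon(corpus_edge_distribution(baseline_traces),
                           corpus_edge_distribution(new_traces))
    return score > threshold, score


if __name__ == "__main__":
    g = build_api_call_graph(BASELINE_TRACES[2])
    print("nodes:", sorted(graph_nodes(g)), "edges:", dict(g))
    print("baseline vs itself:", detect_drift(BASELINE_TRACES, BASELINE_TRACES))
    print("baseline vs drifted:", detect_drift(BASELINE_TRACES, DRIFTED_TRACES))
    print("baseline vs mixed:",
          detect_drift(BASELINE_TRACES, BASELINE_TRACES + DRIFTED_TRACES))
```

A corpus compared with itself scores 0, a corpus sharing no call transitions with the baseline scores 1, and a mixture lands in between; in an operational pipeline a score above the threshold would be the signal to re-examine the detector's training distribution rather than a verdict on any single sample.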

Keywords

GNN malware detection; Behavioral Drift; Concept Drift; Dynamic Malware Analysis; Explainable AI; Adversarial Malware Graph Learning; Security Analytics

Conclusion

This survey presented a comprehensive review of graph-based malware detection techniques leveraging Graph Neural Networks (GNNs), with a particular focus on behavioral drift, explainability, adversarial robustness, and operational deployment. As modern malware increasingly adopts obfuscation, polymorphism, and adaptive execution strategies, traditional static and signature-based approaches have become insufficient. Graph-based representations, including static, dynamic, and hybrid behavior graphs, offer a powerful abstraction for capturing the structural and semantic characteristics of malware behavior.

We systematically examined malware behavior graph construction techniques, state-of-the-art GNN architectures, and diverse learning paradigms ranging from supervised to self-supervised and continual learning. Special emphasis was placed on explainable AI (XAI) methods, which are essential for building trust and enabling effective integration of GNN-based detectors into real-world security operations. Furthermore, we analyzed adversarial attacks targeting graph-based detectors and reviewed robustness-enhancing strategies necessary for sustaining long-term effectiveness under evolving threat landscapes.

Through a detailed discussion of datasets, evaluation protocols, and deployment considerations, this survey highlighted the gap between academic research and practical deployment. Finally, we identified key open research challenges and outlined future directions aimed at building scalable, interpretable, and resilient malware detection systems capable of adapting to behavioral drift and adversarial manipulation. We hope this survey serves as a valuable reference and roadmap for researchers and practitioners working toward operationally deployable GNN-based malware defense solutions.

Author Contribution

The author(s) conducted the literature review, analyzed existing malware detection techniques, organized the findings, and wrote the manuscript. All authors reviewed and approved the final version of the manuscript.

Funding

This research received no external funding.

Software Information

Reference management and manuscript preparation were carried out using standard word processing and citation management tools.

Conflict of Interest

The authors declare no conflict of interest.

Acknowledgements

Not applicable.

Data Availability

No new data were created or analyzed in this study. Data sharing is not applicable to this article.