TY - M-10423
AU - S, Yogesh
AU - E, Sheela
TI - Behavioral Drift–Aware Malware Detection: A Survey of Graph Neural Networks for Explainable and Operational Deployment
T2 - Scientific Research Journal of Science, Engineering and Technology
PY - 2026
VL - 4
IS - 1
SN - 2584-0584
AB - Modern malware uses more and more advanced evasion techniques, like packing, polymorphism, fileless execution, reflective loading, and living-off-the-land behaviors. This makes traditional signature-based and static detection methods much less effective. Dynamic behavioral analysis—recording API and system-call traces, process interactions, memory activities, and network events—offers deeper semantic understanding of runtime malware behavior, yet generates highly structured, noisy, and evolving data. To tackle this issue, graph-based representations such as API-call graphs, control-flow graphs, system dependency graphs, and heterogeneous process-resource graphs have proven to be effective abstractions for modeling malware behavior. Graph Neural Networks (GNNs), which include convolutional, attention-based, temporal, and self-supervised types, have shown that they can find new types of malware and variants that act similarly to existing ones. Nonetheless, behavioral and conceptual drift, adversarial graph manipulation, restricted explainability, scalable graph extraction, and real-time deployment limitations persist as significant obstacles to operational implementation. This survey methodically examines GNN-based malware detection research published from 2020 to 2025, focusing specifically on drift-aware learning, explainable GNN models, and deployment-oriented factors. We classify current research based on graph construction strategies, GNN architectures, self-supervised and contrastive learning methodologies, robustness mechanisms, and evaluation protocols. Lastly, we talk about open research problems and suggest ways to move forward in creating GNN-based malware defense systems that are strong, easy to understand, and can be used in the real world.
KW - GNN
KW - malware detection
KW - Behavioral Drift
KW - Concept Drift
KW - Dynamic Malware Analysis
KW - Explainable AI
KW - Adversarial Malware
KW - Graph Learning
KW - Security Analytics
DO -