Rule Extraction and Interaction-Aware Explainability for AI-Driven Malware Detection

Abstract

As machine learning becomes integral to malware detection, the demand for interpretability has become critical, not only to understand model decisions, but also to support actionable insights for analysts. While post-hoc techniques like SHAP, LIME, and Anchor offer feature attributions or instance-level rules, they fail to capture generalized semantic patterns across malware samples. To address this, we propose a unified and extensible explainability framework for binarized malware features, offering three levels of interpretability: (1) first-order explanations (individual feature effects), (2) second-order explanations (pairwise interactions revealing nonlinear dependencies), and (3) higher-order, rule-based explanations that formalize joint feature contributions for deeper analytical insight. Our framework builds on an MLP-based detector trained on the EMBER dataset. It first uses SHAP to assess global feature relevance and then introduces two key extensions: (i) a SHAP-based interaction formalism that reveals synergistic and antagonistic effects among features, and (ii) a generalized Anchor algorithm that extracts symbolic, reusable rules to illuminate model behavior and malware patterns. Our global rules achieve an F1 score of 83% on EMBER and perfectly reconstruct nonlinear decision boundaries in synthetic benchmarks (100% F1 on the XoR dataset). Analysis of EMBER’s extracted rules reveals that the black-box model’s logic often relies on structural anomalies, prioritizing statistical patterns rather than capturing meaningful behavioral patterns indicative of known malware tactics.