Abstract
The rising complexity of modern malware—such as polymorphic, fileless, and sandbox-aware variants—has severely diminished the reliability of conventional detection techniques. Models based on sequential data frequently miss intricate behavioral patterns and long-range dependencies, resulting in poor accuracy and limited adaptability to new threats. This paper introduces GraphShield, a graph-centric behavioral detection framework that identifies malware with high precision by analyzing dynamic API call sequences. GraphShield converts raw API calls into temporal graphs, applies semantic vectorization, and leverages attention mechanisms to extract both localized activity and extended behavioral correlations, directly addressing the weaknesses of earlier systems. We design and assess multiple Graph Neural Network (GNN) variants, including Graph Convolutional Networks (GCNs), Graph Attention Networks (GATs), Graph Isomorphism Networks (GINs), and Transformer-based architectures combining convolutional, recurrent, and autoencoding layers. These models capture structural and temporal traits of execution traces using both classification-only and combined classification-reconstruction strategies. To enhance transparency, we incorporate GNN interpretation tools that isolate key API call subgraphs and critical decision pathways, making detection outcomes explainable for analysts. GraphShield is trained on 300,000 balanced instances and tested on a separate 200,000-sample holdout set, achieving over 58% improvement in accuracy over advanced sequence-driven deep learning models while maintaining a false positive rate under 1%. Key features include BERT-based API call grouping for reducing dimensionality and a Markov-inspired graph stabilization method for managing graphs of variable length. Our top models attain a 99.5% F1-score on the test set. 
GraphShield aligns recent graph learning techniques with operational cybersecurity needs, delivering accurate detection and clear, interpretable results.
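As an added illustration (not the paper's own code), the following builds the temporal graph from a constructed API call trace and collapses it into a fixed-size, Markov-style transition matrix so traces of any length yield the same feature shape. The hand-written API-to-group map is an assumed stand-in for the paper's BERT-based grouping, and row normalisation is an assumed stand-in for its graph stabilisation step.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample traces for illustration; not from the paper's dataset.
SAMPLE_TRACES: Dict[str, List[str]] = {
    "benign": ["CreateFileW", "ReadFile", "ReadFile", "CloseHandle", "ExitProcess"],
    "suspicious": ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                   "CreateRemoteThread", "CloseHandle"],
}

# Hand-written semantic groups (assumption: the paper derives these with BERT).
API_GROUPS: Dict[str, str] = {
    "CreateFileW": "file", "ReadFile": "file", "WriteFile": "file",
    "OpenProcess": "process", "ExitProcess": "process",
    "VirtualAllocEx": "memory", "WriteProcessMemory": "memory",
    "CreateRemoteThread": "thread", "CloseHandle": "handle",
}
GROUPS: List[str] = ["file", "process", "memory", "thread", "handle", "other"]


def group_trace(trace: List[str]) -> List[str]:
    """Map each raw API name to its group; unknown APIs fall into 'other'."""
    return [API_GROUPS.get(api, "other") for api in trace]


def build_temporal_graph(trace: List[str]) -> Dict[Tuple[str, str], int]:
    """Directed temporal graph: edge (a, b) weighted by how often b followed a."""
    return dict(Counter(zip(trace, trace[1:])))


def transition_matrix(trace: List[str], vocab: List[str]) -> List[List[float]]:
    """Row-stochastic |vocab| x |vocab| matrix (assumed stand-in for the
    paper's Markov-inspired stabilisation): same shape for any trace length."""
    idx = {node: i for i, node in enumerate(vocab)}
    n = len(vocab)
    matrix = [[0.0] * n for _ in range(n)]
    for (src, dst), weight in build_temporal_graph(trace).items():
        matrix[idx[src]][idx[dst]] += weight
    for row in matrix:
        total = sum(row)
        if total:  # rows with no outgoing edges stay all-zero
            row[:] = [w / total for w in row]
    return matrix


def feature_vector(raw_trace: List[str]) -> List[float]:
    """Flatten the grouped transition matrix into a fixed-length feature vector."""
    matrix = transition_matrix(group_trace(raw_trace), GROUPS)
    return [w for row in matrix for w in row]
```

Both sample traces produce a 36-element vector, which is the property that lets variable-length traces feed a fixed-input model.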
| Original language | English |
|---|---|
| Article number | 129812 |
| Number of pages | 24 |
| Journal | Expert Systems with Applications |
| Volume | 298 |
| Issue number | Part D |
| Early online date | 2 Oct 2025 |
| DOIs | |
| Publication status | Early online - 2 Oct 2025 |
Keywords
- Malware detection
- Graph neural networks (GNNs)
- API call analysis
- Behavioral graph representation
- Dynamic malware analysis
- GNN explainer
- Zero-day threat detection
- Temporal graph modeling
- Deep learning for cybersecurity