On the Consistency of GNN Explanations for Malware Detection

📅 2025-04-22
🤖 AI Summary
This work addresses two key challenges—interpretability and explanation consistency—in control-flow-graph (CFG)-based malware detection using graph neural networks (GNNs). To tackle them, we propose a rule-driven dynamic CFG construction method that integrates expert-crafted rules with autoencoder-derived node embeddings for feature generation. We further design RankFusion, a multi-explainer aggregation mechanism, and Greedy Edge-wise Composition (GEC), a subgraph extraction strategy, enabling the first systematic evaluation and enhancement of explanation consistency in GNN-based malware detection. Experiments demonstrate significant improvements over baselines in detection accuracy, explanation fidelity, and consistency metrics. RankFusion and GEC jointly enhance structural coherence and explanatory reliability. Our approach establishes verifiable explanation boundaries, advancing trustworthy GNN deployment in security-critical applications.

📝 Abstract
Control Flow Graphs (CFGs) are critical for analyzing program execution and characterizing malware behavior. With the growing adoption of Graph Neural Networks (GNNs), CFG-based representations have proven highly effective for malware detection. This study proposes a novel framework that dynamically constructs CFGs and embeds node features using a hybrid approach combining rule-based encoding and autoencoder-based embedding. A GNN-based classifier is then constructed to detect malicious behavior from the resulting graph representations. To improve model interpretability, we apply state-of-the-art explainability techniques, including GNNExplainer, PGExplainer, and CaptumExplainer; the latter is used with three attribution methods: Integrated Gradients, Guided Backpropagation, and Saliency. In addition, we introduce a novel aggregation method, called RankFusion, that integrates the outputs of the top-performing explainers to enhance explanation quality. We also evaluate explanations using two subgraph extraction strategies, including the proposed Greedy Edge-wise Composition (GEC) method for improved structural coherence. A comprehensive evaluation using accuracy, fidelity, and consistency metrics demonstrates the effectiveness of the proposed framework in accurately identifying malware samples and generating reliable and interpretable explanations.

Problem

Research questions and friction points this paper is trying to address.

Dynamic CFG construction for malware detection using GNNs
Improving GNN explainability with hybrid embedding and RankFusion
Evaluating explanation consistency via subgraph extraction strategies

Innovation

Methods, ideas, or system contributions that make the work stand out.

Hybrid rule-based and autoencoder CFG embedding
RankFusion aggregates top explainers' outputs
Greedy Edge-wise Composition enhances subgraph coherence