Can We Trust Your Explanations? Sanity Checks for Interpreters in Android Malware Analysis
IEEE Transactions on Information Forensics and Security (IF 6.3), Pub Date: 9-4-2020, DOI: 10.1109/tifs.2020.3021924
Ming Fan, Wenying Wei, Xiaofei Xie, Yang Liu, Xiaohong Guan, Ting Liu

With the rapid growth of Android malware, many machine learning-based malware analysis approaches have been proposed to mitigate this severe phenomenon. However, such classifiers are opaque and non-intuitive, and it is difficult for analysts to understand the reasons behind their decisions. For this reason, a variety of explanation approaches have been proposed to interpret predictions by providing important features. Unfortunately, the explanation results obtained in the malware analysis domain generally cannot reach a consensus, which leaves analysts unsure whether they can trust such results. In this work, we propose principled guidelines to assess the quality of five explanation approaches by designing three critical quantitative metrics to measure their stability, robustness, and effectiveness. Furthermore, we collect five widely-used malware datasets and apply the explanation approaches to them in two tasks: malware detection and familial identification. Based on the generated explanation results, we conduct a sanity check of these explanation approaches in terms of the three metrics. The results demonstrate that our metrics can assess the explanation approaches and help us obtain knowledge of the most typical malicious behaviors for malware analysis.

Updated: 2024-08-22