In this paper, we propose XG-BoT, an explainable deep graph neural network model for botnet node detection. The proposed model consists mainly of a botnet detector and an explainer for automatic forensics. The XG-BoT detector can effectively detect malicious botnet nodes in large-scale networks. Specifically, it utilizes a grouped reversible residual connection with a graph isomorphism network to learn expressive node representations from the botnet communication graphs. The explainer in XG-BoT can perform automatic network forensics by highlighting suspicious network flows and related botnet nodes. We evaluated XG-BoT on real-world, large-scale botnet network graph datasets. Overall, XG-BoT is able to outperform the state of the art in terms of key evaluation metrics. In addition, we show that the XG-BoT explainer can generate useful explanations based on GNNExplainer and saliency maps for automatic network forensics.