MalNet Graph Database for Malware Analysis

• MalNet is a comprehensive graph dataset comprising 1.26M non-attributed function call graphs from Android malware, annotated with a hierarchical 47-type and 696-family labeling scheme.
• It offers unprecedented scale and diversity compared to existing datasets, facilitating advanced research in imbalanced classification, explainability, and benchmarking of graph neural networks.
• The resource supports both full-scale and compact versions, enabling researchers to benchmark methods on large real-world data and conduct rapid prototyping with a balanced subset.

MalNet is the largest publicly available graph database designed to advance research in graph representation learning, particularly focused on malicious software analysis. Comprising over 1.2 million function call graphs derived from Android malware, MalNet introduces unprecedented scale and hierarchical depth, supporting rigorous benchmarking of graph neural networks and related machine learning techniques in classification, imbalanced learning, and interpretability tasks (Freitas et al., 2020).

1. Dataset Composition and Organization

MalNet consists of 1,262,024 function call graphs constructed from Android application samples. Each individual graph averages 15,378 nodes and 35,167 edges, stored in standard edge list format and amounting to 443 GB of disk space.

The labeling hierarchy comprises:

• 47 graph types: Broad malware categories (e.g., Adware, Trojan).
• 696 families: More granular subtypes within each malware category.

MalNet samples include rich annotation:

• VirusTotal reports up to 70 antivirus labels per APK.
• Hierarchical type–family class structure.
• All graph data is provided in standard formats.

Summarized dataset statistics: | Statistic | Value | |-------------------------|-------------------------------| | Number of graphs | 1,262,024 | | Avg. nodes per graph | 15,378 | | Avg. edges per graph | 35,167 | | Types (coarse classes) | 47 | | Families (fine classes) | 696 |

Let $G$ denote the number of graphs, $\bar{n}$ the average number of nodes, and $\bar{e}$ the average number of edges:

$$G \approx 1.26 \times 10^6, \quad \bar{n} \approx 15,378, \quad \bar{e} \approx 35,167$$

2. Comparative Analysis with Existing Graph Datasets

MalNet greatly exceeds existing datasets in scale and diversity. For context, the REDDIT-12K dataset contains:

• 12,000 graphs (MalNet: 105× more)
• Avg. graph size: much smaller (MalNet: 39× larger)
• Classes: 12 (MalNet: 63× more)

This scale enables research scenarios that cannot be modeled in previous benchmarks, particularly in dealing with class imbalance and rare subtypes as well as noise and heterogeneity inherent in real-world graphs.

3. Research Applications and Opportunities

The properties of MalNet open significant avenues for research:

• Imbalanced Classification: The distribution is naturally long-tailed, with certain types containing hundreds of thousands of samples while rare families have as few as ~100. This allows for evaluation of algorithms designed to improve generalization in the presence of severe imbalance.
• Explainability: The diverse graph structures and significant performance variance across classes (as illustrated by class-wise macro-F1 heatmaps) make MalNet suitable for studies in explainable ML, especially explaining model failures on hard classes.
• Class Hardness: MalNet’s shift from 47 type-level to 696 family-level classes offers direct evidence for the impact of class diversity; all evaluated methods show marked decline in macro-F1 when moving to family-level classification (Feather drops from 0.41 to 0.34), motivating inquiry into class hardness and the limits of current approaches.
• Benchmarking Graph Methods: Enables the systematic evaluation of graph learning methods (e.g., GNNs and feature-based baselines) under large-scale, non-attributed graph regimes.

The authors additionally provide "MalNet-Tiny"—5000 graphs with 5 balanced types, facilitating rapid prototyping and methodological testing in a lower-resource setting.

4. Baseline Methods and Evaluation Protocols

MalNet’s evaluation framework comprises seven graph representation methods:

• Graph Neural Networks (GNNs): GCN, GIN.
• Feature-based/Efficient Embeddings: Local Degree Profile (LDP), NoG, Feather, Slaq-VNGE, Slaq-LSD.

Splits are performed 70/10/20 (train/validation/test) at both type and family levels, with consistent splits for MalNet-Tiny. Metrics include macro-F1, precision, and recall.

Key findings:

• Simple baseline approaches such as LDP and NoG (degree-based, histogram features) can match or surpass GNNs for family-level tasks in some settings.
• Extraction and representation of non-attributed, large graphs allow evaluation of graph algorithms independent of node/edge feature availability.

5. Accessibility, Licensing, and Tooling

MalNet is distributed under a CC-BY license:

• Full graph data and meta-information are downloadable from www.mal-net.org.
• Extraction code, experimental pipelines, and utility scripts are available at https://github.com/safreita1/malnet-graph.
• The MalNet Explorer is a web-based interactive visualization tool supporting direct inspection of graph structures and classes.

Table: Resource Availability in MalNet | Resource | Format/Access | Location | |-----------------|---------------------------------|---------------------------------| | Graphs | Edge list (+VirusTotal) | www.mal-net.org | | Code/pipelines | Python/Jupyter | GitHub (malnet-graph) | | Explorer Tool | Web demo | www.mal-net.org/explorer |

6. Implications and Future Directions

MalNet’s scale, complexity, and diversity underpin several frontiers:

• Imbalanced and Multi-class Learning: Direct support for algorithmic development targeting long-tailed distributions, including meta-learning, cost-sensitive learning, and advanced sampling.
• Explainable and Robust ML: Fine-grained class performance data and diverse structure allow studies of interpretability and robustness.
• Graph Topology Studies: MalNet can drive theoretical research into real-world graph properties, such as motif distributions, community structures, and their relation to malware semantics.
• Evolutionary Adaptation: The continuous expansion promise of MalNet, aligning with emerging threats and Android ecosystem evolution, provides an evergreen testbed for real-world deployment scenarios.

A plausible implication is that MalNet, due to its hierarchical labeling and large scale, will become the de facto standard for benchmarking graph classification models in security and related domains.

7. Common Misconceptions and Clarifications

A frequent misconception is that MalNet provides attributed graphs suitable for attribute-centric GNN evaluation. In reality, the initial release comprises non-attributed function call graphs, with all nodes and edges described solely by structural connectivity. Methods requiring rich node attributes must adapt—often by extracting features (e.g., degree profiles, motif counts) from the raw graph structures themselves.

Another misconception concerns the balance and class distributions; MalNet, by design, includes severe class imbalance, necessitating explicit algorithmic handling for realistic evaluation.

---

MalNet advances graph representation learning with unprecedented scale and hierarchical label diversity. Through both full and tiny versions, it supports benchmarking, algorithm development, explainability studies, and multi-class, imbalanced learning, anchoring future research in robust, real-world graph data.