In a world dominated by digitalization, cybersecurity has emerged as one of the leading issues across sectors. As there is growing dependence on interconnected systems, the pattern of cyberattacks has changed from mere malware attacks to highly sophisticated Advanced Persistent Threats (APTs) [1], [2]. APTs are distinguished by their stealthy, long-lasting nature, and focused approach, usually coordinated by well-organized groups targeting critical infrastructures, financial agencies, or governmental institutions [3].

Conventional cybersecurity measures like signature-based antivirus software or simple anomaly detection mechanisms find it difficult to identify such advanced attacks, particularly in their initial phases [4]. The main reason is that APTs work in multiple phases — initial compromise, lateral movement, data extraction — each utilizing different methods and dealing with different objects like files, IP addresses, vulnerabilities, and malware [5]. Therefore, detecting and attributing APT attacks not only means identifying malicious patterns but also realizing the intricate interdependencies between various indicators of compromise (IoCs).

The latest developments in Graph Neural Networks (GNNs) have created new possibilities for cybersecurity in that systems can now capture intricate relationships among disparate data points [6]. In particular, Heterogeneous Graph Neural Networks (HGNNs) offer the flexibility to represent diverse kinds of nodes (e.g., malwares, APT groups, vulnerabilities, APIs) and edges (e.g., "uses", "exploits", "belongs to") within a single framework [7]. This multimodal merging offers an integrated perspective towards cyber activities and strengthens the performance of detection as well as attribution.

But the use of sophisticated models such as HGNNs introduces new issues of trust and interpretability. In the absence of adequate explainability, security analysts will be reluctant to trust AI-based threat detection systems, particularly in high-risk settings [8]. To mitigate this, Explainable AI (XAI) methods, including SHAP (SHapley Additive exPlanations) and LIME (Local Interpretable Model-agnostic Explanations), are incorporated to deliver transparent and interpretable explanations of model predictions.

The initial cyber threat detection techniques were mostly based on conventional signature-based mechanisms, which were inadequate to respond to zero-day attacks and adaptive attackers [9]. The static nature of these systems usually led to prompt detection or outright failure against sophisticated Advanced Persistent Threats (APTs), pointing towards the requirement of more dynamic and smart mechanisms for identifying unknown patterns of attack.

Graph-based models have come to be recognized as a better approach to modeling cyber threats, as they are capable of modeling complex relationships among varied cybersecurity objects like users, files, vulnerabilities, and attack patterns [10]. With nodes and edges being used to denote these objects and interactions, graph neural networks (GNNs) can better learn latent patterns and identify abnormal behavior compared to flat feature-based models.

In the last few years, Heterogeneous Graph Neural Networks (HGNNs) have been researched for cyber threat analysis where various kinds of nodes and relationships are present [11]. While traditional homogeneous GNNs consider all entities as the same, HGNNs are able to discern malware, APT groups, vulnerabilities, and platforms, resulting in a more precise and context-based threat detection system that reflects the intricate nature of cybersecurity data.

Explainable AI methodologies have found their way into the world of cybersecurity to fill the gap for trust issues commonly linked with sophisticated deep learning algorithms [12]. Models such as SHAP offer feature attribution explanations, enabling analysts to know why a particular alert or prediction was generated. Transparency is important in such operational scenarios where decisions are required to be validated prior to action.

Fusion of multimodal data sources has been demonstrated to considerably improve the efficacy of cyber threat detection systems [13]. Data fusion from static malware features, dynamic behavior, network flows, and API call sequences allows the models to learn complementary information that would otherwise go unnoticed when only one modality is considered.

Advanced research has also been aimed at anomaly detection models specifically designed for cybersecurity, including Isolation Forests and Autoencoders, that assist in marking abnormal behavior even when clear attack signatures are absent [14]. These unsupervised techniques have been shown to be useful in detecting novel APT behavior based on deviation from learned normal patterns.

Researchers have introduced hybrid graph-based and sequence-based models to overcome the shortcomings of separate approaches [15]. By concurrently modeling graph structure for inter-entity relationships and sequence data for the progression of events, these models seek to describe both spatial and temporal characteristics of cyber attacks and thus improve detection accuracy.

Another important development in cyber threat attribution is the application of graph embedding methods, in which nodes are mapped into a lower-dimensional representation while maintaining structural information [16]. This makes it easier to cluster and classify malwares and threat actors and map faster and more accurately between observed artifacts and known APT groups.

Cross-platform malware analysis has been tackled by building integrated graph representations that include behaviors from various operating systems [17]. These approaches assist in identifying APTs that initiate coordinated attacks against multiple environments, improving the generalization capability of detection models.

The integration of Transformer models with graph-based learning has been suggested as a new approach to cyber threat intelligence [18]. Transformers focus exceptionally well on capturing long-distance dependencies, and their union-based fusion with graph learning offers a very strong means to comprehend intricate multi-hop attack schemes common to APT campaigns.

Latest solutions have utilized federated learning to construct collaborative malware detection models without the exchange of sensitive information across organizations [19]. This not only maintains data privacy but also enhances the global threat intelligence at the disposal of each participant, thus enhancing early-stage APT detection.

The application of attention mechanisms in GNNs has been researched to give importance to essential nodes and edges while identifying cyber threats [20]. By applying dynamic attention weights, the model can emphasize significant threat indicators and reduce noise from irrelevant edges, resulting in increased detection accuracy.

Efforts have been made to develop explainable graph-based models with the explanation module embedded within the GNN structure itself [21]. This enables the system not only to yield a detection or attribution decision but also an understandable reasoning path, which is of great value for cybersecurity analysts while investigating. Data augmentation methods such as graph perturbations have been investigated in order to robustify HGNN models against adversarial attacks [22]. By reproducing possible attack manipulations in training, these models are able to perform at high accuracy even when actual-world attackers make the effort to circumvent detection by changing malware behaviors.

Multimodal adversarial attacks against various feature spaces at once have been researched in the cybersecurity context [23]. It is necessary to understand these threats in order to create robust detection systems that can resist concerted efforts to mislead multiple tiers of threat intelligence mechanisms.

Another recent research in 2024 suggested employing large language models (LLMs) such as GPT in combination with cyber knowledge graphs to aid real-time APT detection and explanation [24]. The LLMs serve as a reasoning engine on top of the structured threat intelligence graphs, providing fast, explainable, and proactive cybersecurity advice.

The proposed methodology integrates malware detection, classification, and attribution using a Heterogeneous Graph Attention Network (GAT) with Explainable AI.

A. Data Collection and Feature Extraction

Malware reports are retrieved from VirusTotal using SHA 256 hashes. Each report yields attributes such as:

• d: number of AV engines detecting malware

• t: total number of AV engines used

• - (1)

Other features include file metadata, API calls, and binary characteristics.

Datasets from multiple sources (APT labels, entry points, executable type, languages) are joined into a unified table. Categorical features are one-hot encoded, and class imbalance is addressed using SMOTE.

Let X ∈ be the feature matrix and y ∈ {0,1}ⁿ be the label vector. After SMOTE:

C. Graph Construction and Node Mapping

define a heterogeneous graph G = (V,E) where:

• V ={v_i} includes malware samples, APT groups, and platforms

• E = {(v_i,v_j,r_k)} where rk denotes edge types (e.g., attributed_to, targets_on)

Adjacency matrices A^r are formed for each edge type r, creating multi-relational input for GAT.

D. Heterogeneous GAT Model Training

Each node v_i is associated with a feature vector hi. For a given node and relation type r, attention coefficients between node i and neighbour j are computed as:

E. Risk Scoring and Classification

After training, each malware node has an embedding zi, passed to a classifier:

The probability score pi for class 1 (malicious) is compared against a threshold θ:

F. Explainability using SHAP

To enhance interpretability, use SHAP to compute feature contributions:

Where: - F is the set of all features - f(S) is the model output when only features in S are present - ϕj is the SHAP value for feature j

F. Algorithm: Detection Pipeline

This pipeline supports proactive threat detection and attribution using graph-based deep learning with post-hoc explainability.

i) Reports Extraction from VirusTotal using Hashes

In this research, used a dataset called overview.csv, which holds hash values (namely file hashes corresponding to malware samples). Each hash was used as an identifier to fetch detailed reports of analysis from the VirusTotal platform. VirusTotal, being a well-reputed threat intelligence aggregator, yielded rich metadata like malware family labels, detection ratios, behaviour analysis, and corresponding file characteristics as shown in below Fig. 3. Upon fetching the reports, the extracted data allowed us to construct a more comprehensive feature set capturing the behaviour and threat indicators of each sample. This added layer of threat intelligence greatly improved the context for every cyber event captured in this dataset.

With the enriched data, executed the following analysis:

• Mapped APT with Malware:

By training on attack patterns, same behavioural changes and attack behaviours have mapped APT with malware using heterogeneous graph neural network.

• Anomaly Detection and Predictive Analysis:

By training on extracted features such as API call patterns, detection counts, file types, and behavioural scores, It was possible to detect anomalous behaviour indicative of future cyber-attacks with accuracy. The predictive models showed excellent performance, detecting arriving attacks with certainty before they had a chance to escalate.

• Cross-Platform Malware Attribution:

Taking advantage of heterogeneous graph building using malware sample nodes, corresponding behaviours, and platform-based attributes (Windows, Linux, Android), using an HGNN-based approach. enabling successfully attribute malware samples to their respective Advanced Persistent Threat (APT) groups, even between different operating systems. Graph structure allowed us to capture intricate relationships between objects that are not present in flat conventional models.

• Explainable AI Analysis:

In order to enhance the interpretability of the predictive models,using SHAP (SHapley Additive exPlanations) for the detection and attribution results. Explainable analysis yielded direct insight into which features — like detection ratio, malware type, or behavioural anomalies — had the most impact on the model's predictions. Such transparency is important to enable cybersecurity practitioners to have confidence and take action on automated threat intelligence.

ii) Generating the Sub Datasets (like APT Groups, Executables, Entry Points, etc.) and merged as a final dataset

To construct a robust dataset for analysis, employed a systematic multi-stage methodology. The process began with the creation of sub-datasets centered around specific attributes extracted from VirusTotal reports and additional threat intelligence sources.

The sub-datasets comprised the following essential elements:

Once created these disparate sub-datasets, ran a merge step based on the unique resource hash (SHA-256 hash) as the master key. Figure 4 shows the merged final dataset brought together all the extracted features into one cohesive structured format for easy analysis and model training.

iii) Enhance Model Performance using Heterogenous Graph Neural Network.

The Given Fig. 5. shows in order to gauge the baseline accuracy on the merged dataset, The Random Forest (RF) classifier is employed. The Random Forest model yielded an initial accuracy of 58.09%, showing limited predictive capacity because of the intricate, multi-relational feature nature. Subsequently hyperparameter tuning on the Random Forest model by optimizing parameters like the number of trees, depth, and feature selection methods. Upon hyperparameter optimization, the accuracy of the model increased drastically to 84.20%. But further refinement was limited by the intrinsic drawback of tree-based models in processing non-Euclidean, heterogeneous data structures.

Noting the heterogeneity of the features extracted—having text data (languages, libraries), numerical data (entry points), and categorical mappings (APT groups)—A shift was made to a Neural Network (NN) oriented approach. While the Neural Network model better captured nonlinear relationships compared to Random Forest, it still processed the data as flat and independent, failing to capture the relational dependencies between entities like resources, languages, and libraries.

To more effectively capture the intricate interactions and heterogeneous relationships, A Heterogeneous Graph Neural Network (HGNN) architecture was employed. In the built heterogeneous graph:

• Nodes were used to represent entities like malware samples, APT groups, languages, libraries, and entry points.

• Edges were used to capture the relationships between these entities, like "sample-uses-library" or "sample-belongs-to-APT."

The HGNN was trained to learn embeddings over this dense graph structure, using both node features and inter-node relations. Consequently, the Heterogeneous Graph Neural Network had a final accuracy of 98.52%, which constituted a significant improvement on conventional machine learning models. Such a shift in modeling methodology—from two-dimensional classifiers towards graph-based learning—emphasized the fundamental significance of taking advantage of the inherent relational structure of cybersecurity data in order to gain better prediction performance.

iv) Mapping of APT Groups with Malwares

To improve the level of granularity in threat attribution and analysis, Malware samples were mapped to their respective Advanced Persistent Threat (APT) groups with a high level of detail. The mapping was mostly derived from observed attack patterns, malware behavior, techniques used, and derived threat intelligence gathered from VirusTotal reports and open-source cybersecurity databases. Every malware sample, represented by its SHA-256 hash, was linked to several attributes such as its detection count, malware family, first seen date, behavior tags, applicable CVEs (Common Vulnerabilities and Exposures), and its suspected or known APT group affiliation. As shown in Fig. 6. below-

The mapped dataset was instrumental in facilitating downstream operations, namely:

• Anomaly Detection:

• Predictive Analysis:

• Cross-Platform Attribution:

This organized mapping of malware artifacts to APT groups greatly enhanced the explainability, accuracy, and strategic value of the threat intelligence models created in this research.

v) Anomaly Detection and Predictive analysis

To facilitate proactive cybersecurity analysis, Anomaly detection and predictive analytics were performed on the constructed malware-APT-platform graph.Above Fig. 7 shows the predictive analysis by generating the risk score of malwares also implemented detection of anomaly/malware and moved to quarantine folder.

The procedure entailed a number of systematic steps:

1. Firstly, malware analysis information was uploaded from a CSV file and preprocessed, wherein missing fields like CVEs were replaced by "Unknown" values. Primary columns like SHA256, Malware Family, Tags, and APT Group were chosen to establish relationships between entities.

2. A heterogeneous graph was built using NetworkX, showing malware samples, APT groups, and target platforms (Windows, Linux, etc.). Malware nodes were linked to APT groups through the "attributed_to" relationship and to platforms through the "targets" relationship. Specific logic was used to identify platforms from malware tags and names.

3. The built NetworkX graph was subsequently converted into a PyTorch Geometric compatible format. Node features were set to be initialized as padded vectors of size 128, and binary labels (0 = benign, 1 = APT-related) were allocated. For class imbalance handling, SMOTE over-sampling and Random Under Sampling were utilized, and then the graph structure was accordingly updated.

4. To detect anomalies, a Graph Convolutional Network (GCN) model was created, including two GCNConv layers, ReLU activation, dropout regularization, and weighted CrossEntropyLoss to emphasize APT-oriented node detection. The model was trained and validated via train-test split strategy, and Adam optimizer was used to optimize.

5. Moreover, file-handling operations were created to isolate malware threats according to their SHA256 hashes. A new module was also added for cross-platform tracing of threats on various operating systems.

6. Lastly, to provide better explainability, SHAP (SHapley Additive exPlanations) analysis was conducted, yielding comprehensible insights regarding how certain instances of malware were linked to APT groups and target platforms.

vi) Cross Platform Attribution

identified malicious objects. After the malware samples were alerted as anomalous based on the heterogeneous GNN model, a platform attribution operation was initiated. The analysis took advantage of the malware's connections traced in the heterogeneous graph as shown in Fig. 8 - namely, the "targets" edges between malware samples and particular platforms like Windows, Linux, Android, and macOS. For every anomalous node (malware sample) identified, its respective platform(s) were determined based on its tags, behaviors, and first-seen attributes gathered from VirusTotal reports. The system also supported tracking the footprint of the malware across multiple platforms, thereby pinpointing malware variants with cross-platform behavior. Whenever a malware instance was associated with multiple platforms (e.g., Windows and Linux), it was marked for greater threat consideration given its broader attack surface. This cross-platform tracing not only facilitated improved insight into the propagation of the threat but also fed important input for mitigation tactics, particularly in hybrid infrastructure scenarios. With this approach, organizations could order containment steps according to the platform scope of the malware, greatly enhancing incident response effectiveness.

vii) Analysis of Malware using Explainable AI (using SHAP)

As shown in Fig. 9 To enhance the interpretability of the anomaly detection outcomes, Explainable AI (XAI) methods, specifically SHAP (SHapley Additive exPlanations), were integrated.to examine malware activity and model choices. Following the GNN-based anomaly detection, SHAP values were calculated to determine the contribution of every feature towards a malware sample being labeled as anomalous. Features like the family of the malware, related APT group, targeted platform, detections count, and CVE details were analyzed. The SHAP analysis gave After the anomaly detection step, conducted an in-depth cross-platform analysis of the

local explanations for each prediction and global explanations throughout the dataset. For example, malware samples associated with multiple CVEs, known APT groups, or targeting multiple platforms had higher SHAP scores, which showed greater influences on anomalous classification. This interpretability enabled security analysts not only to comprehend why a specific sample was flagged as anomalous but also to rank threats according to explainable reasons like exploitation complexity, known vulnerabilities, and cross-platform reach. In general, including SHAP improved the transparency of our machine learning pipeline, facilitating trust and actionable insights for real-world cybersecurity operations.

Table 1. Comparison with Existing model

Table 1. showcases an overall comparison between the designed Heterogeneous Graph Neural Network (HGNN) and previous models traditionally utilized for malware detection and cyber threat analysis. Machine learning algorithms, including the Random Forest model, recorded a baseline accuracy of 58.09%, while its performance improved to 84.20% when hyperparameter optimization was done. Although a simple Neural Network model further increased accuracy to about 88.50%, it lacked explainability and cross-platform suitability.

Graph-based methods such as the Graph Convolutional Network (GCN) [6] and Heterogeneous Attention Network (HAN) [25] achieved improved accuracy rates of 91.30% and 94.20%, respectively, by utilizing relational information from the data. They were, however, restricted from enabling comprehensive explainability and comprehensive cross-platform malware analysis. By comparison, the developed HGNN model had an accuracy of 98.52%, far surpassing the baseline models. In addition, it provided improved explainability using SHAP-based analysis and uniquely supported cross-platform malware attribution, such as Windows, Linux, and Android targets. This all-encompassing modeling shows the strength of heterogeneous graph structures in real-world cybersecurity tasks, outperforming previous state-of-the-art techniques.

Table 2. shows, the suggested Heterogeneous Graph Neural Network model obtained an impressive performance improvement compared to current methods. From Table 1, the proposed HAN [25] requires only a multi-type graph and obtained 92.1% accuracy. The Graph-Based Behavioral Malware Detection [26] Malware Detection using GNNs obtained 86.5% accuracy[27]

Deep learning-based intrusion detection methods using CNNs and RNNs [28] reported 91.2% accuracy on cyber security datasets. In contrast to this, Proposed HGNN model, utilizing a well-built dataset of hash values, malware families, CVEs, entry points, libraries, and language details obtained from VirusTotal and overview.csv, delivered a better accuracy of 98.52% and an F1-Score of 97.88%. Early experiments with Random Forest models achieved 58.09% accuracy, which rose to 84.20% afte hyperparameter tuning. Nonetheless, because of the heterogeneity of the malware data, using a heterogeneous GNN architecture allowed for better capturing of intricate relationships between malwares.

Figure 10: Comparison of Proposed model with Existing model

Furthermore, incorporating Explainable AI techniques like SHAP also improved the explainability of the predictions by describing feature importance and attack attributions.

This research effectively illustrates the use of heterogeneous graph-based modeling for interpretable and accurate cyber threat attribution. Through the integration of various modalities of threat intelligence, including malware static features, APT group labels, entry points, libraries, and VirusTotal metadata, a common heterogeneous graph structure was built. Classic machine learning algorithms such as Random Forests achieved minor accuracy gains (58.09–84.20%), whereas our transition towards an HGNN framework remarkably increased the accuracy to 98.52%, pointing towards its capability to identify intricate interdependencies among entities such as malware, APT groups, and platforms. Anomaly detection and predictive analysis across the graph enriched the system's ability to detect new threats and suspicious patterns, even in underrepresented or changing attack situations. Cross-platform malware tracing and SHAP-based explainability guaranteed that the attributions were not only correct but also interpretable and actionable. The addition of graph-based relationships like attributed_to, targets, and detected_on provided semantic richness and real-world utility to the model. This effort provides a solid groundwork for developing future-generation cyber attribution systems that merge the capabilities of graph neural networks with threat intelligence and explainable AI.