In this paper, we propose XG-BoT, an explainable deep graph neural network
model, for botnet node detection. The proposed model is composed of a botnet
detector and an explainer for automatic forensics. The XG-BoT detector can
effectively detect malicious botnet nodes under large-scale networks.
Specifically, it utilises a grouped reversible residual connection with a graph
isomorphism network to learn expressive node representations from the botnet
communication graphs. The explainer, which is based on the GNNExplainer and
saliency map in XG-BoT, can perform automatic network forensics by highlighting
suspicious network flows and related botnet nodes. We evaluated XG-BoT based on
real-world, large-scale botnet network graph datasets. Overall, XG-BoT is able
to outperform the state-of-the-art approaches in terms of the key evaluation
metrics. In addition, we show that the XG-BoT explainers can generate useful
explanations for automatic network forensics.