Prompt Engineering-assisted Malware Dynamic Analysis Using GPT-4

TL;DR

This paper introduces a novel malware detection approach that leverages GPT-4 for API call explanation and BERT for representation, resulting in improved generalization and detection performance across multiple datasets.

Contribution

The method uniquely combines GPT-4 prompt engineering with BERT to generate API call representations without dataset training, enhancing malware detection accuracy and generalization.

Findings

Outperforms state-of-the-art TextCNN in detection accuracy.

Achieves nearly 100% recall in malware detection.

Demonstrates strong generalization in cross-database and few-shot scenarios.

Abstract

Dynamic analysis methods effectively identify shelled, wrapped, or obfuscated malware, thereby preventing them from invading computers. As a significant representation of dynamic malware behavior, the API (Application Programming Interface) sequence, comprised of consecutive API calls, has progressively become the dominant feature of dynamic analysis methods. Though there have been numerous deep learning models for malware detection based on API sequences, the quality of API call representations produced by those models is limited. These models cannot generate representations for unknown API calls, which weakens both the detection performance and the generalization. Further, the concept drift phenomenon of API calls is prominent. To tackle these issues, we introduce a prompt engineering-assisted malware dynamic analysis using GPT-4. In this method, GPT-4 is employed to create explanatory text for each API call within the API sequence. Afterward, the pre-trained language model BERT is used to obtain the representation of the text, from which we derive the representation of the API sequence. Theoretically, this proposed method is capable of generating representations for all API calls, excluding the necessity for dataset training during the generation process. Utilizing the representation, a CNN-based detection model is designed to extract the feature. We adopt five benchmark datasets to validate the performance of the proposed model. The experimental results reveal that the proposed detection algorithm performs better than the state-of-the-art method (TextCNN). Specifically, in cross-database experiments and few-shot learning experiments, the proposed model achieves excellent detection performance and almost a 100% recall rate for malware, verifying its superior generalization performance. The code is available at: github.com/yan-scnu/Prompted_Dynamic_Detection.