Feasibility Study for Supporting Static Malware Analysis Using LLM
Shota Fujii, Rei Yamagishi

TL;DR
This study explores the potential of large language models to assist static malware analysis by evaluating their explanation accuracy and practical usability through experiments with cybersecurity analysts.
Contribution
It demonstrates the feasibility of using LLMs to support static malware analysis, highlighting their explanation capabilities and practical applicability in cybersecurity tasks.
Findings
LLMs can generate malware function descriptions with up to 90.9% accuracy.
Static analysts found LLM explanations practically useful.
Identified challenges and future research directions for LLM-assisted static analysis.
Abstract
Large language models (LLMs) are becoming more advanced and widespread and have shown their applicability to various domains, including cybersecurity. Static malware analysis is one of the most important tasks in cybersecurity; however, it is time-consuming and requires a high level of expertise. Therefore, we conducted a demonstration experiment focusing on whether an LLM can be used to support static analysis. First, we evaluated the ability of the LLM to explain malware functionality. The results showed that the LLM can generate descriptions that cover functions with an accuracy of up to 90.9%. In addition, we asked six static analysts to perform a pseudo static analysis task using LLM explanations to verify that the LLM can be used in practice. Through subsequent questionnaires and interviews with the participants, we also demonstrated the practical applicability of LLMs. Lastly,…
Taxonomy
Topics: Advanced Malware Detection Techniques · Digital and Cyber Forensics · Network Security and Intrusion Detection
