Semantic Preprocessing for LLM-based Malware Analysis

TL;DR

This paper introduces a semantic preprocessing method for malware analysis that leverages expert knowledge to create interpretable JSON reports, enhancing AI model explainability and achieving high classification performance.

Contribution

It proposes a novel preprocessing approach that combines static and behavioral features with expert knowledge for improved malware semantic analysis.

Findings

Achieved a weighted-average F1-score of 0.94 on a complex dataset.

Enhanced AI model interpretability for malware classification.

Integrated expert knowledge into preprocessing for better feature representation.

Abstract

In a context of malware analysis, numerous approaches rely on Artificial Intelligence to handle a large volume of data. However, these techniques focus on data view (images, sequences) and not on an expert's view. Noticing this issue, we propose a preprocessing that focuses on expert knowledge to improve malware semantic analysis and result interpretability. We propose a new preprocessing method which creates JSON reports for Portable Executable files. These reports gather features from both static and behavioral analysis, and incorporate packer signature detection, MITRE ATT\&CK and Malware Behavior Catalog (MBC) knowledge. The purpose of this preprocessing is to gather a semantic representation of binary files, understandable by malware analysts, and that can enhance AI models' explainability for malicious files analysis. Using this preprocessing to train a Large Language Model for Malware classification, we achieve a weighted-average F1-score of 0.94 on a complex dataset, representative of market reality.