Rethinking and Exploring String-Based Malware Family Classification in the Era of LLMs and RAG
Yufan Chen, Daoyuan Wu, Juantao Zhong, Zicheng Zhang, Debin Gao, Shuai Wang, Yingjiu Li, Ning Liu, Jiachi Chen, Rocky K. C. Chang

TL;DR
This paper investigates the use of string-based features for malware family classification, leveraging LLMs and RAG techniques to improve accuracy and understanding in large-scale malware analysis.
Contribution
It introduces a novel approach using Family-Specific String features with RAG-like methods for malware classification, supported by a comprehensive evaluation framework.
Findings
Achieved up to 120% relative improvement in classification accuracy.
Analyzed over 25 million strings from 4,347 samples across 67 families.
Identified key design choices impacting model performance.
Abstract
Malware family classification aims to identify the specific family (e.g., GuLoader or BitRAT) a malware sample may belong to, in contrast to malware detection or sample classification, which only predicts a Yes/No outcome. Accurate family identification can greatly facilitate automated sample labeling and understanding on crowdsourced malware analysis platforms such as VirusTotal and MalwareBazaar, which generate vast amounts of data daily. In this paper, we explore and assess the feasibility of using traditional binary string features for family classification in the new era of large language models (LLMs) and Retrieval-Augmented Generation (RAG). Specifically, we investigate how Family-Specific String (FSS) features can be utilized in a manner similar to RAG to facilitate family classification. To this end, we develop a curated evaluation framework covering 4,347 samples from 67…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Cybercrime and Law Enforcement Studies
