Accuracy and Efficiency Trade-Offs in LLM-Based Malware Detection and Explanation: A Comparative Study of Parameter Tuning vs. Full Fine-Tuning

TL;DR

This paper compares parameter tuning and full fine-tuning of LLMs for malware detection, showing LoRA fine-tuning offers a resource-efficient alternative with competitive explanation quality.

Contribution

It introduces an evaluation framework for explanation quality and demonstrates LoRA fine-tuning's effectiveness in balancing accuracy, interpretability, and resource use in malware detection.

Findings

Full fine-tuning outperforms LoRA in overall scores by up to 10%.

Mid-range LoRA models outperform full fine-tuning on two metrics.

LoRA reduces model size by 81% and training time by over 80%.

Abstract

This study examines whether Low-Rank Adaptation (LoRA) fine-tuned Large Language Models (LLMs) can approximate the performance of fully fine-tuned models in generating human-interpretable decisions and explanations for malware classification. Achieving trustworthy malware detection, particularly when LLMs are involved, remains a significant challenge. We developed an evaluation framework using Bilingual Evaluation Understudy (BLEU), Recall-Oriented Understudy for Gisting Evaluation (ROUGE), and Semantic Similarity Metrics to benchmark explanation quality across five LoRA configurations and a fully fine-tuned baseline. Results indicate that full fine-tuning achieves the highest overall scores, with BLEU and ROUGE improvements of up to 10% over LoRA variants. However, mid-range LoRA models deliver competitive performance exceeding full fine-tuning on two metrics while reducing model size by approximately 81% and training time by over 80% on a LoRA model with 15.5% trainable parameters. These findings demonstrate that LoRA offers a practical balance of interpretability and resource efficiency, enabling deployment in resource-constrained environments without sacrificing explanation quality. By providing feature-driven natural language explanations for malware classifications, this approach enhances transparency, analyst confidence, and operational scalability in malware detection systems.