Automated Malware Family Classification using Weighted Hierarchical Ensembles of Large Language Models
Samita Bai, Hamed Jelodar, Tochukwu Emmanuel Nwankwo, Parisa Hamedi, Mohammad Meymani, Roozbeh Razavi-Far, Ali A. Ghorbani

TL;DR
This paper introduces a zero-label malware classification method using a hierarchical ensemble of pretrained large language models that aggregates decision-level predictions to improve robustness and scalability.
Contribution
It proposes a novel weighted hierarchical ensemble framework of LLMs for malware classification without relying on labeled data or feature engineering.
Findings
Ensemble approach improves classification robustness.
Hierarchical structure enhances decision accuracy.
Method outperforms traditional supervised models.
Abstract
Malware family classification remains a challenging task in automated malware analysis, particularly in real-world settings characterized by obfuscation, packing, and rapidly evolving threats. Existing machine learning and deep learning approaches typically depend on labeled datasets, handcrafted features, supervised training, or dynamic analysis, which limits their scalability and effectiveness in open-world scenarios. This paper presents a zero-label malware family classification framework based on a weighted hierarchical ensemble of pretrained large language models (LLMs). Rather than relying on feature-level learning or model retraining, the proposed approach aggregates decision-level predictions from multiple LLMs with complementary reasoning strengths. Model outputs are weighted using empirically derived macro-F1 scores and organized hierarchically, first resolving…
