Evaluating Retrieval-Augmented Generation for Explainable Malware Analysis
Jayson Ng, Amin Milani Fard

TL;DR
This paper empirically evaluates whether Retrieval-Augmented Generation improves malware explanations from LLMs, finding that it often degrades quality by adding distracting or irrelevant information.
Contribution
The study challenges the assumption that RAG enhances malware explanation quality, showing it can be counterproductive when structured evidence suffices.
Findings
RAG frequently degrades explanation quality in malware analysis.
Structured security evidence often makes RAG unnecessary or harmful.
Malware explanation is better viewed as a signal-extraction task rather than knowledge retrieval.
Abstract
Large Language Models (LLMs) are increasingly being used as security engineering tools to summarize and explain malware behavior to analysts. A common assumption is that Retrieval-Augmented Generation (RAG) improves explanation quality by injecting external security knowledge. In this work, we empirically evaluate this assumption for malware explanation using VirusTotal reports as structured input. Across multiple LLMs, we find that RAG frequently degrades explanation quality by introducing distracting or weakly related context and adding narrative noise or generic write-ups. Our results highlight a practical risk in security-critical malware-explanation pipelines: RAG can be counterproductive when structured security evidence is already sufficient. We argue that malware explanation is primarily a signal-extraction task, not a knowledge-retrieval problem, and outline design…
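The signal-extraction framing in concrete form, as an added example that is not the authors' code or evaluation pipeline: a short Python routine reduces a VirusTotal-style file report to the few fields an analyst actually reasons from, renders them as a compact evidence block for a prompt, and admits retrieved context only when it references something in that evidence. The report and the retrieved snippets are constructed for the example; field names follow the public VirusTotal v3 file-object layout (data.attributes.last_analysis_stats, last_analysis_results, popular_threat_classification), while the hash, engine names and the "Sampleware" family label are made up.

```python
"""Distil a VirusTotal-style file report into compact evidence signals and
gate retrieved context on those signals.

Added illustration of the signal-extraction framing; not the paper's code.
Field names follow the public VirusTotal v3 file object; values are constructed.
"""
import re
from collections import Counter

# Constructed report: a handful of engine results stand in for the full list,
# so the per-engine dict is deliberately shorter than last_analysis_stats.
SAMPLE_REPORT = {
    "data": {
        "type": "file",
        "attributes": {
            "sha256": "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b",
            "type_description": "Win32 EXE",
            "names": ["invoice_2024.exe", "setup.exe"],
            "tags": ["peexe"],
            "last_analysis_stats": {
                "malicious": 41, "suspicious": 2, "undetected": 27,
                "harmless": 0, "timeout": 1,
            },
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "Trojan.Agent.Sampleware"},
                "EngineB": {"category": "malicious", "result": "Win32/Sampleware.A"},
                "EngineC": {"category": "malicious", "result": "Trojan.GenericKD.12345"},
                "EngineD": {"category": "undetected", "result": None},
                "EngineE": {"category": "malicious", "result": "Sampleware!gen"},
                "EngineF": {"category": "malicious", "result": "Trojan:Win32/Agent"},
            },
            "popular_threat_classification": {
                "suggested_threat_label": "trojan.agent/sampleware",
            },
        },
    }
}

# Vendor-label tokens that name a class of threat rather than a family.
GENERIC_TOKENS = {"trojan", "malware", "agent", "win32", "win64", "variant",
                  "malicious", "suspicious", "backdoor", "downloader"}


def _is_noise(tok: str) -> bool:
    return (len(tok) < 4 or tok.isdigit() or tok in GENERIC_TOKENS
            or tok.startswith(("generic", "heur")))


def extract_signals(report: dict) -> dict:
    """Reduce a report to the few fields an analyst actually reasons from."""
    attrs = report["data"]["attributes"]
    stats = attrs["last_analysis_stats"]
    total = sum(stats.values())
    # Only engines that flagged the file carry a label worth counting.
    labels = [r["result"] for r in attrs["last_analysis_results"].values()
              if r.get("category") == "malicious" and r.get("result")]
    families = Counter(
        tok for label in labels
        for tok in re.split(r"[^a-z0-9]+", label.lower()) if not _is_noise(tok))
    ptc = attrs.get("popular_threat_classification", {})
    return {
        "sha256": attrs["sha256"],
        "file_type": attrs.get("type_description"),
        "detection_ratio": f"{stats['malicious']}/{total}",
        "malicious_fraction": round(stats["malicious"] / total, 3) if total else 0.0,
        "suggested_label": ptc.get("suggested_threat_label"),
        "top_families": [t for t, _ in families.most_common(3)],
        "names": attrs.get("names", [])[:3],
        "tags": attrs.get("tags", []),
    }


def render_evidence(signals: dict) -> str:
    """Compact, line-oriented evidence block to place in the model prompt."""
    return "\n".join([
        f"sha256: {signals['sha256']}",
        f"file_type: {signals['file_type']}",
        f"detections: {signals['detection_ratio']} engines malicious",
        f"suggested_label: {signals['suggested_label']}",
        f"family_tokens: {', '.join(signals['top_families']) or 'none'}",
        f"observed_names: {', '.join(signals['names']) or 'none'}",
    ])


def filter_retrieved(signals: dict, chunks: list[str]) -> list[str]:
    """Admit a retrieved chunk only if it references something in the evidence.

    Context that never mentions the sample's family, hash prefix or observed
    file names is a generic write-up, not evidence about this sample.
    """
    anchors = set(signals["top_families"])
    anchors.update(n.lower() for n in signals["names"])
    anchors.add(signals["sha256"][:12])
    if signals["suggested_label"]:
        anchors.update(t for t in re.split(r"[^a-z0-9]+", signals["suggested_label"].lower())
                       if not _is_noise(t))
    return [c for c in chunks if any(a in c.lower() for a in anchors)]


# Constructed retrieval hits: two generic write-ups and one family-specific note.
RETRIEVED_CHUNKS = [
    "Trojans are a broad class of malware that masquerade as legitimate "
    "software and are commonly delivered by phishing email.",
    "Sampleware is a downloader family distributed through invoice-themed "
    "lures; it fetches a second stage after a short sleep.",
    "Ransomware encrypts files on the victim host and demands payment for "
    "the decryption key.",
]

if __name__ == "__main__":
    sig = extract_signals(SAMPLE_REPORT)
    print(render_evidence(sig))
    print("admitted context:", filter_retrieved(sig, RETRIEVED_CHUNKS))
```

Run against the constructed report, the gate keeps only the Sampleware note and drops the two generic write-ups, which is the kind of narrative noise the abstract describes. File-name anchors are only as specific as the names themselves (a hit on "setup.exe" says little), so in practice weight family tokens and hash prefixes above names when deciding what retrieved material reaches the model.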
