The use of digital infrastructures has increased cyber risks, with malware loaders becoming key routes for discreet payload distribution and proliferation. The growth of obfuscation techniques makes conventional detection methods difficult, stressing the necessity for more advanced procedures. A novel system that combines Large Language Models (LLMs) with Retrieval-Augmented Generation (RAG) improves Windows Malware Loader analysis. The framework analyzes API call sequences to identify key behavioral patterns (Injection, Persistence, and Command and Control (C2) Connections) and aligns them with the MITRE ATT&CK framework to comprehend attack methods. LLMs also automate YARA rule development, enhancing detection efficiency and adaptability while eliminating signature limitations. LLM hallucinations are reduced by RAG, enhancing detection reliability. Additionally, an Ontology-based model visualizes malware activities in a systematic manner, improving threat intelligence. Experimental results show the framework can examine complicated malware variants, demonstrating its potential to improve cybersecurity.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Windows Malware Loader Behaviour Analysis Based on API Calls with LLM and Ontology

  • Dang-Vinh Ta,
  • Phuong-Mai Nguyen,
  • Thai-Hoang Pham,
  • Thi-Ngan Nguyen,
  • Duc-Quy Vu,
  • Anh-Nhat Nguyen,
  • Manh-Duc Hoang

摘要

The use of digital infrastructures has increased cyber risks, with malware loaders becoming key routes for discreet payload distribution and proliferation. The growth of obfuscation techniques makes conventional detection methods difficult, stressing the necessity for more advanced procedures. A novel system that combines Large Language Models (LLMs) with Retrieval-Augmented Generation (RAG) improves Windows Malware Loader analysis. The framework analyzes API call sequences to identify key behavioral patterns (Injection, Persistence, and Command and Control (C2) Connections) and aligns them with the MITRE ATT&CK framework to comprehend attack methods. LLMs also automate YARA rule development, enhancing detection efficiency and adaptability while eliminating signature limitations. LLM hallucinations are reduced by RAG, enhancing detection reliability. Additionally, an Ontology-based model visualizes malware activities in a systematic manner, improving threat intelligence. Experimental results show the framework can examine complicated malware variants, demonstrating its potential to improve cybersecurity.