Assessing LLMs in Malicious Code Deobfuscation of Real-world Malware Campaigns (2404.19715v1)
Abstract: The integration of LLMs into various pipelines is increasingly widespread, effectively automating many manual tasks and often surpassing human capabilities. Cybersecurity researchers and practitioners have recognised this potential and are actively exploring its applications, given the vast volume of heterogeneous data that must be processed to identify anomalies, potential bypasses, attacks, and fraudulent incidents. On top of this, LLMs' advanced capabilities in generating functional code, comprehending code context, and summarising its operations can also be leveraged for reverse engineering and malware deobfuscation. To this end, we delve into the deobfuscation capabilities of state-of-the-art LLMs. Rather than merely discussing a hypothetical scenario, we evaluate four LLMs on real-world malicious scripts used in the notorious Emotet malware campaign. Our results indicate that, while not yet perfectly accurate, some LLMs can efficiently deobfuscate such payloads. Thus, fine-tuning LLMs for this task is a viable option for future AI-powered threat intelligence pipelines in the fight against obfuscated malware.
Authors: Constantinos Patsakis, Fran Casino, Nikolaos Lykousas