English

AsmRAG: LLM-Driven Malware Detection by Retrieving Functionally Similar Assembly Code

Cryptography and Security 2026-04-28 v1

Abstract

Deep learning malware detectors achieve high classification accuracy but suffer from severe interpretability limitations, typically returning probabilistic verdicts that lack forensic context. We introduce AsmRAG, a framework performing malware analysis through Assembly-Level Retrieval-Augmented Generation. Unlike classifiers built on global statistical features, AsmRAG reformulates detection as an evidence-based retrieval task. The system uses a code-specialized Large Language Model (LLM) to analyze assembly functions and convert them into semantic embeddings. This process constructs a searchable knowledge base resilient to syntactic obfuscation. For inference, we propose a Density-Weighted Anchor Selection mechanism that isolates the primary unit of malicious logic within a binary to extract verifiable forensic evidence and resist evasion attempts. Testing on a curated dataset of 40k binaries shows AsmRAG reaching a detection F1-score of 96% alongside a family attribution F1-score of 95%. Comparisons confirm this semantic retrieval approach remains robust against metamorphic obfuscation. When holistic baselines (EMBER and ResNeXt) degrade, our methodology gives Security Operations Centers a transparent and reliable alternative.

Keywords

Cite

@article{arxiv.2604.23196,
  title  = {AsmRAG: LLM-Driven Malware Detection by Retrieving Functionally Similar Assembly Code},
  author = {ElMouatez Billah Karbab},
  journal= {arXiv preprint arXiv:2604.23196},
  year   = {2026}
}
R2 v1 2026-07-01T12:34:55.279Z