English

Semantic Preprocessing for LLM-based Malware Analysis

Cryptography and Security 2025-10-06 v4 Artificial Intelligence

Abstract

In a context of malware analysis, numerous approaches rely on Artificial Intelligence to handle a large volume of data. However, these techniques focus on data view (images, sequences) and not on an expert's view. Noticing this issue, we propose a preprocessing that focuses on expert knowledge to improve malware semantic analysis and result interpretability. We propose a new preprocessing method which creates JSON reports for Portable Executable files. These reports gather features from both static and behavioral analysis, and incorporate packer signature detection, MITRE ATT\&CK and Malware Behavior Catalog (MBC) knowledge. The purpose of this preprocessing is to gather a semantic representation of binary files, understandable by malware analysts, and that can enhance AI models' explainability for malicious files analysis. Using this preprocessing to train a Large Language Model for Malware classification, we achieve a weighted-average F1-score of 0.94 on a complex dataset, representative of market reality.

Keywords

Cite

@article{arxiv.2506.12113,
  title  = {Semantic Preprocessing for LLM-based Malware Analysis},
  author = {Benjamin Marais and Tony Quertier and Grégoire Barrue},
  journal= {arXiv preprint arXiv:2506.12113},
  year   = {2025}
}
R2 v1 2026-07-01T03:16:49.478Z