
Dynamic Malware Analysis using LLMs


Project Details

Program: Computer Science
Field of Study: Cybersecurity
Division: Computer, Electrical and Mathematical Sciences and Engineering

Project Description

The increasing complexity of malware highlights the need for advanced analysis tools, both static and dynamic, for effective reverse engineering and behavioral analysis of a given sample. While static methods such as disassembly and code review remain crucial, many malware samples use packers and obfuscation techniques that necessitate memory captures and dynamic analysis [Dynamic, 2012]. Similarly, hooking system and API calls at lower levels provides a more comprehensive view of a program's true behavior and enables analysts to capture the transient execution stages of multi-layered malware. Large language models (LLMs) such as Llama 3, GPT-4, and Gemini can interpret assembly instructions, reconstruct probable software behaviors, and produce intuitive summaries of code functionality. However, these LLMs require domain-specific adaptation, typically known as fine-tuning, to capture the nuances of metamorphic transformations, which often incorporate custom encryption or code permutation routines. In this line of research, we collaborate with Prof. Ali Hassan to advance the state of the art in malware analysis by designing an integrated solution that combines dynamic instrumentation, multi-run analysis, and LLM-driven annotations for effective deobfuscation and analysis of malware. Tasks can involve (1) expediting analysis by systematically intercepting anti-analysis routines, uncovering hidden code paths, and de-obfuscating or decrypting each layer of the malware; (2) leveraging frameworks such as Angr, an open-source symbolic execution engine, and the Qiling emulation environment to intercept system calls and analyze binaries for vulnerabilities, hidden logic, or malware execution paths; and (3) building a fine-tuned LLM that augments the process by providing real-time suggestions for handling anti-virtualization and anti-debugging logic, revealing new code segments as they are decrypted, and ultimately generating a high-level analysis of the malware's functionality.

[Dynamic, 2012] Sikorski, M. and Honig, A. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software. No Starch Press, 2012.

About the Researcher

Ali Shoker
Research Associate Professor and Head of Cyber Security and Resilience Technology (CyberSaR), KAUST
Computer, Electrical and Mathematical Sciences and Engineering (CEMSE) Division

Desired Project Deliverables

The objectives of the project will be to: explore state-of-the-art research and practice together with PhD students and researchers; help define and solve a problem conceptually; implement a proof-of-concept solution with evaluation/simulation; and contribute to and coauthor a scientific paper. More details can be shared and defined after admission and specific topic selection.

Recommended Student Background

Cybersecurity
Malware Analysis
AI
