Rethinking and Exploring String-Based Malware Family Classification in the Era of LLMs and RAG
Yufan Chen, Daoyuan Wu, Juantao Zhong, Zicheng Zhang, Debin Gao, Shuai Wang, Yingjiu Li, Ning Liu, Jiachi Chen, Rocky K. C. Chang
TL;DR
This work revisits string-based malware family classification in the era of LLMs and retrieval-augmented reasoning by defining Family-Specific Strings (FSS) and building a modular four-stage pipeline: extraction, vector database construction, test-time observation-point selection, and inference. Through a large-scale empirical study on 4,347 samples across 67 families, it demonstrates that static strings alone miss semantic content, while hybrid static-dynamic extraction substantially improves accuracy for obfuscated families. The study shows that LLM-driven semantic filtering and clustering of features enhance retrieval quality, and vector-based scoring generally outperforms fine-tuned LLM reasoning, though a hybrid approach may combine the strengths of both. These findings offer a scalable, interpretable path for leveraging string artifacts in malware classification, with implications for crowdsourced analysis platforms and threat intelligence workflows.
Abstract
Malware family classification aims to identify the specific family (e.g., GuLoader or BitRAT) a malware sample may belong to, in contrast to malware detection or sample classification, which only predicts a Yes/No outcome. Accurate family identification can greatly facilitate automated sample labeling and understanding on crowdsourced malware analysis platforms such as VirusTotal and MalwareBazaar, which generate vast amounts of data daily. In this paper, we explore and assess the feasibility of using traditional binary string features for family classification in the new era of large language models (LLMs) and Retrieval-Augmented Generation (RAG). Specifically, we investigate how Family-Specific String (FSS) features can be utilized in a manner similar to RAG to facilitate family classification. To this end, we develop a curated evaluation framework covering 4,347 samples from 67 malware families, extract and analyze over 25 million strings, and conduct detailed ablation studies to assess the impact of different design choices in four major modules, with each providing a relative improvement ranging from 8.1% to 120%.
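To make the four-stage idea concrete, here is an added toy example that is not the paper's code, pipeline or data. It mimics the static part of stage 1 with a `strings`-style printable-ASCII extractor, builds per-family weighted vectors for stage 2, uses inverse family frequency as a crude stand-in for the paper's LLM-driven filtering of generic strings, and scores a query sample by cosine similarity as a minimal form of vector-based scoring (stage 4). The two "families" and their byte blobs are constructed for illustration only, and the `min_margin` abstention rule is an assumption added here so that a sample carrying nothing but generic strings is reported as unknown instead of being forced into a family.

```python
import math
import re
from collections import Counter

MIN_LEN = 4
# Runs of printable ASCII of at least MIN_LEN bytes: the same static heuristic
# the `strings` tool uses. Purely static, so obfuscated payloads yield little.
_STRING_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)


def extract_strings(blob: bytes) -> list[str]:
    """Stage 1 (static only): pull printable-ASCII runs from a binary blob."""
    return [m.decode("ascii") for m in _STRING_RE.findall(blob)]


# Constructed toy corpus: two fictional families, two tiny blobs each.
# Not real samples; the tokens merely stand in for strings a binary might carry.
CORPUS = {
    "famA": [
        b"MZ\x90\x00kernel32.dll\x00GetProcAddress\x00loader.vbs\x00cmd /c start\x00",
        b"MZ\x90\x00kernel32.dll\x00GetProcAddress\x00loader.vbs\x00%TEMP%\\a.exe\x00",
    ],
    "famB": [
        b"MZ\x90\x00kernel32.dll\x00GetProcAddress\x00CreateRemoteThread\x00"
        b"session.dat\x00screenshot.bmp\x00",
        b"MZ\x90\x00kernel32.dll\x00GetProcAddress\x00CreateRemoteThread\x00"
        b"session.dat\x00upload.php\x00",
    ],
}


def build_family_vectors(corpus):
    """Stage 2: one weighted string vector per family.

    weight = (fraction of the family's samples containing the string) * IDF,
    where IDF is computed over families. Strings present in every family
    (kernel32.dll, GetProcAddress) get weight 1.0; family-unique strings get more.
    Returns (vectors, idf, df) so callers can inspect which strings are specific.
    """
    per_family = {fam: Counter() for fam in corpus}
    for fam, blobs in corpus.items():
        for blob in blobs:
            per_family[fam].update(set(extract_strings(blob)))  # presence, not count
    df = Counter()
    for cnt in per_family.values():
        df.update(cnt.keys())
    n_fam = len(corpus)
    idf = {s: math.log((1 + n_fam) / (1 + d)) + 1.0 for s, d in df.items()}
    vectors = {
        fam: {s: (c / len(corpus[fam])) * idf[s] for s, c in cnt.items()}
        for fam, cnt in per_family.items()
    }
    return vectors, idf, df


def family_specific_strings(vectors, df):
    """Strings that occur in exactly one family: the toy analogue of FSS."""
    return {fam: {s for s in vec if df[s] == 1} for fam, vec in vectors.items()}


def _cosine(a, b):
    dot = sum(w * b[s] for s, w in a.items() if s in b)
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def classify(blob, vectors, idf, min_margin=0.2):
    """Stage 4: vector-based scoring of an unseen sample.

    Returns (label, ranked). label is "unknown" when the best family does not
    beat the runner-up by min_margin (assumed abstention rule, see lead-in).
    """
    query = {s: idf[s] for s in set(extract_strings(blob)) if s in idf}
    ranked = sorted(((fam, _cosine(query, vec)) for fam, vec in vectors.items()),
                    key=lambda kv: kv[1], reverse=True)
    if not ranked or ranked[0][1] == 0.0:
        return "unknown", ranked
    runner_up = ranked[1][1] if len(ranked) > 1 else 0.0
    label = ranked[0][0] if ranked[0][1] - runner_up >= min_margin else "unknown"
    return label, ranked


if __name__ == "__main__":
    vectors, idf, df = build_family_vectors(CORPUS)
    print("family-specific strings:", family_specific_strings(vectors, df))
    unseen = b"\x00kernel32.dll\x00GetProcAddress\x00loader.vbs\x00cmd /c start\x00"
    print(classify(unseen, vectors, idf))
    generic_only = b"kernel32.dll\x00GetProcAddress\x00"
    print(classify(generic_only, vectors, idf))
```

The second query illustrates the abstract's point that static strings alone can be uninformative: a sample exposing only loader boilerplate scores similarly against every family, so the margin rule returns "unknown" rather than a confident but baseless label.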
