Efficient Code Analysis via Graph-Guided Large Language Models
Hang Gao, Tao Peng, Baoquan Cui, Hong Huang, Fengge Wu, Junsuo Zhao, Jian Zhang
TL;DR
The paper tackles the difficulty of detecting malicious code in large codebases by decoupling the process into a graph-guided attention pipeline. It builds a code graph from Python ASTs, uses a GNN trained with sparse, rule-based features to identify influential regions, and then uses those regions to guide an LLM for focused, explainable analysis. The approach yields superior malicious-code detection and richer, more trustworthy descriptions across multiple datasets, while substantially reducing LLM token usage and computational costs. This graph-centric framework demonstrates practical potential for securing package ecosystems like PyPI by enabling efficient, scalable malware analysis with explainable outcomes.
Abstract
Malicious behavior is often hidden in small, easily overlooked code fragments, especially within large and complex codebases. The cross-file dependencies of these fragments make it difficult for even powerful large language models (LLMs) to detect them reliably. We propose a graph-centric attention acquisition pipeline that enhances LLMs' ability to localize malicious behavior. The approach parses a project into a code graph, uses an LLM to encode nodes with semantic and structural signals, and trains a Graph Neural Network (GNN) under sparse supervision. The GNN performs an initial detection, and through backtracking of its predictions, identifies key code sections that are most likely to contain malicious behavior. These influential regions are then used to guide the LLM's attention for in-depth analysis. This strategy significantly reduces interference from irrelevant context while maintaining low annotation costs. Extensive experiments show that the method consistently outperforms existing methods on multiple public and self-built datasets, highlighting its potential for practical deployment in software security scenarios.
