Rethinking and Exploring String-Based Malware Family Classification in the Era of LLMs and RAG
This work addresses automated sample labeling for platforms like VirusTotal and MalwareBazaar, but it is incremental as it adapts existing string features to new methods.
The paper tackles malware family classification by exploring traditional binary string features in the context of LLMs and RAG, achieving relative improvements from 8.1% to 120% across modules in a framework with 4,347 samples from 67 families.
Malware family classification aims to identify the specific family (e.g., GuLoader or BitRAT) a malware sample may belong to, in contrast to malware detection or sample classification, which only predicts a Yes/No outcome. Accurate family identification can greatly facilitate automated sample labeling and understanding on crowdsourced malware analysis platforms such as VirusTotal and MalwareBazaar, which generate vast amounts of data daily. In this paper, we explore and assess the feasibility of using traditional binary string features for family classification in the new era of large language models (LLMs) and Retrieval-Augmented Generation (RAG). Specifically, we investigate how Family-Specific String (FSS) features can be utilized in a manner similar to RAG to facilitate family classification. To this end, we develop a curated evaluation framework covering 4,347 samples from 67 malware families, extract and analyze over 25 million strings, and conduct detailed ablation studies to assess the impact of different design choices in four major modules, with each providing a relative improvement ranging from 8.1% to 120%.
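As an added, simplified illustration (not the paper's code and not its exact FSS definition), the following Python builds a Family-Specific String index from a small constructed corpus of labelled byte blobs and uses it as the retrieval step for labelling an unknown sample. The family names come from the abstract; the string contents, the support threshold and the cross-family dilution weighting are assumptions made for this example.

```python
from __future__ import annotations
import re
from collections import Counter, defaultdict

# Constructed corpus: byte blobs standing in for binaries, labelled by family.
# Family names are from the abstract; every string inside the blobs is made up.
TRAIN = {
    "GuLoader": [
        b"\x00\x00MZ\x90\x00GuLoaderStage2\x00Stage2Fetch\x00kernel32.dll\x00",
        b"\x7fELF\x00GuLoaderStage2\x00CloudHostFetch\x00kernel32.dll\x00",
    ],
    "BitRAT": [
        b"\x00BitRATClient\x00persist_key\x00kernel32.dll\x00",
        b"\x00BitRATClient\x00net_beacon\x00kernel32.dll\x00",
    ],
}

def extract_strings(blob: bytes, min_len: int = 4) -> set[str]:
    """Printable-ASCII runs of at least min_len bytes (the classic `strings` heuristic)."""
    return {m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)}

def build_fss_index(train: dict[str, list[bytes]], min_support: float = 0.5) -> dict[str, dict[str, float]]:
    """Family-Specific Strings: keep strings seen in >= min_support of a family's samples,
    and divide their weight by the number of families they occur in (assumed scoring)."""
    per_family = {fam: Counter(s for blob in blobs for s in extract_strings(blob))
                  for fam, blobs in train.items()}
    families_with = Counter(s for counts in per_family.values() for s in counts)
    index: dict[str, dict[str, float]] = defaultdict(dict)
    for fam, counts in per_family.items():
        n = len(train[fam])
        for s, c in counts.items():
            support = c / n
            if support >= min_support:
                index[fam][s] = support / families_with[s]  # e.g. kernel32.dll is diluted
    return dict(index)

def classify(blob: bytes, index: dict[str, dict[str, float]]) -> list[tuple[str, float]]:
    """Retrieval step: score each family by the FSS weight its strings share with the sample."""
    strings = extract_strings(blob)
    scores = {fam: sum(w for s, w in fss.items() if s in strings) for fam, fss in index.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

def predict(blob: bytes, index: dict[str, dict[str, float]], min_margin: float = 0.5) -> str | None:
    """Label only when the top family clearly beats the runner-up; otherwise None (unknown)."""
    ranked = classify(blob, index)
    if not ranked or ranked[0][1] == 0:
        return None
    runner_up = ranked[1][1] if len(ranked) > 1 else 0.0
    return ranked[0][0] if ranked[0][1] - runner_up >= min_margin else None
```

Samples that match only strings shared across families (here `kernel32.dll`) end in a tie and are left unlabelled rather than forced into a family.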