AsmRAG: LLM-Driven Malware Detection by Retrieving Functionally Similar Assembly Code
For Security Operations Centers, AsmRAG provides a transparent and reliable malware detection alternative that resists obfuscation, unlike black-box classifiers.
AsmRAG reformulates malware detection as an evidence-based retrieval task using assembly-level retrieval-augmented generation, achieving a detection F1-score of 96% and family attribution F1-score of 95% on a 40k binary dataset, while remaining robust against metamorphic obfuscation.
Deep learning malware detectors achieve high classification accuracy but suffer from severe interpretability limitations, typically returning probabilistic verdicts that lack forensic context. We introduce AsmRAG, a framework performing malware analysis through Assembly-Level Retrieval-Augmented Generation. Unlike classifiers built on global statistical features, AsmRAG reformulates detection as an evidence-based retrieval task. The system uses a code-specialized Large Language Model (LLM) to analyze assembly functions and convert them into semantic embeddings. This process constructs a searchable knowledge base resilient to syntactic obfuscation. For inference, we propose a Density-Weighted Anchor Selection mechanism that isolates the primary unit of malicious logic within a binary to extract verifiable forensic evidence and resist evasion attempts. Testing on a curated dataset of 40k binaries shows AsmRAG reaching a detection F1-score of 96% alongside a family attribution F1-score of 95%. Comparisons confirm this semantic retrieval approach remains robust against metamorphic obfuscation. When holistic baselines (EMBER and ResNeXt) degrade, our methodology gives Security Operations Centers a transparent and reliable alternative.