Evaluating Retrieval-Augmented Generation for Explainable Malware Analysis
This work highlights a practical risk for security analysts relying on LLMs for malware explanation, showing that RAG can be counterproductive when structured evidence is sufficient.
The paper evaluates Retrieval-Augmented Generation (RAG) for malware explanation and finds that RAG frequently degrades explanation quality by introducing distracting context and narrative noise, contrary to the assumption that it improves quality.
Large Language Models (LLMs) are increasingly being used as security engineering tools to summarize and explain malware behavior to analysts. A common assumption is that Retrieval-Augmented Generation (RAG) improves explanation quality by injecting external security knowledge. In this work, we empirically evaluate this assumption for malware explanation using VirusTotal reports as structured input. Across multiple LLMs, we find that RAG frequently degrades explanation quality by introducing distracting or weakly related context and by adding narrative noise or generic write-ups. Our results highlight a practical risk in security-critical malware-explanation pipelines: RAG can be counterproductive when structured security evidence is already sufficient. We argue that malware explanation is primarily a signal-extraction task, not a knowledge-retrieval problem, and outline design recommendations for secure development workflows.