Scientific production articles, Enginyeria Informàtica i Matemàtiques

Assessing LLMs in malicious code deobfuscation of real-world malware campaigns

  • Identification data

    Identifier:  imarina:9379058
    Authors:  Patsakis, Constantinos; Casino, Fran; Lykousas, Nikolaos
    Abstract:
    The integration of large language models (LLMs) into various cybersecurity pipelines has become increasingly prevalent, enabling the automation of numerous manual tasks and often surpassing human performance. Recognising this potential, cybersecurity researchers and practitioners are actively investigating the application of LLMs to process vast volumes of heterogeneous data for anomaly detection, potential bypass identification, attack mitigation, and fraud prevention. Moreover, LLMs' advanced capabilities in generating functional code, interpreting code context, and code summarisation present significant opportunities for reverse engineering and malware deobfuscation. In this work, we comprehensively examine the deobfuscation capabilities of state-of-the-art LLMs. Specifically, we conducted a detailed evaluation of four prominent LLMs using real-world malicious scripts from the notorious Emotet malware campaign. Our findings reveal that while current LLMs are not yet perfectly accurate, they demonstrate substantial potential in efficiently deobfuscating payloads. This study highlights the importance of fine-tuning LLMs for specialised tasks, suggesting that such optimisation could pave the way for future AI-powered threat intelligence pipelines to combat obfuscated malware. Our contributions include a thorough analysis of LLM performance in malware deobfuscation, identifying strengths and limitations, and discussing the potential for integrating LLMs into cybersecurity frameworks for enhanced threat detection and mitigation. Our experiments illustrate that LLMs can automatically and accurately extract the necessary indicators of compromise from a real-world campaign with an accuracy of 69.56% and 88.78% for the URLs and the corresponding domains of the droppers, respectively.
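    The abstract reports two different accuracies for the same extraction task: 69.56% for dropper URLs and 88.78% for their domains. The gap is expected, since a URL the model gets slightly wrong (a truncated path, the wrong scheme) still yields the correct domain, so domain-level scoring is the more lenient of the two. The following scorer is an added illustration of that distinction and is not code from the paper; the ground-truth URLs, the model output, and the `.test` hosts are all constructed placeholders, not Emotet infrastructure, and the accuracy definition (recall over the analyst's ground truth) is an assumption about how such a comparison would be set up.

```python
"""Score LLM-extracted IoCs at URL level and at domain level.

Added example, not the paper's code. All URLs below are constructed
placeholders under the reserved .test TLD; none are real indicators.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed ground truth: dropper URLs an analyst recovered by hand.
GROUND_TRUTH = [
    "http://example-one.test/wp-content/abc123/",
    "http://example-two.test/images/pay.exe",
    "https://example-three.test/cgi-bin/x7/",
    "http://example-four.test/old/lk9/",
    "http://example-five.test/uploads/p/",
]

# Constructed model output: two exact hits, two near misses that keep the
# right host, one ground-truth URL missed entirely, and one hallucination.
LLM_OUTPUT = [
    "http://example-one.test/wp-content/abc123/",   # exact match
    "http://example-two.test/images/pay.ex",        # path truncated
    "http://example-three.test/cgi-bin/x7/",        # wrong scheme, right host
    "http://example-five.test/uploads/p/",          # exact match
    "http://not-in-sample.test/a/",                 # not in the ground truth
]


def normalize_url(url: str) -> str:
    """Canonical form used for exact URL comparison: lower-cased scheme and
    host, path kept as-is (paths on droppers are usually case-sensitive)."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return f"{parts.scheme.lower()}://{host}{path}"


def domain_of(url: str) -> str:
    """Host component only; this is what a domain-level score compares."""
    return (urlsplit(url.strip()).hostname or "").lower()


@dataclass(frozen=True)
class Score:
    url_accuracy: float      # share of ground-truth URLs recovered exactly
    domain_accuracy: float   # share of ground-truth domains recovered
    hallucinated: int        # extracted domains absent from the ground truth


def score_iocs(truth: list[str], extracted: list[str]) -> Score:
    """Recall-style accuracy at both granularities, plus a false-positive
    count that a recall-only figure would hide."""
    truth_urls = {normalize_url(u) for u in truth}
    got_urls = {normalize_url(u) for u in extracted}
    truth_domains = {domain_of(u) for u in truth}
    got_domains = {domain_of(u) for u in extracted}

    url_hits = len(truth_urls & got_urls)
    domain_hits = len(truth_domains & got_domains)
    hallucinated = len(got_domains - truth_domains)
    return Score(
        url_accuracy=url_hits / len(truth_urls),
        domain_accuracy=domain_hits / len(truth_domains),
        hallucinated=hallucinated,
    )


if __name__ == "__main__":
    s = score_iocs(GROUND_TRUTH, LLM_OUTPUT)
    print(f"URL accuracy:    {s.url_accuracy:.2%}")
    print(f"Domain accuracy: {s.domain_accuracy:.2%}")
    print(f"Hallucinated domains: {s.hallucinated}")
```

    On the constructed sample the URL-level score is 40% while the domain-level score is 80%, the same direction as the paper's 69.56% versus 88.78%. The hallucinated count is reported separately because an accuracy computed over the ground truth says nothing about indicators the model invented, and those are the ones that do damage if the output is pushed straight into a blocklist.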
  • Other:

    Link to original source: https://www.sciencedirect.com/science/article/pii/S0957417424017792?via%3Dihub
    APA reference: Patsakis, Constantinos; Casino, Fran; Lykousas, Nikolaos (2024). Assessing LLMs in malicious code deobfuscation of real-world malware campaigns. Expert Systems With Applications, 256, 124912. DOI: 10.1016/j.eswa.2024.124912
    Reference as given by the original source: Expert Systems With Applications, 256, 124912
    Article DOI: 10.1016/j.eswa.2024.124912
    Year of publication: 2024
    Institution: Universitat Rovira i Virgili
    Deposited version: info:eu-repo/semantics/publishedVersion
    Record creation date: 2025-02-18
    URV author(s): Casino Cembellín, Francisco José
    Department: Enginyeria Informàtica i Matemàtiques
    License document URL: https://repositori.urv.cat/ca/proteccio-de-dades/
    Publication type: Journal Publications
    Authors as listed in the article: Patsakis, Constantinos; Casino, Fran; Lykousas, Nikolaos
    Usage license: https://creativecommons.org/licenses/by/3.0/es/
    Subject areas: Public and business administration, accounting and tourism; Administration, accounting and tourism; Architecture, urban planning and design; Artificial intelligence; Astronomy / physics; Biodiversity; Biotechnology; Computer science; Agricultural sciences I; Environmental sciences; Biological sciences I; Biological sciences II; Biological sciences III; Applied social sciences I; Computer science applications; Computer science, artificial intelligence; Law; Economics; Education; Nursing; Engineering I; Engineering II; Engineering III; Engineering IV; Engineering (all); Engineering (miscellaneous); Engineering, electrical & electronic; Pharmacy; General engineering; Geosciences; Interdisciplinary; Mathematics / probability and statistics; Materials; Medicine I; Medicine II; Medicine III; Operations research & management science; Chemistry
    Author's email address: franciscojose.casino@urv.cat
  • Keywords:

    Code deobfuscation
    Cybersecurity
    Large language models
    Malware analysis
    Artificial Intelligence
    Computer Science Applications
    Computer Science
    Engineering (Miscellaneous)
    Engineering, Electrical & Electronic
    Operations Research & Management Science
    Public and business administration, accounting and tourism
    Administration, accounting and tourism
    Architecture, urban planning and design
    Astronomy / physics
    Biodiversity
    Biotechnology
    Agricultural sciences I
    Environmental sciences
    Biological sciences I
    Biological sciences II
    Biological sciences III
    Applied social sciences I
    Law
    Economics
    Education
    Nursing
    Engineering I
    Engineering II
    Engineering III
    Engineering IV
    Engineering (all)
    Pharmacy
    General engineering
    Geosciences
    Interdisciplinary
    Mathematics / probability and statistics
    Materials
    Medicine I
    Medicine II
    Medicine III
    Chemistry
  • Documents:
