计算机科学

计算机科学 ›› 2025, Vol. 52 ›› Issue (11): 40-48.doi: 10.11896/jsjkx.241100118

• 大语言模型技术研究及应用 • 上一篇    下一篇

Instruct-Malware:基于控制流图的大型语言模型恶意软件分析

周昱辰1, 李鹏1,2, 韩科技1,2   

  1. 1 南京邮电大学计算机学院 南京 210023
    2 南京邮电大学网络安全和可信计算研究所 南京 210023
  • 收稿日期:2024-11-20 修回日期:2025-03-18 出版日期:2025-11-15 发布日期:2025-11-06
  • 通讯作者: 李鹏(lipeng@njupt.edu.cn)
  • 作者简介:(zyc1715385293@163.com)
  • 基金资助:
    江苏省六大人才高峰高层次人才项目(RJFW-111);江苏省研究生科研与实践创新计划项目(KYCX24_1227,KYCX23_1048)

Instruct-Malware:Control Flow Graph Based Large Language Model Analysis of Malware

ZHOU Yuchen1, LI Peng1,2, HAN Keji1,2   

  1. 1 School of Computer Science,Nanjing University of Posts and Telecommunications,Nanjing 210023,China
    2 Institute of Network Security and Trusted Computing,Nanjing University of Posts and Telecommunications,Nanjing 210023,China
  • Received:2024-11-20 Revised:2025-03-18 Online:2025-11-15 Published:2025-11-06
  • About author:ZHOU Yuchen,born in 2000,postgra-duate.His main research interests include malicious code analysis and multimodal large language models.
    LI Peng,born in 1979,Ph.D,professor,Ph.D supervisor,is a member of CCF(No.48573M).His main research interests include computer communication networks,cloud computing and information security.
  • Supported by:
    Six Talent Peaks Project of Jiangsu Province(RJFW-111) and Postgraduate Research and Practice Innovation Program of Jiangsu Province(KYCX24_1227,KYCX23_1048).

PDF (PC)

31

摘要: 恶意软件检测与分类面临复杂性和隐蔽性的挑战。图神经网络(Graph Neural Networks,GNNs)虽能有效建模控制流图,提升行为模式捕捉精度,但其“黑盒”特性限制了可解释性。此外,现有方法依赖大量标注数据,泛化能力较弱,难以应对新型恶意软件。大型语言模型(Large Language Models,LLMs)具备强大的特征提取和上下文理解能力,能够有效处理少样本数据,实现多模态信息融合,从而增强分析精度与泛化性。受大型语言模型的启发,结合对比学习策略,同时学习控制流图的结构和汇编指令,以提高恶意软件分析的效果和灵活性。基于此,设计了Instruct-Malware框架。该框架采用轻量级图-文本对齐投影,通过双阶段指令优化,显著增强了恶意软件分析的灵活性和鲁棒性;此外,提升了模型的解释能力,透明化了决策过程。实验结果表明,所提出的框架在恶意软件分类和子图识别任务中展现了显著的性能提升,超越了现有的主流方法,并大幅缩小了与专业模型之间的差距,为构建高效且可靠的恶意软件分析系统提供了新的思路。

关键词: 恶意软件分析, 图神经网络, 大语言模型, 对比学习

Abstract: Malware detection and classification face challenges due to their complexity and stealthiness.Although GNNs can effectively model control flow graphs,thereby enhancing the accuracy of behavioral pattern recognition,their “black-box” nature limits interpretability.Moreover,existing methods rely heavily on large amounts of labeled data,resulting in weaker generalization capabilities and difficulties in addressing novel malware.LLMs possess strong feature extraction and contextual understanding abilities,capable of efficiently processing few-shot data and achieving multimodal information fusion,thus enhancing analytical precision and generalizability.Inspired by large language models and leveraging contrastive learning strategies,this paper aims to simultaneously learn the structure of control flow graphs and assembly instructions,thereby enhancing the effectiveness and flexibility of malware analysis.Based on this,this paper designs the Instruct-Malware framework,which employs lightweight graph-text alignment projection and two-stage instruction optimization,significantly enhancing the flexibility and robustness of malware analysis.Additionally,the interpretability of the model has been improved,clarifying the decision-makingprocess.Experimental results demonstrate that the proposed framework exhibits significant performance improvements in malware classification and subgraph recognition tasks,surpassing current mainstream approaches and substantially narrowing the gap with specialized mo-dels.This provides new insights into building an efficient and reliable malware analysis system.

Key words: Malware analysis, Graph neural networks, Large language models, Contrastive learning

中图分类号: 

  • TP319
[1]Av-Test.Malware Statistics & Trends Report by Av-Test[EB/OL].https://www.av-test.org/en/statistics/malware.
[2]SHARMA O,SHARMA A,KALIA A.Windows and IoT Malware Visualization and Classification with Deep CNN and Xception CNN Using Markov Images[J].Journal of Intelligent Information Systems,2023,60(2):349-375.
[3]ALZUBI O A,ALZUBI J A,ALZUBI T M,et al.QuantumMayfly Optimization with Encoder-Decoder Driven LSTM Networks for Malware Detection and Classification Model[J].Mobile Networks and Applications,2023,28(2):795-807.
[4]XIAO G Q,LI X Q,CHEN Y D,et al.A Review of Large-Scale Graph Neural Networks[J].Journal of Computer Science,2024,47(1):148-171.
[5]YAN J,YAN G,JIN D.Classifying Malware Represented asControl Flow Graphs Using Deep Graph Convolutional Neural Network[C]//2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks(DSN).2019:52-63.
[6]WU B,XU Y,ZOU F.Malware Classification by Learning Semantic and Structural Features of Control Flow Graphs[C]//2021 IEEE 20th International Conference on Trust,Security and Privacy in Computing and Communications.2021:540-547.
[7]YING Z,BOURGEOIS D,YOU J,et al.Gnnexplainer:Generating Explanations for Graph Neural Networks[C]//Advances in Neural Information Processing Systems.2019:9240-9251.
[8]YUAN H,YU H,WANG J,et al.On Explainability of GraphNeural Networks Via Subgraph Explorations[C]//International Conference on Machine Learning.2021:12241-12252.
[9]HERATH J D,WAKODIKAR P P,YANG P,et al.Cfgexplainer:Explaining Graph Neural Network-Based Malware Classification From Control Flow Graphs[C]//2022 52nd Annual IEEE/IFIP International Conference on Dependable Systems and Networks(DSN).2022:172-184.
[10]LUO D,CHENG W,XU D,et al.Parameterized Explainer for Graph Neural Network[C]//Advances in Neural Information Processing Systems.2020:19620-19631.
[11]ZENG A,LIU X,DU Z,et al.Glm-130B:An Open Bilingual Pre-Trained Model[C]//Proceedings of the International Conference on Learning Representations.2023:1-56.
[12]Openai.Chatgpt:A Language Model for Conversational AI[EB/OL].https://chatgpt.com/.
[13]LIU H,LI C,WU Q,et al.Visual Instruction Tuning[C]//Advances in Neural Information Processing Systems.2024:34892-34916.
[14]ZHU D,CHEN J,SHEN X,et al.Minigpt-4:Enhancing Vision-Language Understanding with Advanced Large Language Mo-dels[C]//Proceedings of the International Conference on Lear-ning Representations.2024:1-17.
[15]YE Q,XU H,XU G,et al.Mplug-Owl:Modularization Empowers Large Language Models with Multimodality[J].arXiv:2304.14178,2023.
[16]WEN Z,FANG Y.Prompt Tuning On Graph-Augmented Low-Resource Text Classification[J].IEEE Transactions on Know-ledge and Data Engineering,2024,36(12):9080-9095.
[17]ZHANG H,LI X,BING L.Video-Llama:An Instruction-Tuned Audio-Visual Language Model for Video Understanding[C]//Proceedings of the 2023 Conference on Empirical Methods in Natural Language Processing:System Demonstrations.2023:543-553.
[18]TANG J,YANG Y,WEI W,et al.Graphgpt:Graph Instruction Tuning for Large Language Models[C]//Proceedings of the 47th International ACM SIGIR Conference on Research and Development in Information Retrieval.2024:491-500.
[19]WANG Y,KORDI Y,MISHRA S,et al.Self-Instruct:Aligning Language Models with Self-Generated Instructions[C]//Proceedings of the 61st Annual Meeting of the Association for Computational Linguistics.2023:13484-13508.
[20]VASWANI A.Attention is All You Need[C]//Advances in Neural Information Processing Systems.2017:5998-6008.
[21]RADFORD A,KIM J W,HALLACY C,et al.Learning Transferable Visual Models From Natural Language Supervision[C]//International Conference on Machine Learning.2021:8748-8763.
[22]WEN Z,FANG Y.Augmenting Low-Resource Text Classifica-tion with Graph-Grounded Pre-Training and Prompting[C]//Proceedings of the 46th International ACM SIGIR Conference on Research and Development in Information Retrieval.2023:506-516.
[23]LIU S,NIE W,WANG C,et al.Multi-Modal Molecule Structure-Text Model for Text-Based Retrieval and Editing[J].Nature Machine Intelligence,2023,5(12):1447-1457.
[24]LU Y,PENG J,ZHU Y,et al.Pre-Training Molecular GraphRepresentations with Motif-Enhanced Message Passing[C]//2024 International Joint Conference on Neural Networks(IJCNN).2024:1-8.
[25]OORD A V D,LI Y,VINYALS O.Representation Learningwith Contrastive Predictive Coding[J].arXiv:1807.03748,2018.
[26]HU E J,SHEN Y,WALLIS P,et al.Lora:Low-Rank Adaptation of Large Language Models[C]//Proceedings of the International Conference on Learning Representations.2022:1-13.
[27]HAMILTON W,YING Z,LESKOVEC J.Inductive Representation Learning On Large Graphs[C]//Advances in Neural Information Processing Systems.2017:1024-1034.
[28]KIPF T N,WELLING M.Semi-Supervised Classification withGraph Convolutional Networks[C]//Proceedings of the International Conference on Learning Representations.2017:1-14.
[29]VELIČKOVIĆ P,CUCURULL G,CASANOVA A,et al.Graph Attention Networks[C]//Proceedings of the International Conference on Learning Representations.2018:1-12.
[30]VELIČKOVIĆ P,FEDUS W,HAMILTON W L,et al.Deep Graph Infomax[C]//Proceedings of the International Confe-rence on Learning Representations.2018:1-17.
[31]ZHANG S,LIU Y,SUN Y,et al.Graph-Less Neural Networks:Teaching Old Mlps New Tricks Via Distillation[C]//Procee-dings of the International Conference on Learning Representations.2022:1-21.
[32]WEI J,WANG X,SCHUURMANS D,et al.Chain-of-Thought Prompting Elicits Reasoning in Large Language Models[J].Advances in Neural Information Processing Systems,2022,35:24824-24837.
[33]LIU H,LI C,LI Y,et al.Improved Baselines with Visual Instruction Tuning[C]//Proceedings of the IEEE/CVF Confe-rence on Computer Vision and Pattern Recognition.2024:26296-26306.
Viewed
Full text


Abstract

Cited
  Shared   
  Discussed   
No Suggested Reading articles found!
渝ICP备16013121号-4
地址:重庆市渝北区洪湖西路18号    邮编:401121  
电话:023-63500828(编辑部) 023-67039612(会议/专题) 023-67039623(财务/发票)
E-mail:jsjkx12@163.com
本系统由北京玛格泰克科技发展有限公司设计开发