Kernel-Level Malware Analysis and Behavioral Explanation Using LLMs

Narumi Yoneda, Ryo Hatano, Hiroyuki Nishiyama

2025

Abstract

In this study, we collected data on malware behavior and generated explanatory descriptions using a large language model (LLM). The objective of this study is to determine whether a given malware sample truly exhibits malicious behavior. To collect detailed information, we modified the Linux kernel to build a system capable of capturing the arguments and return values of invoked system calls. We subsequently analyzed the data obtained from our system for indications that the malware exhibited malicious or anti-analysis behavior. Additionally, we assessed whether the LLM could interpret this data and provide an explanation of the malware behavior. This approach constitutes a shift in focus from the method of attack, which is what malware-family detection examines, to an evaluation of the malicious nature of the actions performed by the malware. Our inferences demonstrated that our data could represent both what the malware "attempted to do" and what it "actually did," and the LLM was able to accurately interpret this data and explain the malware behavior.
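The abstract's central observation is that a trace carrying both arguments and return values lets an analyst separate what a sample attempted from what it actually achieved. The following added example, written for this page and not taken from the paper or its system, shows that separation over a small constructed trace: it parses records in an assumed `pid syscall(args) = retval [errno]` layout (the paper's own tracer format is not given here), tags records with illustrative defender-side heuristics such as a `ptrace(PTRACE_TRACEME)` debugger check, and sorts them into "performed" versus "attempted only" buckets based on the return value, then renders a plain-text summary of the kind one might hand to an LLM for explanation. All sample values, paths, and addresses are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Dict, Tuple

# Constructed sample trace. The record layout "<pid> <syscall>(<args>) = <retval>[ <errno>]"
# is an assumption of this example, not the output format of the paper's modified kernel.
SAMPLE_TRACE = """\
1234 ptrace(PTRACE_TRACEME, 0, 0, 0) = -1 EPERM
1234 openat(AT_FDCWD, "/proc/self/status", O_RDONLY) = 3
1234 read(3, "TracerPid:\\t0\\n", 4096) = 14
1234 openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = -1 EACCES
1234 connect(4, {sa_family=AF_INET, sin_port=htons(4444), sin_addr="203.0.113.5"}, 16) = -1 ECONNREFUSED
1234 unlink("/tmp/dropper.bin") = 0
"""

RECORD_RE = re.compile(r"^(\d+)\s+(\w+)\((.*)\)\s*=\s*(-?\d+)(?:\s+([A-Z]+))?$")


@dataclass
class SyscallRecord:
    pid: int
    name: str
    args: str
    retval: int
    errno: Optional[str] = None

    @property
    def succeeded(self) -> bool:
        # On Linux a negative return (with an errno) marks a failed call.
        return self.retval >= 0


def parse_trace(text: str) -> List[SyscallRecord]:
    """Parse one record per line; raise on lines that do not fit the assumed layout."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"unparseable record: {line!r}")
        pid, name, args, ret, err = m.groups()
        records.append(SyscallRecord(int(pid), name, args, int(ret), err))
    return records


def tag_record(r: SyscallRecord) -> Optional[str]:
    """Illustrative heuristics (assumptions of this example) for labelling a record."""
    if r.name == "ptrace" and "PTRACE_TRACEME" in r.args:
        return "anti-analysis: debugger check via ptrace"
    if r.name == "openat" and "/proc/self/status" in r.args:
        return "anti-analysis: reads own TracerPid"
    if r.name == "connect":
        return "network: outbound connection"
    if r.name == "openat" and "/etc/passwd" in r.args:
        return "credential file access"
    if r.name == "unlink":
        return "file deletion"
    return None


def summarize(records: List[SyscallRecord]) -> Dict[str, List[Tuple[str, str, Optional[str]]]]:
    """Split tagged records by outcome: what the sample did vs. what it only tried."""
    summary: Dict[str, List[Tuple[str, str, Optional[str]]]] = {"attempted_only": [], "performed": []}
    for r in records:
        tag = tag_record(r)
        if tag is None:
            continue
        bucket = "performed" if r.succeeded else "attempted_only"
        summary[bucket].append((tag, r.name, r.errno))
    return summary


def render_for_llm(records: List[SyscallRecord]) -> str:
    """Plain-text digest an analyst could pass to an LLM for a behavioral explanation."""
    s = summarize(records)
    lines = ["Observed behavior (performed):"]
    lines += [f"  - {tag} via {name}" for tag, name, _ in s["performed"]]
    lines.append("Attempted but failed:")
    lines += [f"  - {tag} via {name} (errno {err})" for tag, name, err in s["attempted_only"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_for_llm(parse_trace(SAMPLE_TRACE)))
```

The point the buckets make is that a failed `ptrace` or `connect` still reveals intent (an anti-analysis check, a beacon attempt) even though nothing "happened" on the host, while a successful `unlink` is a completed action; a summary that only lists syscall names would blur the two.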



Paper Citation


in Harvard Style

Yoneda N., Hatano R. and Nishiyama H. (2025). Kernel-Level Malware Analysis and Behavioral Explanation Using LLMs. In Proceedings of the 17th International Conference on Agents and Artificial Intelligence - Volume 3: ICAART; ISBN 978-989-758-737-5, SciTePress, pages 443-450. DOI: 10.5220/0013149500003890


in Bibtex Style

@conference{icaart25,
author={Narumi Yoneda and Ryo Hatano and Hiroyuki Nishiyama},
title={Kernel-Level Malware Analysis and Behavioral Explanation Using LLMs},
booktitle={Proceedings of the 17th International Conference on Agents and Artificial Intelligence - Volume 3: ICAART},
year={2025},
pages={443-450},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0013149500003890},
isbn={978-989-758-737-5},
}


in EndNote Style

TY - CONF

JO - Proceedings of the 17th International Conference on Agents and Artificial Intelligence - Volume 3: ICAART
TI - Kernel-Level Malware Analysis and Behavioral Explanation Using LLMs
SN - 978-989-758-737-5
AU - Yoneda N.
AU - Hatano R.
AU - Nishiyama H.
PY - 2025
SP - 443
EP - 450
DO - 10.5220/0013149500003890
PB - SciTePress