Multi-View Decompilation for LLM-Based Malware Classification

2026-06-18 · Source: Artificial Intelligence · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Advanced, quick

Summary

A new approach, Multi-View Decompilation, addresses the fragility of existing LLM-based malware classification pipelines that rely on a single decompiler view. Recognizing that decompilers are lossy heuristic tools and produce different artifacts, researchers curated a benchmark of benign and malicious programs. Each sample was compiled and then decompiled using both Ghidra and RetDec, yielding matched pseudo-C views. Across various LLMs, providing both decompiler views significantly improved malicious-class F1 scores, primarily by increasing recall on malicious samples. Agreement analyses confirmed that Ghidra and RetDec make partially different errors, supporting the idea that their outputs offer complementary evidence. This multi-decompiler prompting method is a simple, training-free way to enhance LLM-based malware triage.

Key takeaway

For AI Security Engineers developing LLM-based malware classification systems, you should integrate multi-decompiler prompting. Relying on a single decompiler view is fragile; providing both Ghidra and RetDec outputs to your LLMs can significantly boost malicious sample recall and overall F1 scores. This simple, training-free approach offers a practical way to enhance detection accuracy in real-world triage.

Key insights

Using multiple decompiler views improves LLM-based malware classification by providing complementary evidence.

Principles

• Decompilers are lossy heuristic tools.
• Different decompilers expose complementary artifacts.
• Multi-decompiler prompting boosts LLM recall.

Method

The proposed method involves feeding LLMs pseudo-C code from multiple decompilers, such as Ghidra and RetDec, for the same binary to improve classification.

In practice

• Integrate Ghidra and RetDec outputs.
• Apply multi-decompiler prompting.
• Enhance LLM-based malware triage.

Topics

• Malware Classification
• Large Language Models
• Decompilation
• Ghidra
• RetDec
• Cybersecurity

Best for: AI Engineer, Machine Learning Engineer, Research Scientist, AI Security Engineer, NLP Engineer, AI Scientist

Related on AIssential

• Can Small GenAI Language Models Rival Large Language Models in Understanding Application Behavior? — Small GenAI models can rival larger LLMs in malware detection, offering efficiency for resource-constrained environments.
• SMSR: Certified Defence Against Runtime Memory Poisoning in Persistent LLM Agent Systems — SMSR provides certified defense against memory poisoning in persistent LLM agents using cryptographic provenance and smoothed retrieval.
• Snyk VulnBench JS 1.0: Can LLMs Find the Same Bugs Twice? — LLM security findings are unevenly repeatable; combine with SAST for comprehensive coverage.
• Decoupled Smart Contract Audits: Lightweight LLM Framework via Distillation and Aggregation — Lightweight LLMs can achieve high accuracy in smart contract auditing by decoupling tasks and employing distillation and aggregation strategies.
• Multi-View Attention Multiple-Instance Learning Enhanced by LLM Reasoning for Cognitive Distortion Detection — Combining LLMs with MIL and ELB components improves cognitive distortion detection by enhancing interpretability and reasoning.
• The Evolution of LLM Inference: Decoding algorithms — Part 1 — LLM inference speed hinges on reducing sequential decoding steps by predicting and verifying multiple tokens in parallel.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Artificial Intelligence.