{"id":"https://openalex.org/W7135233431","doi":"https://doi.org/10.1109/iccp68926.2025.11427171","title":"ArA - Evaluating LLM Suitability as Out-of-the-Box Malware Analysts","display_name":"ArA - Evaluating LLM Suitability as Out-of-the-Box Malware Analysts","publication_year":2025,"publication_date":"2025-10-16","ids":{"openalex":"https://openalex.org/W7135233431","doi":"https://doi.org/10.1109/iccp68926.2025.11427171"},"language":null,"primary_location":{"id":"doi:10.1109/iccp68926.2025.11427171","is_oa":false,"landing_page_url":"https://doi.org/10.1109/iccp68926.2025.11427171","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2025 IEEE 21st International Conference on Intelligent Computer Communication and Processing (ICCP)","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5129022494","display_name":"Gabriel-C\u0103t\u0103lin Rat","orcid":null},"institutions":[{"id":"https://openalex.org/I158333966","display_name":"Technical University of Cluj-Napoca","ror":"https://ror.org/03r8nwp71","country_code":"RO","type":"education","lineage":["https://openalex.org/I158333966"]}],"countries":["RO"],"is_corresponding":true,"raw_author_name":"Gabriel-C\u0103t\u0103lin Rat","raw_affiliation_strings":["Technical University of Cluj-Napoca,Bitdefender"],"affiliations":[{"raw_affiliation_string":"Technical University of Cluj-Napoca,Bitdefender","institution_ids":["https://openalex.org/I158333966"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5058646010","display_name":"Andrei Popoviciu","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Andrei Popoviciu","raw_affiliation_strings":["Bitdefender"],"affiliations":[{"raw_affiliation_string":"Bitdefender","institution_ids":[]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5006746992","display_name":"Radu-Marian Portase","orcid":null},"institutions":[{"id":"https://openalex.org/I158333966","display_name":"Technical University of Cluj-Napoca","ror":"https://ror.org/03r8nwp71","country_code":"RO","type":"education","lineage":["https://openalex.org/I158333966"]}],"countries":["RO"],"is_corresponding":false,"raw_author_name":"Radu-Marian Portase","raw_affiliation_strings":["Technical University of Cluj-Napoca,Bitdefender"],"affiliations":[{"raw_affiliation_string":"Technical University of Cluj-Napoca,Bitdefender","institution_ids":["https://openalex.org/I158333966"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5128995161","display_name":"Adrian Cole\u015fa","orcid":null},"institutions":[{"id":"https://openalex.org/I158333966","display_name":"Technical University of Cluj-Napoca","ror":"https://ror.org/03r8nwp71","country_code":"RO","type":"education","lineage":["https://openalex.org/I158333966"]}],"countries":["RO"],"is_corresponding":false,"raw_author_name":"Adrian Cole\u015fa","raw_affiliation_strings":["Technical University of Cluj-Napoca,Bitdefender"],"affiliations":[{"raw_affiliation_string":"Technical University of Cluj-Napoca,Bitdefender","institution_ids":["https://openalex.org/I158333966"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5129022494"],"corresponding_institution_ids":["https://openalex.org/I158333966"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.76490497,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"1","last_page":"8"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.8913999795913696,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.8913999795913696,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.025800000876188278,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.012000000104308128,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.31529998779296875},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.2549000084400177},{"id":"https://openalex.org/keywords/the-internet","display_name":"The Internet","score":0.2515999972820282},{"id":"https://openalex.org/keywords/information-system","display_name":"Information system","score":0.25130000710487366}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.5449000000953674},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.4325000047683716},{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.34950000047683716},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.31529998779296875},{"id":"https://openalex.org/C108827166","wikidata":"https://www.wikidata.org/wiki/Q175975","display_name":"Internet privacy","level":1,"score":0.29789999127388},{"id":"https://openalex.org/C2522767166","wikidata":"https://www.wikidata.org/wiki/Q2374463","display_name":"Data science","level":1,"score":0.25859999656677246},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.2549000084400177},{"id":"https://openalex.org/C110875604","wikidata":"https://www.wikidata.org/wiki/Q75","display_name":"The Internet","level":2,"score":0.2515999972820282},{"id":"https://openalex.org/C180198813","wikidata":"https://www.wikidata.org/wiki/Q121182","display_name":"Information system","level":2,"score":0.25130000710487366},{"id":"https://openalex.org/C145097563","wikidata":"https://www.wikidata.org/wiki/Q1148747","display_name":"Payment","level":2,"score":0.24770000576972961}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1109/iccp68926.2025.11427171","is_oa":false,"landing_page_url":"https://doi.org/10.1109/iccp68926.2025.11427171","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"2025 IEEE 21st International Conference on Intelligent Computer Communication and Processing (ICCP)","raw_type":"proceedings-article"}],"best_oa_location":null,"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":4,"referenced_works":["https://openalex.org/W3111533025","https://openalex.org/W4401004521","https://openalex.org/W4408061892","https://openalex.org/W4416036707"],"related_works":[],"abstract_inverted_index":{"Security":[0],"operations":[1],"centers":[2],"(SOCs)":[3],"are":[4],"increasingly":[5],"deploying":[6],"large":[7],"language":[8],"models":[9,95,137],"(LLMs)":[10],"to":[11,77,221],"assist":[12],"human":[13],"analysts;":[14],"however,":[15],"the":[16,67,79,115,155,174],"reliability":[17],"of":[18,176,210],"off-the-shelf":[19],"LLMs":[20,31,187],"for":[21,199,226],"malware":[22,36,52,107,128,144,191,224],"analysis":[23,225],"remains":[24],"uncertain.":[25],"This":[26],"paper":[27],"investigates":[28],"whether":[29],"state-of-the-art":[30],"can":[32,188],"serve":[33],"as":[34,81],"\u201cvirtual":[35],"analysts\u201d":[37],"without":[38],"task-specific":[39],"fine-tuning.":[40],"We":[41,85,163],"introduce":[42],"ArA":[43,59],"(Artificial":[44],"Analyst),":[45],"a":[46,63,99,102],"novel":[47],"system":[48],"that":[49,185],"combines":[50],"dynamic":[51],"sandboxing":[53],"with":[54],"an":[55,75],"LLM-based":[56,223],"reasoning":[57],"engine.":[58],"executes":[60],"programs":[61],"in":[62,193],"controlled":[64],"environment,":[65],"translates":[66],"observed":[68],"behaviour":[69,80,211],"into":[70],"natural-language":[71],"reports,":[72],"and":[73,98,109,130,173,213,217],"prompts":[74],"LLM":[76],"classify":[78],"malicious":[82],"or":[83],"benign.":[84],"evaluated":[86],"12":[87],"modern":[88],"LLMs-including":[89],"GPT-4,":[90],"its":[91],"distilled":[92],"variants,":[93],"open-source":[94,136],"(1B-27B":[96],"parameters),":[97],"security-tuned":[100,156],"model-on":[101],"dataset":[103],"comprising":[104],"712":[105],"real":[106],"samples":[108,129],"304":[110],"benign":[111,133,152],"programs.":[112],"GPT-4":[113],"achieved":[114],"highest":[116],"accuracy":[117],"at":[118],"95%":[119],"(macro":[120],"F1":[121],"=":[122],"0.93),":[123],"correctly":[124],"identifying":[125],"nearly":[126],"all":[127],"rarely":[131],"mislabeling":[132],"software.":[134],"Smaller":[135],"demonstrated":[138],"mixed":[139],"performance;":[140],"some":[141],"attained":[142],"perfect":[143],"recall":[145],"but":[146],"exhibited":[147],"higher":[148],"false-positive":[149,171],"rates":[150],"on":[151],"data,":[153],"while":[154],"8B":[157],"model":[158],"performed":[159],"below":[160],"general-purpose":[161],"models.":[162],"analyse":[164],"each":[165],"model\u2019s":[166],"strengths,":[167],"common":[168],"errors":[169],"(e.g.,":[170],"biases),":[172],"usage":[175],"tentative":[177],"(\u201csuspicious\u201d)":[178],"versus":[179],"definitive":[180],"labels.":[181],"Our":[182],"findings":[183],"demonstrate":[184],"advanced":[186],"accurately":[189],"distinguish":[190],"behaviours":[192],"zeroshot":[194],"settings,":[195],"offering":[196],"immediate":[197],"value":[198],"SOC":[200],"triage.":[201],"However,":[202],"we":[203],"also":[204],"highlight":[205],"limitations,":[206],"including":[207],"insufficient":[208],"coverage":[209],"variations":[212],"limited":[214],"explanation":[215],"quality,":[216],"discuss":[218],"future":[219],"steps":[220],"enhance":[222],"practical":[227],"deployment.":[228]},"counts_by_year":[],"updated_date":"2026-03-15T07:15:06.534987","created_date":"2026-03-14T00:00:00"}