{"id":"https://openalex.org/W7125677113","doi":"https://doi.org/10.1145/3774904.3792083","title":"Bridging Expert Reasoning and LLM Detection: A Knowledge-Driven Framework for Malicious Packages","display_name":"Bridging Expert Reasoning and LLM Detection: A Knowledge-Driven Framework for Malicious Packages","publication_year":2026,"publication_date":"2026-04-09","ids":{"openalex":"https://openalex.org/W7125677113","doi":"https://doi.org/10.1145/3774904.3792083"},"language":null,"primary_location":{"id":"doi:10.1145/3774904.3792083","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3774904.3792083","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM Web Conference 2026","raw_type":"proceedings-article"},"type":"article","indexed_in":["arxiv","crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://doi.org/10.1145/3774904.3792083","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":null,"display_name":"Wenbo Guo","orcid":"https://orcid.org/0000-0001-6655-8179"},"institutions":[{"id":"https://openalex.org/I172675005","display_name":"Nanyang Technological University","ror":"https://ror.org/02e7b5302","country_code":"SG","type":"education","lineage":["https://openalex.org/I172675005"]}],"countries":["SG"],"is_corresponding":true,"raw_author_name":"Wenbo Guo","raw_affiliation_strings":["Nanyang Technological University, Singapore, Singapore"],"raw_orcid":"https://orcid.org/0000-0001-6655-8179","affiliations":[{"raw_affiliation_string":"Nanyang Technological University, Singapore, Singapore","institution_ids":["https://openalex.org/I172675005"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5104094613","display_name":"Shiwen Song","orcid":null},"institutions":[{"id":"https://openalex.org/I79891267","display_name":"Singapore Management University","ror":"https://ror.org/050qmg959","country_code":"SG","type":"education","lineage":["https://openalex.org/I79891267"]}],"countries":["SG"],"is_corresponding":false,"raw_author_name":"Shiwen Song","raw_affiliation_strings":["Singapore Management University, Singapore, Singapore"],"raw_orcid":"https://orcid.org/0009-0008-7885-1135","affiliations":[{"raw_affiliation_string":"Singapore Management University, Singapore, Singapore","institution_ids":["https://openalex.org/I79891267"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5123833263","display_name":"Jiaxun Guo","orcid":null},"institutions":[{"id":"https://openalex.org/I24185976","display_name":"Sichuan University","ror":"https://ror.org/011ashp19","country_code":"CN","type":"education","lineage":["https://openalex.org/I24185976"]},{"id":"https://openalex.org/I64852412","display_name":"Sichuan University of Science and Engineering","ror":"https://ror.org/053fzma23","country_code":"CN","type":"education","lineage":["https://openalex.org/I64852412"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Jiaxun Guo","raw_affiliation_strings":["Sichuan University, China, China"],"raw_orcid":"https://orcid.org/0009-0003-6004-1277","affiliations":[{"raw_affiliation_string":"Sichuan University, China, China","institution_ids":["https://openalex.org/I24185976","https://openalex.org/I64852412"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5123874808","display_name":"Zhengzi Xu","orcid":null},"institutions":[{"id":"https://openalex.org/I4210136567","display_name":"GlobalFoundries (Singapore)","ror":"https://ror.org/03whnfd14","country_code":"SG","type":"company","lineage":["https://openalex.org/I35662394","https://openalex.org/I4210136567"]}],"countries":["SG"],"is_corresponding":false,"raw_author_name":"Zhengzi Xu","raw_affiliation_strings":["Imperial Global Singapore, Singapore, Singapore"],"raw_orcid":"https://orcid.org/0000-0002-8390-7518","affiliations":[{"raw_affiliation_string":"Imperial Global Singapore, Singapore, Singapore","institution_ids":["https://openalex.org/I4210136567"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5123854118","display_name":"Chengwei Liu","orcid":null},"institutions":[{"id":"https://openalex.org/I172675005","display_name":"Nanyang Technological University","ror":"https://ror.org/02e7b5302","country_code":"SG","type":"education","lineage":["https://openalex.org/I172675005"]}],"countries":["SG"],"is_corresponding":false,"raw_author_name":"Chengwei Liu","raw_affiliation_strings":["Nanyang Technological University, Singapore, Singapore"],"raw_orcid":"https://orcid.org/0000-0003-1175-2753","affiliations":[{"raw_affiliation_string":"Nanyang Technological University, Singapore, Singapore","institution_ids":["https://openalex.org/I172675005"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5123822859","display_name":"Haoran Ou","orcid":null},"institutions":[{"id":"https://openalex.org/I172675005","display_name":"Nanyang Technological University","ror":"https://ror.org/02e7b5302","country_code":"SG","type":"education","lineage":["https://openalex.org/I172675005"]}],"countries":["SG"],"is_corresponding":false,"raw_author_name":"Haoran Ou","raw_affiliation_strings":["Nanyang Technological University, Singapore, Singapore"],"raw_orcid":"https://orcid.org/0009-0009-6501-2655","affiliations":[{"raw_affiliation_string":"Nanyang Technological University, Singapore, Singapore","institution_ids":["https://openalex.org/I172675005"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Mengmeng Ge","orcid":"https://orcid.org/0000-0001-6912-6152"},"institutions":[{"id":"https://openalex.org/I172675005","display_name":"Nanyang Technological University","ror":"https://ror.org/02e7b5302","country_code":"SG","type":"education","lineage":["https://openalex.org/I172675005"]}],"countries":["SG"],"is_corresponding":false,"raw_author_name":"Mengmeng Ge","raw_affiliation_strings":["Nanyang Technological University, Singapore, Singapore"],"raw_orcid":"https://orcid.org/0000-0001-6912-6152","affiliations":[{"raw_affiliation_string":"Nanyang Technological University, Singapore, Singapore","institution_ids":["https://openalex.org/I172675005"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5123870214","display_name":"Yang Liu","orcid":null},"institutions":[{"id":"https://openalex.org/I172675005","display_name":"Nanyang Technological University","ror":"https://ror.org/02e7b5302","country_code":"SG","type":"education","lineage":["https://openalex.org/I172675005"]}],"countries":["SG"],"is_corresponding":false,"raw_author_name":"Yang Liu","raw_affiliation_strings":["Nanyang Technological University, Singapore, Singapore"],"raw_orcid":"https://orcid.org/0000-0001-7300-9215","affiliations":[{"raw_affiliation_string":"Nanyang Technological University, Singapore, Singapore","institution_ids":["https://openalex.org/I172675005"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":8,"corresponding_author_ids":[],"corresponding_institution_ids":["https://openalex.org/I172675005"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":{"value":0.15874295,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":"3554","last_page":"3565"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.7419999837875366,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.7419999837875366,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.07180000096559525,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.053599998354911804,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/bridging","display_name":"Bridging (networking)","score":0.7360000014305115},{"id":"https://openalex.org/keywords/expert-system","display_name":"Expert system","score":0.5950999855995178},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.5016000270843506},{"id":"https://openalex.org/keywords/knowledge-base","display_name":"Knowledge base","score":0.47290000319480896},{"id":"https://openalex.org/keywords/automated-reasoning","display_name":"Automated reasoning","score":0.42419999837875366},{"id":"https://openalex.org/keywords/legal-expert-system","display_name":"Legal expert system","score":0.41620001196861267},{"id":"https://openalex.org/keywords/model-based-reasoning","display_name":"Model-based reasoning","score":0.40799999237060547},{"id":"https://openalex.org/keywords/subject-matter-expert","display_name":"Subject-matter expert","score":0.3359000086784363}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8044999837875366},{"id":"https://openalex.org/C174348530","wikidata":"https://www.wikidata.org/wiki/Q188635","display_name":"Bridging (networking)","level":2,"score":0.7360000014305115},{"id":"https://openalex.org/C58328972","wikidata":"https://www.wikidata.org/wiki/Q184609","display_name":"Expert system","level":2,"score":0.5950999855995178},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.5016000270843506},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.474700003862381},{"id":"https://openalex.org/C4554734","wikidata":"https://www.wikidata.org/wiki/Q593744","display_name":"Knowledge base","level":2,"score":0.47290000319480896},{"id":"https://openalex.org/C195344581","wikidata":"https://www.wikidata.org/wiki/Q2555318","display_name":"Automated reasoning","level":2,"score":0.42419999837875366},{"id":"https://openalex.org/C102600418","wikidata":"https://www.wikidata.org/wiki/Q6517507","display_name":"Legal expert system","level":3,"score":0.41620001196861267},{"id":"https://openalex.org/C37335422","wikidata":"https://www.wikidata.org/wiki/Q6888134","display_name":"Model-based reasoning","level":3,"score":0.40799999237060547},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.3463999927043915},{"id":"https://openalex.org/C105002631","wikidata":"https://www.wikidata.org/wiki/Q4833645","display_name":"Subject-matter expert","level":3,"score":0.3359000086784363},{"id":"https://openalex.org/C157170001","wikidata":"https://www.wikidata.org/wiki/Q4781507","display_name":"Applications of artificial intelligence","level":2,"score":0.3052999973297119},{"id":"https://openalex.org/C115901376","wikidata":"https://www.wikidata.org/wiki/Q184199","display_name":"Automation","level":2,"score":0.2904999852180481},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.2766999900341034},{"id":"https://openalex.org/C2777220311","wikidata":"https://www.wikidata.org/wiki/Q6423340","display_name":"Knowledge acquisition","level":2,"score":0.27649998664855957},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.272599995136261},{"id":"https://openalex.org/C161301231","wikidata":"https://www.wikidata.org/wiki/Q3478658","display_name":"Knowledge representation and reasoning","level":2,"score":0.266400009393692},{"id":"https://openalex.org/C52146309","wikidata":"https://www.wikidata.org/wiki/Q7431116","display_name":"Schema (genetic algorithms)","level":2,"score":0.263700008392334},{"id":"https://openalex.org/C517642484","wikidata":"https://www.wikidata.org/wiki/Q2388514","display_name":"Intelligence analysis","level":2,"score":0.2630000114440918},{"id":"https://openalex.org/C42058472","wikidata":"https://www.wikidata.org/wiki/Q810214","display_name":"Base (topology)","level":2,"score":0.26179999113082886},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.25279998779296875},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.2524999976158142},{"id":"https://openalex.org/C2779639559","wikidata":"https://www.wikidata.org/wiki/Q7661178","display_name":"Symbolic execution","level":3,"score":0.25040000677108765}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1145/3774904.3792083","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3774904.3792083","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM Web Conference 2026","raw_type":"proceedings-article"},{"id":"pmh:oai:arXiv.org:2601.16458","is_oa":true,"landing_page_url":"http://arxiv.org/abs/2601.16458","pdf_url":"https://arxiv.org/pdf/2601.16458","source":{"id":"https://openalex.org/S4393918464","display_name":"ArXiv.org","issn_l":"2331-8422","issn":["2331-8422"],"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"text"}],"best_oa_location":{"id":"doi:10.1145/3774904.3792083","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3774904.3792083","pdf_url":null,"source":null,"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM Web Conference 2026","raw_type":"proceedings-article"},"sustainable_development_goals":[{"display_name":"Life in Land","score":0.5270608067512512,"id":"https://metadata.un.org/sdg/15"}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Open-source":[0],"ecosystems":[1],"such":[2],"as":[3],"NPM":[4],"and":[5,72,85,109,134],"PyPI":[6],"are":[7],"increasingly":[8],"targeted":[9],"by":[10,138],"supply":[11],"chain":[12],"attacks,":[13],"yet":[14],"existing":[15],"detection":[16,136],"methods":[17],"either":[18],"depend":[19],"on":[20,99,119,123],"fragile":[21],"handcrafted":[22],"rules":[23],"or":[24],"data-driven":[25],"features":[26],"that":[27,43,104],"fail":[28],"to":[29,89],"capture":[30],"evolving":[31],"attack":[32],"semantics.":[33],"We":[34],"present":[35],"IntelGuard,":[36],"a":[37,55,110],"retrieval-augmented":[38],"generation":[39],"(RAG)":[40],"based":[41],"framework":[42],"integrates":[44],"expert":[45,73,139],"analytical":[46],"reasoning":[47,88],"into":[48],"automated":[49],"malicious":[50,66,83,130],"package":[51],"detection.":[52],"IntelGuard":[53,105],"constructs":[54],"structured":[56],"knowledge":[57],"base":[58],"from":[59],"over":[60],"8,000":[61],"threat":[62],"intelligence":[63],"reports,":[64],"linking":[65],"code":[67,92],"snippets":[68],"with":[69,95],"behavioral":[70],"descriptions":[71],"reasoning.":[74],"When":[75],"analyzing":[76],"new":[77],"packages,":[78,131],"it":[79,125],"retrieves":[80],"semantically":[81],"similar":[82],"examples":[84],"applies":[86],"LLM-guided":[87],"assess":[90],"whether":[91],"behaviors":[93],"align":[94],"intended":[96],"functionality.":[97],"Experiments":[98],"4,027":[100],"real-world":[101],"packages":[102],"show":[103],"achieves":[106],"99%":[107],"accuracy":[108,118],"0.50%":[111],"false":[112],"positive":[113],"rate,":[114],"while":[115],"maintaining":[116],"96.5%":[117],"obfuscated":[120],"code.":[121],"Deployed":[122],"PyPI.org,":[124],"discovered":[126],"54":[127],"previously":[128],"unreported":[129],"demonstrating":[132],"interpretable":[133],"robust":[135],"guided":[137],"knowledge.":[140]},"counts_by_year":[],"updated_date":"2026-04-25T08:17:42.794288","created_date":"2026-01-27T00:00:00"}