{"id":"https://openalex.org/W7130535881","doi":"https://doi.org/10.48550/arxiv.2602.16304","title":"Mind the Gap: Evaluating LLMs for High-Level Malicious Package Detection vs. Fine-Grained Indicator Identification","display_name":"Mind the Gap: Evaluating LLMs for High-Level Malicious Package Detection vs. Fine-Grained Indicator Identification","publication_year":2026,"publication_date":"2026-02-18","ids":{"openalex":"https://openalex.org/W7130535881","doi":"https://doi.org/10.48550/arxiv.2602.16304"},"language":null,"primary_location":{"id":"pmh:doi:10.48550/arxiv.2602.16304","is_oa":true,"landing_page_url":null,"pdf_url":null,"source":{"id":"https://openalex.org/S4406922384","display_name":"Open MIND","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"publisher-specific-oa","license_id":"https://openalex.org/licenses/publisher-specific-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":null,"any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5126373601","display_name":"Ahmed Ryan","orcid":null},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Ryan, Ahmed","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5011820532","display_name":"Ibrahim Khalil","orcid":"https://orcid.org/0000-0002-3851-0968"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Khalil, Ibrahim","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5126438683","display_name":"Abdullah Al Jahid","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Jahid, Abdullah Al","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5126408446","display_name":"Md Erfan","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Erfan, Md","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":null,"display_name":"Park, Sungbin","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Park, Sungbin","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101684353","display_name":"Md Rayhanur Rahman","orcid":"https://orcid.org/0000-0003-4980-7350"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Rahman, Akond Ashfaque Ur","raw_affiliation_strings":[],"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5101684353","display_name":"Md Rayhanur Rahman","orcid":"https://orcid.org/0000-0003-4980-7350"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Rahman, Md Rayhanur","raw_affiliation_strings":[],"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":7,"corresponding_author_ids":["https://openalex.org/A5126373601"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.855400025844574,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.855400025844574,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.03449999913573265,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.028699999675154686,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/identification","display_name":"Identification (biology)","score":0.6503999829292297},{"id":"https://openalex.org/keywords/context","display_name":"Context (archaeology)","score":0.6133000254631042},{"id":"https://openalex.org/keywords/task","display_name":"Task (project management)","score":0.5583000183105469},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.532800018787384},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.48840001225471497},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.3837999999523163},{"id":"https://openalex.org/keywords/binary-number","display_name":"Binary number","score":0.3594000041484833}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7311999797821045},{"id":"https://openalex.org/C116834253","wikidata":"https://www.wikidata.org/wiki/Q2039217","display_name":"Identification (biology)","level":2,"score":0.6503999829292297},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.6133000254631042},{"id":"https://openalex.org/C2780451532","wikidata":"https://www.wikidata.org/wiki/Q759676","display_name":"Task (project management)","level":2,"score":0.5583000183105469},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.532800018787384},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.48840001225471497},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.4438000023365021},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.38670000433921814},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.3837999999523163},{"id":"https://openalex.org/C48372109","wikidata":"https://www.wikidata.org/wiki/Q3913","display_name":"Binary number","level":2,"score":0.3594000041484833},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.3582000136375427},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.3508000075817108},{"id":"https://openalex.org/C66905080","wikidata":"https://www.wikidata.org/wiki/Q17005494","display_name":"Binary classification","level":3,"score":0.33739998936653137},{"id":"https://openalex.org/C163258240","wikidata":"https://www.wikidata.org/wiki/Q25342","display_name":"Power (physics)","level":2,"score":0.33379998803138733},{"id":"https://openalex.org/C2777402642","wikidata":"https://www.wikidata.org/wiki/Q2557224","display_name":"Explanatory power","level":2,"score":0.311599999666214},{"id":"https://openalex.org/C12174686","wikidata":"https://www.wikidata.org/wiki/Q1058438","display_name":"Risk assessment","level":2,"score":0.31139999628067017},{"id":"https://openalex.org/C175154964","wikidata":"https://www.wikidata.org/wiki/Q380077","display_name":"Task analysis","level":3,"score":0.29089999198913574},{"id":"https://openalex.org/C2778136018","wikidata":"https://www.wikidata.org/wiki/Q10350689","display_name":"Predictive power","level":2,"score":0.2849000096321106},{"id":"https://openalex.org/C3020440742","wikidata":"https://www.wikidata.org/wiki/Q1176855","display_name":"Software package","level":3,"score":0.2847999930381775},{"id":"https://openalex.org/C45804977","wikidata":"https://www.wikidata.org/wiki/Q7239673","display_name":"Predictive modelling","level":2,"score":0.2831000089645386}],"mesh":[],"locations_count":2,"locations":[{"id":"pmh:doi:10.48550/arxiv.2602.16304","is_oa":true,"landing_page_url":null,"pdf_url":null,"source":{"id":"https://openalex.org/S4406922384","display_name":"Open MIND","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"publisher-specific-oa","license_id":"https://openalex.org/licenses/publisher-specific-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Article"},{"id":"doi:10.48550/arxiv.2602.16304","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2602.16304","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"pmh:doi:10.48550/arxiv.2602.16304","is_oa":true,"landing_page_url":null,"pdf_url":null,"source":{"id":"https://openalex.org/S4406922384","display_name":"Open MIND","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"publisher-specific-oa","license_id":"https://openalex.org/licenses/publisher-specific-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"Article"},"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","score":0.5279515385627747,"id":"https://metadata.un.org/sdg/16"}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"The":[0],"prevalence":[1],"of":[2,51,63,86,95,152],"malicious":[3,39,56,88,138],"packages":[4,40,65],"in":[5,37,112,120],"open-source":[6],"repositories,":[7],"such":[8],"as":[9,27],"PyPI,":[10],"poses":[11],"a":[12,28,48,60,108,165],"critical":[13],"threat":[14],"to":[15,135],"the":[16,93,132,150,196,201,209],"software":[17,57],"supply":[18],"chain.":[19],"While":[20,115],"Large":[21],"Language":[22],"Models":[23],"(LLMs)":[24],"have":[25,180],"emerged":[26],"promising":[29],"tool":[30],"for":[31,54,147,205],"automated":[32],"security":[33],"tasks,":[34],"their":[35],"effectiveness":[36],"detecting":[38,55,161],"and":[41,68,82,100,177],"indicators":[42],"remains":[43],"underexplored.":[44],"This":[45],"paper":[46],"presents":[47],"systematic":[49],"evaluation":[50],"13":[52],"LLMs":[53,191],"packages.":[58],"Using":[59],"curated":[61],"dataset":[62],"4,070":[64],"(3,700":[66],"benign":[67],"370":[69],"malicious),":[70],"we":[71],"evaluate":[72],"model":[73,101],"performance":[74,119,126],"across":[75],"two":[76],"tasks:":[77],"binary":[78,121],"classification":[79,84],"(package":[80],"detection)":[81],"multi-label":[83],"(identification":[85],"specific":[87,137],"indicators).":[89],"We":[90,106,140,187],"further":[91],"investigate":[92],"impact":[94],"prompting":[96],"strategies,":[97],"temperature":[98],"settings,":[99],"specifications":[102],"on":[103],"detection":[104,122,185],"accuracy.":[105,186],"find":[107],"significant":[109],"\"granularity":[110],"gap\"":[111],"LLMs'":[113],"capabilities.":[114],"GPT-4.1":[116],"achieves":[117],"near-perfect":[118],"(F1":[123],"$\\approx$":[124],"0.99),":[125],"degrades":[127],"by":[128],"approximately":[129],"41\\%":[130],"when":[131],"task":[133],"shifts":[134],"identifying":[136],"indicators.":[139],"observe":[141],"that":[142,163,174,189],"general":[143],"models":[144,157],"are":[145,158,192],"best":[146],"filtering":[148],"out":[149],"majority":[151],"threats,":[153],"while":[154,190],"specialized":[155],"coder":[156],"better":[159],"at":[160,195,208],"attacks":[162],"follow":[164],"strict,":[166],"predictable":[167],"code":[168],"structure.":[169],"Our":[170],"correlation":[171],"analysis":[172],"indicates":[173],"parameter":[175],"size":[176],"context":[178],"width":[179],"negligible":[181],"explanatory":[182],"power":[183],"regarding":[184],"conclude":[188],"powerful":[193],"detectors":[194],"package":[197],"level,":[198],"they":[199],"lack":[200],"semantic":[202],"depth":[203],"required":[204],"precise":[206],"identification":[207],"granular":[210],"indicator":[211],"level.":[212]},"counts_by_year":[],"updated_date":"2026-04-04T16:13:02.066488","created_date":"2026-02-20T00:00:00"}