{"id":"https://openalex.org/W7160014534","doi":"https://doi.org/10.48550/arxiv.2605.00297","title":"Trident: Improving Malware Detection with LLMs and Behavioral Features","display_name":"Trident: Improving Malware Detection with LLMs and Behavioral Features","publication_year":2026,"publication_date":"2026-04-30","ids":{"openalex":"https://openalex.org/W7160014534","doi":"https://doi.org/10.48550/arxiv.2605.00297"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2605.00297","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.00297","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2605.00297","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5028001470","display_name":"Rebecca Saul","orcid":"https://orcid.org/0009-0002-5526-9093"},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Saul, Rebecca","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5135274646","display_name":"Jingzhi Jiang","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Jiang, Jingzhi","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5135146250","display_name":"Elliott Chia","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Chia, Elliott","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5135197187","display_name":"David Wagner","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Wagner, David","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":4,"corresponding_author_ids":["https://openalex.org/A5028001470"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9291999936103821,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9291999936103821,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12761","display_name":"Data Stream Mining Techniques","score":0.036400001496076584,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.009600000455975533,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/sandbox","display_name":"Sandbox (software development)","score":0.8747000098228455},{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.7771000266075134},{"id":"https://openalex.org/keywords/decision-tree","display_name":"Decision tree","score":0.567799985408783},{"id":"https://openalex.org/keywords/static-analysis","display_name":"Static analysis","score":0.4896000027656555},{"id":"https://openalex.org/keywords/behavioral-analysis","display_name":"Behavioral analysis","score":0.4715999960899353},{"id":"https://openalex.org/keywords/leverage","display_name":"Leverage (statistics)","score":0.4580000042915344},{"id":"https://openalex.org/keywords/set","display_name":"Set (abstract data type)","score":0.4523000121116638},{"id":"https://openalex.org/keywords/process","display_name":"Process (computing)","score":0.44780001044273376},{"id":"https://openalex.org/keywords/ensemble-learning","display_name":"Ensemble learning","score":0.4189000129699707}],"concepts":[{"id":"https://openalex.org/C167981075","wikidata":"https://www.wikidata.org/wiki/Q2667186","display_name":"Sandbox (software development)","level":2,"score":0.8747000098228455},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.7771000266075134},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7214999794960022},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.5823000073432922},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.5752000212669373},{"id":"https://openalex.org/C84525736","wikidata":"https://www.wikidata.org/wiki/Q831366","display_name":"Decision tree","level":2,"score":0.567799985408783},{"id":"https://openalex.org/C97686452","wikidata":"https://www.wikidata.org/wiki/Q7604153","display_name":"Static analysis","level":2,"score":0.4896000027656555},{"id":"https://openalex.org/C2989277270","wikidata":"https://www.wikidata.org/wiki/Q168338","display_name":"Behavioral analysis","level":2,"score":0.4715999960899353},{"id":"https://openalex.org/C153083717","wikidata":"https://www.wikidata.org/wiki/Q6535263","display_name":"Leverage (statistics)","level":2,"score":0.4580000042915344},{"id":"https://openalex.org/C177264268","wikidata":"https://www.wikidata.org/wiki/Q1514741","display_name":"Set (abstract data type)","level":2,"score":0.4523000121116638},{"id":"https://openalex.org/C98045186","wikidata":"https://www.wikidata.org/wiki/Q205663","display_name":"Process (computing)","level":2,"score":0.44780001044273376},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.43320000171661377},{"id":"https://openalex.org/C45942800","wikidata":"https://www.wikidata.org/wiki/Q245652","display_name":"Ensemble learning","level":2,"score":0.4189000129699707},{"id":"https://openalex.org/C43364308","wikidata":"https://www.wikidata.org/wiki/Q8799","display_name":"Byte","level":2,"score":0.399399995803833},{"id":"https://openalex.org/C48105269","wikidata":"https://www.wikidata.org/wiki/Q1141160","display_name":"Header","level":2,"score":0.3776000142097473},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.3555000126361847},{"id":"https://openalex.org/C96865113","wikidata":"https://www.wikidata.org/wiki/Q2946816","display_name":"Certificate","level":2,"score":0.34790000319480896},{"id":"https://openalex.org/C63479239","wikidata":"https://www.wikidata.org/wiki/Q7353546","display_name":"Robustness (evolution)","level":3,"score":0.3452000021934509},{"id":"https://openalex.org/C46686674","wikidata":"https://www.wikidata.org/wiki/Q466303","display_name":"Boosting (machine learning)","level":2,"score":0.3305000066757202},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.30219998955726624},{"id":"https://openalex.org/C12267149","wikidata":"https://www.wikidata.org/wiki/Q282453","display_name":"Support vector machine","level":2,"score":0.30140000581741333},{"id":"https://openalex.org/C157486923","wikidata":"https://www.wikidata.org/wiki/Q1376436","display_name":"String (physics)","level":2,"score":0.3010999858379364},{"id":"https://openalex.org/C11192451","wikidata":"https://www.wikidata.org/wiki/Q2032038","display_name":"Stylometry","level":2,"score":0.290800005197525},{"id":"https://openalex.org/C113174947","wikidata":"https://www.wikidata.org/wiki/Q2859736","display_name":"Tree (set theory)","level":2,"score":0.28859999775886536},{"id":"https://openalex.org/C2779818221","wikidata":"https://www.wikidata.org/wiki/Q837330","display_name":"Bytecode","level":3,"score":0.2806999981403351},{"id":"https://openalex.org/C2776633304","wikidata":"https://www.wikidata.org/wiki/Q6038026","display_name":"Insider threat","level":3,"score":0.2793000042438507},{"id":"https://openalex.org/C42023084","wikidata":"https://www.wikidata.org/wiki/Q5249231","display_name":"Decision boundary","level":3,"score":0.26179999113082886},{"id":"https://openalex.org/C111065885","wikidata":"https://www.wikidata.org/wiki/Q1189053","display_name":"Fuzz testing","level":3,"score":0.2606000006198883},{"id":"https://openalex.org/C60777511","wikidata":"https://www.wikidata.org/wiki/Q3045002","display_name":"Concept drift","level":3,"score":0.25780001282691956},{"id":"https://openalex.org/C195324797","wikidata":"https://www.wikidata.org/wiki/Q33742","display_name":"Natural language","level":2,"score":0.25780001282691956}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2605.00297","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.00297","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2605.00297","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2605.00297","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[{"score":0.7067066431045532,"id":"https://metadata.un.org/sdg/16","display_name":"Peace, Justice and strong institutions"}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Traditionally,":[0],"machine":[1],"learning":[2,166],"methods":[3,149,167],"for":[4],"PE":[5,19],"malware":[6,67,77],"detection":[7,68,78,93,134],"have":[8],"relied":[9],"on":[10,81],"static":[11,130,151],"features":[12,28],"like":[13],"byte":[14],"histograms,":[15],"string":[16],"information,":[17],"and":[18,60,136,157],"header":[20],"contents.":[21],"One":[22],"barrier":[23],"to":[24,54,74,103,161],"incorporating":[25],"dynamic":[26],"analysis":[27,139],"has":[29],"been":[30],"the":[31,42],"semi-structured":[32],"nature":[33],"of":[34,45,65,86,140],"sandbox":[35,141],"behavior":[36,58],"reports.":[37],"We":[38,89],"show":[39],"that,":[40],"using":[41,150],"latest":[43],"generation":[44],"large":[46],"language":[47],"models":[48],"with":[49],"reasoning,":[50],"it":[51],"is":[52,158],"possible":[53],"efficiently":[55],"process":[56],"these":[57,92],"reports":[59,142],"utilize":[61],"them":[62],"as":[63,159,164],"part":[64],"a":[66,82,120,124],"pipeline.":[69],"Specifically,":[70],"we":[71,117],"leverage":[72],"LLMs":[73],"generate":[75],"behavior-based":[76,133,154],"rules":[79,155],"based":[80],"small":[83],"training":[84],"set":[85],"labeled":[87],"malware.":[88],"find":[90],"that":[91],"rules,":[94,135],"derived":[95],"from":[96],"behavioral":[97],"features,":[98,131,152],"are":[99],"much":[100],"more":[101],"robust":[102],"concept":[104,162],"drift":[105,163],"than":[106],"standard":[107,148],"static-feature":[108],"methods,":[109],"while":[110],"maintaining":[111],"practical":[112],"false":[113],"positive":[114],"rates.":[115],"Finally,":[116],"introduce":[118],"Trident,":[119],"system":[121],"which":[122],"combines":[123],"classic":[125],"decision":[126],"tree":[127],"model":[128],"over":[129],"our":[132],"direct":[137],"LLM":[138],"through":[143],"majority":[144],"voting.":[145],"Trident":[146],"outperforms":[147,153],"alone,":[156],"resilient":[160],"active":[165],"without":[168],"requiring":[169],"retraining.":[170]},"counts_by_year":[],"updated_date":"2026-05-05T06:12:25.323381","created_date":"2026-05-05T00:00:00"}