An experimental framework and annotated dataset show LLM-generated PowerShell malware triggers OS events with median 84.5% Jaccard overlap to real malware and 48.4% complete matches.
MalGEN: A Testbed for Modeling and Evaluating Malware Behaviors
4 Pith papers cite this work. Polarity classification is still indexing.
abstract
Modern cybersecurity requires systematic ways to evaluate how detection systems respond to evolving and previously unseen attack behaviors. Existing malware repositories largely capture known patterns and provide limited support for stress-testing defenses against novel threats. To address this, we present MalGEN, a modular testbed that models adversarial workflows and generates executable artifacts in a controlled environment. The framework decomposes high-level attack objectives into structured stages, enabling the synthesis of diverse and multi-stage behaviors. We evaluate MalGEN across 1,920 benchmark settings covering multiple platforms and behavioral objectives, resulting in 977 executable samples. Analysis shows that the generated artifacts exhibit a wide range of malicious techniques and multi-stage attack patterns. However, 45.71% of these samples remain undetected by existing detection engines, which reveals notable gaps in current defenses. These findings provide practical insights into the limitations of widely used detection approaches and support the development of more robust security evaluation and testing practices.
citation-role summary
citation-polarity summary
roles
background 1polarities
support 1representative citing papers
uGen is the first retrieval-augmented multi-agent LLM framework for generating functionally correct microarchitectural attack PoCs, reporting up to 100% success on Spectre-v1 and 80% on Prime+Probe at low cost.
A single commercial LLM can cheaply generate large populations of behaviorally equivalent yet structurally diverse malware payloads.