{"bundle_type":"pith_open_graph_bundle","bundle_version":"1.0","pith_number":"pith:2026:QUUVRVNUG4GZNOPJT3YITYTG5Y","short_pith_number":"pith:QUUVRVNU","canonical_record":{"source":{"id":"2605.21821","kind":"arxiv","version":1},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2026-05-20T23:43:02Z","cross_cats_sorted":[],"title_canon_sha256":"9c557bf9b301a97538f3ae46cecb46e0c03233275f147c098207db5ea360cdad","abstract_canon_sha256":"b8a5f662fa42495f929b8061db56afbbef339b7cff7c6f18a910f41f330f1bf5"},"schema_version":"1.0"},"canonical_sha256":"852958d5b4370d96b9e99ef089e266ee3193cc93d221dd8ca28315e769893aa3","source":{"kind":"arxiv","id":"2605.21821","version":1},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2605.21821","created_at":"2026-05-22T01:04:09Z"},{"alias_kind":"arxiv_version","alias_value":"2605.21821v1","created_at":"2026-05-22T01:04:09Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2605.21821","created_at":"2026-05-22T01:04:09Z"},{"alias_kind":"pith_short_12","alias_value":"QUUVRVNUG4GZ","created_at":"2026-05-22T01:04:09Z"},{"alias_kind":"pith_short_16","alias_value":"QUUVRVNUG4GZNOPJ","created_at":"2026-05-22T01:04:09Z"},{"alias_kind":"pith_short_8","alias_value":"QUUVRVNU","created_at":"2026-05-22T01:04:09Z"}],"events":[{"event_type":"record_created","subject_pith_number":"pith:2026:QUUVRVNUG4GZNOPJT3YITYTG5Y","target":"record","payload":{"canonical_record":{"source":{"id":"2605.21821","kind":"arxiv","version":1},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2026-05-20T23:43:02Z","cross_cats_sorted":[],"title_canon_sha256":"9c557bf9b301a97538f3ae46cecb46e0c03233275f147c098207db5ea360cdad","abstract_canon_sha256":"b8a5f662fa42495f929b8061db56afbbef339b7cff7c6f18a910f41f330f1bf5"},"schema_version":"1.0"},"canonical_sha256":"852958d5b4370d96b9e99ef089e266ee3193cc93d221dd8ca28315e769893aa3","receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-22T01:04:09.435547Z","signature_b64":"GZWp5AroxWeg8oxyEzfhHjEZomKOz0HHVPXEm2fopI9sPZP3+F8/Qtbf41HlS5RZWLEU4iOLAnJ3tLmr8HmbDQ==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"852958d5b4370d96b9e99ef089e266ee3193cc93d221dd8ca28315e769893aa3","last_reissued_at":"2026-05-22T01:04:09.434769Z","signature_status":"signed_v1","first_computed_at":"2026-05-22T01:04:09.434769Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"source_kind":"arxiv","source_id":"2605.21821","source_version":1,"attestation_state":"computed"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-22T01:04:09Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"OimuGf5gFGfxUi1i2pf/84gOwPNgYQ1oOGoX83RpSIrvsHpKZBGNd9edoHtZxl1eL/fNk7F9G3EtjINiJf7QAA==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-05-25T02:47:28.151914Z"},"content_sha256":"ddf3c3c0c9566ed43e4c9bb768bf31204b9273f12de89994db5fcb543084075c","schema_version":"1.0","event_id":"sha256:ddf3c3c0c9566ed43e4c9bb768bf31204b9273f12de89994db5fcb543084075c"},{"event_type":"graph_snapshot","subject_pith_number":"pith:2026:QUUVRVNUG4GZNOPJT3YITYTG5Y","target":"graph","payload":{"graph_snapshot":{"paper":{"title":"A Large Language Model Approach to Generating Bypass Rules for Malware Evasion in Analysis Sandbox","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"","cross_cats":[],"primary_cat":"cs.CR","authors_text":"Aisha Ali-Gombe, Justin Woodring, Lamine Noureddine, Mst Eshita Khatun, Sideeq Bello, Zhiyong Sui","submitted_at":"2026-05-20T23:43:02Z","abstract_excerpt":"Sandbox evasion remains a critical challenge for automated malware analysis, as modern malware employs environment checks to detect analysis platforms and suppress malicious behavior. Existing approaches rely on manually crafted bypass rules that require deep reverse engineering of each evasion mechanism -an approach that cannot scale against rapidly evolving evasion techniques. In this paper, we leverage large language models (LLMs) to automatically generate YARA rules that bypass evasion checks in sandbox environments. We propose ABLE, which analyzes execution traces from malware terminated "},"claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2605.21821","kind":"arxiv","version":1},"verdict":{"id":null,"model_set":{},"created_at":null,"strongest_claim":"","one_line_summary":"","pipeline_version":null,"weakest_assumption":"","pith_extraction_headline":""},"integrity":{"clean":true,"summary":{"advisory":0,"critical":0,"by_detector":{},"informational":0},"endpoint":"/pith/2605.21821/integrity.json","findings":[],"available":true,"detectors_run":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938"},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"verdict_id":null},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-22T01:04:09Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"p50FulPBAiRMtLsphXZpoSZdlA0qeRh8IETQwIWI8p3nxYbJqvQpdBWXLUd8xD8EIoM41fBIJ+u8dYi9DvcDCg==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-05-25T02:47:28.152706Z"},"content_sha256":"181f766c739ad63888e1f7f9ba2f04a948dde8b8e3126662eff41d68b9d37e63","schema_version":"1.0","event_id":"sha256:181f766c739ad63888e1f7f9ba2f04a948dde8b8e3126662eff41d68b9d37e63"}],"timestamp_proofs":[],"mirror_hints":[{"mirror_type":"https","name":"Pith Resolver","base_url":"https://pith.science","bundle_url":"https://pith.science/pith/QUUVRVNUG4GZNOPJT3YITYTG5Y/bundle.json","state_url":"https://pith.science/pith/QUUVRVNUG4GZNOPJT3YITYTG5Y/state.json","well_known_bundle_url":"https://pith.science/.well-known/pith/QUUVRVNUG4GZNOPJT3YITYTG5Y/bundle.json","status":"primary"}],"public_keys":[{"key_id":"pith-v1-2026-05","algorithm":"ed25519","format":"raw","public_key_b64":"stVStoiQhXFxp4s2pdzPNoqVNBMojDU/fJ2db5S3CbM=","public_key_hex":"b2d552b68890857171a78b36a5dccf368a953413288c353f7c9d9d6f94b709b3","fingerprint_sha256_b32_first128bits":"RVFV5Z2OI2J3ZUO7ERDEBCYNKS","fingerprint_sha256_hex":"8d4b5ee74e4693bcd1df2446408b0d54","rotates_at":null,"url":"https://pith.science/pith-signing-key.json","notes":"Pith uses this Ed25519 key to sign canonical record SHA-256 digests. Verify with: ed25519_verify(public_key, message=canonical_sha256_bytes, signature=base64decode(signature_b64))."}],"merge_version":"pith-open-graph-merge-v1","built_at":"2026-05-25T02:47:28Z","links":{"resolver":"https://pith.science/pith/QUUVRVNUG4GZNOPJT3YITYTG5Y","bundle":"https://pith.science/pith/QUUVRVNUG4GZNOPJT3YITYTG5Y/bundle.json","state":"https://pith.science/pith/QUUVRVNUG4GZNOPJT3YITYTG5Y/state.json","well_known_bundle":"https://pith.science/.well-known/pith/QUUVRVNUG4GZNOPJT3YITYTG5Y/bundle.json"},"state":{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2026:QUUVRVNUG4GZNOPJT3YITYTG5Y","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"b8a5f662fa42495f929b8061db56afbbef339b7cff7c6f18a910f41f330f1bf5","cross_cats_sorted":[],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2026-05-20T23:43:02Z","title_canon_sha256":"9c557bf9b301a97538f3ae46cecb46e0c03233275f147c098207db5ea360cdad"},"schema_version":"1.0","source":{"id":"2605.21821","kind":"arxiv","version":1}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2605.21821","created_at":"2026-05-22T01:04:09Z"},{"alias_kind":"arxiv_version","alias_value":"2605.21821v1","created_at":"2026-05-22T01:04:09Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2605.21821","created_at":"2026-05-22T01:04:09Z"},{"alias_kind":"pith_short_12","alias_value":"QUUVRVNUG4GZ","created_at":"2026-05-22T01:04:09Z"},{"alias_kind":"pith_short_16","alias_value":"QUUVRVNUG4GZNOPJ","created_at":"2026-05-22T01:04:09Z"},{"alias_kind":"pith_short_8","alias_value":"QUUVRVNU","created_at":"2026-05-22T01:04:09Z"}],"graph_snapshots":[{"event_id":"sha256:181f766c739ad63888e1f7f9ba2f04a948dde8b8e3126662eff41d68b9d37e63","target":"graph","created_at":"2026-05-22T01:04:09Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":0,"items":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"integrity":{"available":true,"clean":true,"detectors_run":[],"endpoint":"/pith/2605.21821/integrity.json","findings":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938","summary":{"advisory":0,"by_detector":{},"critical":0,"informational":0}},"paper":{"abstract_excerpt":"Sandbox evasion remains a critical challenge for automated malware analysis, as modern malware employs environment checks to detect analysis platforms and suppress malicious behavior. Existing approaches rely on manually crafted bypass rules that require deep reverse engineering of each evasion mechanism -an approach that cannot scale against rapidly evolving evasion techniques. In this paper, we leverage large language models (LLMs) to automatically generate YARA rules that bypass evasion checks in sandbox environments. We propose ABLE, which analyzes execution traces from malware terminated ","authors_text":"Aisha Ali-Gombe, Justin Woodring, Lamine Noureddine, Mst Eshita Khatun, Sideeq Bello, Zhiyong Sui","cross_cats":[],"headline":"","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2026-05-20T23:43:02Z","title":"A Large Language Model Approach to Generating Bypass Rules for Malware Evasion in Analysis Sandbox"},"references":{"count":0,"internal_anchors":0,"resolved_work":0,"sample":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2605.21821","kind":"arxiv","version":1},"verdict":{"created_at":null,"id":null,"model_set":{},"one_line_summary":"","pipeline_version":null,"pith_extraction_headline":"","strongest_claim":"","weakest_assumption":""}},"verdict_id":null}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:ddf3c3c0c9566ed43e4c9bb768bf31204b9273f12de89994db5fcb543084075c","target":"record","created_at":"2026-05-22T01:04:09Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"b8a5f662fa42495f929b8061db56afbbef339b7cff7c6f18a910f41f330f1bf5","cross_cats_sorted":[],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2026-05-20T23:43:02Z","title_canon_sha256":"9c557bf9b301a97538f3ae46cecb46e0c03233275f147c098207db5ea360cdad"},"schema_version":"1.0","source":{"id":"2605.21821","kind":"arxiv","version":1}},"canonical_sha256":"852958d5b4370d96b9e99ef089e266ee3193cc93d221dd8ca28315e769893aa3","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"852958d5b4370d96b9e99ef089e266ee3193cc93d221dd8ca28315e769893aa3","first_computed_at":"2026-05-22T01:04:09.434769Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-05-22T01:04:09.434769Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"GZWp5AroxWeg8oxyEzfhHjEZomKOz0HHVPXEm2fopI9sPZP3+F8/Qtbf41HlS5RZWLEU4iOLAnJ3tLmr8HmbDQ==","signature_status":"signed_v1","signed_at":"2026-05-22T01:04:09.435547Z","signed_message":"canonical_sha256_bytes"},"source_id":"2605.21821","source_kind":"arxiv","source_version":1}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:ddf3c3c0c9566ed43e4c9bb768bf31204b9273f12de89994db5fcb543084075c","sha256:181f766c739ad63888e1f7f9ba2f04a948dde8b8e3126662eff41d68b9d37e63"],"state_sha256":"601ebf7303cfbec6db91f1141f136229fb4559a71d07d0d6ca3f88fde3f5ccbb"},"bundle_signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"rH24QRzfa3hk51KbL7AILXo2/RJeReufZAVN0fxzr7NVnkRYe8Tufd7SPnvyhvoMqBREwMTQtsKnZYV4dw3eAQ==","signed_message":"bundle_sha256_bytes","signed_at":"2026-05-25T02:47:28.158753Z","bundle_sha256":"63d49a3c5b3809a5af3e1318c3d97cd946ce2608ea78448babcf150e46cc225f"}}