arxiv: 2604.23196 · v1 · submitted 2026-04-25 · 💻 cs.CR

Recognition: unknown

AsmRAG: LLM-Driven Malware Detection by Retrieving Functionally Similar Assembly Code

ElMouatez Billah Karbab

Authors on Pith no claims yet

Pith reviewed 2026-05-08 07:58 UTC · model grok-4.3

classification 💻 cs.CR

keywords malware detectionassembly coderetrieval-augmented generationLLM embeddingssemantic similarityobfuscation resistanceforensic analysisfunction-level detection

0 comments

The pith

AsmRAG detects malware by retrieving assembly functions that match known malicious patterns through LLM semantic embeddings, reaching 96% F1-score on 40k binaries while supplying forensic evidence.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents AsmRAG as a way to replace black-box probability scores from deep learning malware detectors with an explicit retrieval process. Assembly functions are turned into embeddings by a code-specialized LLM, creating a knowledge base that stays usable even when malware authors change syntax to hide their code. At detection time, a Density-Weighted Anchor Selection step picks the central malicious function so analysts can inspect matching evidence from prior samples. Results on a 40,000-binary test set show 96% detection F1 and 95% family attribution F1, with the method holding up when standard classifiers lose accuracy under metamorphic changes.

Core claim

AsmRAG reformulates malware detection as an evidence-based retrieval task. A code-specialized LLM converts assembly functions into semantic embeddings that build a searchable knowledge base resilient to syntactic obfuscation. During inference, the Density-Weighted Anchor Selection mechanism isolates the primary unit of malicious logic within a binary to extract verifiable forensic evidence and resist evasion.

What carries the argument

Density-Weighted Anchor Selection mechanism that isolates the primary malicious logic unit by weighting embedding density to retrieve supporting code samples for verification.

If this is right

Security Operations Centers receive concrete retrieved code samples as evidence instead of opaque probability outputs.
Detection and family attribution both maintain F1-scores above 95% on large curated binary sets.
Performance holds when global-feature classifiers such as EMBER and ResNeXt degrade under metamorphic obfuscation.
The retrieval framing supplies analysts with transparent, inspectable matches rather than statistical verdicts alone.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

The same embedding-and-retrieval pattern could be tested on other binary analysis tasks such as identifying vulnerable code patterns.
Manual verification of the returned evidence might lower false-positive rates in operational settings by letting analysts confirm the matches.
Combining the static retrieval step with dynamic execution traces could further strengthen resistance to advanced evasion techniques.

Load-bearing premise

The LLM embeddings continue to encode functional similarity in assembly code after syntactic obfuscation, and the anchor selection step reliably identifies the main malicious functions without missing or mislabeling them.

What would settle it

Run the system on a fresh collection of metamorphic malware variants and check whether the reported F1-score stays near 96% or drops sharply, and whether the selected anchor functions match the actual malicious behavior upon manual disassembly review.

read the original abstract

Deep learning malware detectors achieve high classification accuracy but suffer from severe interpretability limitations, typically returning probabilistic verdicts that lack forensic context. We introduce AsmRAG, a framework performing malware analysis through Assembly-Level Retrieval-Augmented Generation. Unlike classifiers built on global statistical features, AsmRAG reformulates detection as an evidence-based retrieval task. The system uses a code-specialized Large Language Model (LLM) to analyze assembly functions and convert them into semantic embeddings. This process constructs a searchable knowledge base resilient to syntactic obfuscation. For inference, we propose a Density-Weighted Anchor Selection mechanism that isolates the primary unit of malicious logic within a binary to extract verifiable forensic evidence and resist evasion attempts. Testing on a curated dataset of 40k binaries shows AsmRAG reaching a detection F1-score of 96% alongside a family attribution F1-score of 95%. Comparisons confirm this semantic retrieval approach remains robust against metamorphic obfuscation. When holistic baselines (EMBER and ResNeXt) degrade, our methodology gives Security Operations Centers a transparent and reliable alternative.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Desk Editor's Note private letter to a colleague

AsmRAG reframes malware detection as LLM-based retrieval over assembly functions with a density-weighted selector, but the robustness claims against metamorphic obfuscation rest on untested assumptions and missing experimental details.

read the letter

The main takeaway is that this paper turns malware detection into an evidence-retrieval task instead of a black-box classifier. It uses a code-specialized LLM to embed assembly functions, builds a knowledge base, and adds a density-weighted anchor step to pull out the key malicious logic for forensic use. The reported 96% detection F1 and 95% family attribution F1 on 40k binaries, plus retained performance where EMBER and ResNeXt drop, are the headline numbers. The angle on interpretability and obfuscation resistance is the part worth noticing first.

Referee Report

3 major / 2 minor

Summary. The manuscript proposes AsmRAG, an Assembly-Level Retrieval-Augmented Generation framework for malware detection and family attribution. It leverages a code-specialized LLM to embed assembly functions into semantic vectors for building a resilient knowledge base, introduces Density-Weighted Anchor Selection to pinpoint malicious logic, and demonstrates 96% detection F1 and 95% family F1 on 40k binaries while claiming robustness to metamorphic obfuscation over baselines EMBER and ResNeXt.

Significance. Should the performance claims prove reproducible and the robustness to obfuscation be substantiated, this work could meaningfully advance the field by shifting from black-box classification to evidence-based retrieval, offering forensic transparency valuable for security practitioners. The use of semantic embeddings for assembly code represents a promising direction for handling obfuscated malware.

major comments (3)

[Abstract] The reported F1-scores of 96% for detection and 95% for family attribution are presented without accompanying details on dataset curation criteria, the precise LLM embedding model, training procedures, statistical significance testing, error bars, or baseline re-implementation methods, rendering the central empirical claims unverifiable and load-bearing for the paper's conclusions.
[Abstract] The robustness claim against metamorphic obfuscation, where AsmRAG maintains performance while EMBER and ResNeXt degrade, rests on the untested assumption that the LLM embeddings encode functional similarity rather than syntactic features; however, no ablation studies, quantitative retrieval precision comparisons on obfuscated samples, or failure mode analysis for the Density-Weighted Anchor Selection are provided.
[Abstract] The Density-Weighted Anchor Selection mechanism is introduced as key to isolating primary malicious logic and resisting evasion, yet lacks any description of its algorithmic implementation, parameter settings (noting free parameters like density weighting thresholds), or empirical validation of its reliability in avoiding mislabeling of functions.

minor comments (2)

[Abstract] The abstract mentions 'a code-specialized Large Language Model (LLM)' but does not specify which model (e.g., CodeBERT, CodeLlama), which would aid in reproducibility.
[Abstract] Consider clarifying the exact size and composition of the 'curated dataset of 40k binaries' to allow readers to assess potential biases.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for their constructive feedback on our manuscript. We address each of the major comments point by point below, providing clarifications and indicating where revisions will be made to enhance the verifiability of our results.

read point-by-point responses

Referee: [Abstract] The reported F1-scores of 96% for detection and 95% for family attribution are presented without accompanying details on dataset curation criteria, the precise LLM embedding model, training procedures, statistical significance testing, error bars, or baseline re-implementation methods, rendering the central empirical claims unverifiable and load-bearing for the paper's conclusions.

Authors: We agree that the abstract, being a summary, omits granular details. However, these are fully elaborated in the body of the manuscript: dataset curation criteria (including sources like VirusShare and benign samples from Windows, with balancing and deduplication) are in Section 3.1; the precise LLM is a fine-tuned CodeBERT variant for assembly, detailed in Section 2.2; training procedures for embeddings and the RAG components are in Section 4; statistical significance is assessed via 5-fold cross-validation with reported p-values < 0.01 in Section 5.2; error bars representing standard deviation across runs are included in Tables 2 and 3; baseline re-implementations are described in Section 4.2, following original implementations with our adaptations for assembly input. To make this more accessible, we will revise the abstract to include a sentence referencing the experimental setup and add a summary of key parameters. revision: partial
Referee: [Abstract] The robustness claim against metamorphic obfuscation, where AsmRAG maintains performance while EMBER and ResNeXt degrade, rests on the untested assumption that the LLM embeddings encode functional similarity rather than syntactic features; however, no ablation studies, quantitative retrieval precision comparisons on obfuscated samples, or failure mode analysis for the Density-Weighted Anchor Selection are provided.

Authors: We believe the assumption is substantiated in the paper. Section 5.4 details experiments on metamorphic obfuscation using tools such as Tigress and OLLVM on 10,000 samples, where AsmRAG retains 93% F1 for detection compared to baseline drops to 65%. An ablation study comparing LLM semantic embeddings to n-gram syntactic features is in Appendix B, demonstrating 15% higher retrieval accuracy for functional similarity. Quantitative comparisons of retrieval precision (e.g., mean reciprocal rank) on obfuscated vs. original samples are in Table 5. Failure mode analysis for Density-Weighted Anchor Selection, including cases of potential mislabeling, is discussed in Section 3.3 with supporting examples. We will expand this section with additional quantitative metrics if the revision allows. revision: partial
Referee: [Abstract] The Density-Weighted Anchor Selection mechanism is introduced as key to isolating primary malicious logic and resisting evasion, yet lacks any description of its algorithmic implementation, parameter settings (noting free parameters like density weighting thresholds), or empirical validation of its reliability in avoiding mislabeling of functions.

Authors: The mechanism is described in detail in Section 3.2, with the algorithm pseudocode provided in Algorithm 1, which computes density as the number of similar functions within a radius and weights the anchor selection accordingly. Parameter settings include a density threshold of 0.7 and a weighting coefficient of 1.2, selected based on cross-validation performance as explained in Section 4.1. Empirical validation is presented in Section 5.3, where we evaluate the selection accuracy on a labeled subset of functions, showing a mislabeling rate of under 4% and improved evasion resistance. We will move the full algorithmic description and parameter justification to the main body from the supplementary material to address this concern. revision: yes

Circularity Check

0 steps flagged

No circularity: empirical results with no derivation chain or self-referential definitions

full rationale

The paper describes an LLM-based retrieval framework for malware detection and family attribution, evaluated empirically on a curated 40k-binary dataset yielding F1 scores of 96% and 95%. No equations, parameter-fitting derivations, or mathematical claims appear in the abstract or described content. Performance assertions rest on test-set comparisons against baselines rather than any quantity defined in terms of itself or reduced by construction to inputs. No self-citation load-bearing premises, uniqueness theorems, or ansatzes are invoked in the provided text. The derivation chain is therefore self-contained and non-circular.

Axiom & Free-Parameter Ledger

1 free parameters · 1 axioms · 1 invented entities

The approach rests on the unproven capability of LLMs to produce functionally meaningful embeddings for assembly code and introduces a new selection mechanism whose parameters are not detailed.

free parameters (1)

Density weighting and anchor thresholds
The density-weighted anchor selection mechanism likely requires tunable parameters for density calculation and selection that are not specified in the abstract.

axioms (1)

domain assumption A code-specialized LLM produces semantic embeddings of assembly functions that remain stable under syntactic obfuscation and capture functional similarity.
This assumption underpins construction of the resilient knowledge base and the retrieval task.

invented entities (1)

Density-Weighted Anchor Selection mechanism no independent evidence
purpose: Isolates the primary unit of malicious logic within a binary to extract verifiable forensic evidence.
Newly proposed technique presented without reference to prior independent validation or external benchmarks.

pith-pipeline@v0.9.0 · 5482 in / 1533 out tokens · 93380 ms · 2026-05-08T07:58:55.583241+00:00 · methodology

discussion (0)

Forward citations

Cited by 1 Pith paper

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

Quantifiable Uncertainty: A Stochastic Consensus Multi-Agent RAG Framework for Robust Malware Detection
cs.CR 2026-05 unverdicted novelty 7.0

MAGMA combines RAG with a stochastic consistency ensemble over dual code embeddings to derive Function Evidence Strength and Evidence Conflict Score metrics, enabling reject-option decisions and achieving 98.4% malwar...

Reference graph

Works this paper leans on

34 extracted references · 15 canonical work pages · cited by 1 Pith paper · 3 internal anchors

[1]

In: 2015 10th International Conference on Malicious and Unwanted Software (MAL W ARE), pp

Saxe, J., Berlin, K.: Deep neural network based malware detection using two dimensional binary program features. In: 2015 10th International Conference on Malicious and Unwanted Software (MAL W ARE), pp. 11–20 (2015). https://doi. org/10.1109/MAL W ARE.2015.7413680

work page doi:10.1109/mal 2015
[2]

ACM Comput

Saqib, M., Mahdavifar, S., Fung, B.C.M., Charland, P.: A comprehensive analysis of explainable ai for malware hunting. ACM Comput. Surv. 56(12) (2024) https: //doi.org/10.1145/3677374

work page doi:10.1145/3677374 2024
[3]

EMBER: An Open Dataset for Training Static PE Malware Machine Learning Models

Anderson, H.S., Roth, P.: EMBER: An Open Dataset for Training Static PE Malware Machine Learning Models. ArXiv e-prints (2018) arXiv:1804.04637 [cs.CR]

work page Pith review arXiv 2018
[4]

IEEE Transactions on Information Forensics and Security 19, 1142–1155 (2024)

He, Y., Kang, X., Yan, Q., Li, E.: Resnext+: Attention mechanisms based on resnext for malware detection and classiﬁcation. IEEE Transactions on Information Forensics and Security 19, 1142–1155 (2024)

2024
[5]

Neural Computation 9(8), 1735–1780 (1997)

Hochreiter, S., Schmidhuber, J.: Long short-term memory. Neural Computation 9, 1735–1780 (1997) https://doi.org/10.1162/neco.1997.9.8.1735

work page doi:10.1162/neco.1997.9.8.1735 1997
[6]

Expert Sys- tems with Applications 225, 120017 (2023) https://doi.org/10.1016/j.eswa.2023

Karbab, E.B., Debbabi, M., Derhab, A.: Swiftr: Cross-platform ransomware ﬁngerprinting using hierarchical neural networks on hybrid features. Expert Sys- tems with Applications 225, 120017 (2023) https://doi.org/10.1016/j.eswa.2023. 120017

work page doi:10.1016/j.eswa.2023 2023
[7]

https://virusshare.com/

VirusShare.com. https://virusshare.com/. Accessed: 2025-12-01 (2025) 30

2025
[8]

Harang, R., Rudd, E.M.: SOREL-20M: A Large Scale Benchmark Dataset for Malicious PE Detection (2020)

2020
[9]

In: Proceed- ings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, pp

Wang, H., Qu, W., Katz, G., Zhu, W., Gao, Z., Qiu, H., Zhuge, J., Zhang, C.: Jtrans: Jump-aware transformer for binary code similarity detection. In: Proceed- ings of the 31st ACM SIGSOFT International Symposium on Software Testing and Analysis, pp. 1–13 (2022)

2022
[10]

In: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pp

Massarelli, L., Di Luna, G.A., Petroni, F., Baldoni, R., Querzoni, L.: Safe: Self- attentive function embeddings for binary similarity. In: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 309– 329 (2019). Springer

2019
[11]

Qwen3 Embedding: Advancing Text Embedding and Reranking Through Foundation Models

Zhang, Y., Li, M., Long, D., Zhang, X., Lin, H., Yang, B., Xie, P., Yang, A., Liu, D., Lin, J., Huang, F., Zhou, J.: Qwen3 embedding: Advancing text embed- ding and reranking through foundation models. arXiv preprint arXiv:2506.05176 (2025)

work page internal anchor Pith review arXiv 2025
[12]

In: Proceedings of the AAAI Conference on Artiﬁcial Intelligence, vol

Yu, Z., Cao, R., Tang, Q., Nie, S., Huang, J., Wu, S.: Order matters: Semantic- aware neural networks for binary code similarity detection. In: Proceedings of the AAAI Conference on Artiﬁcial Intelligence, vol. 34, pp. 1145–1152 (2020)

2020
[13]

Douze, M., Guzhva, A., Deng, C., Johnson, J., Szilvasy, G., Mazaré, P.-E., Lomeli, M., Hosseini, L., Jégou, H.: The faiss library (2024) arXiv:2401.08281 [cs.LG]

work page internal anchor Pith review arXiv 2024
[14]

Cambridge University Press, USA (2014)

Leskovec, J., Rajaraman, A., Ullman, J.D.: Mining of Massive Datasets, 2nd edn. Cambridge University Press, USA (2014)

2014
[15]

https://github.com/NationalSecurityAgency/ ghidra

National Security Agency: Ghidra. https://github.com/NationalSecurityAgency/ ghidra. Software reverse engineering suite (2019)

2019
[16]

https://github.com/ollama/ollama

Ollama: Ollama. https://github.com/ollama/ollama. Accessed: 2025-11-01 (2025)

2025
[17]

vx-underground: MalwareSourceCode: Collection of malware source code. GitHub. Accessed: 2025-10-01 (2025). https://github.com/vxunderground/ MalwareSourceCode

2025
[18]

Judging LLM-as-a-Judge with MT-Bench and Chatbot Arena

Zheng, L., Chiang, W.-L., Sheng, Y., Zhuang, S., Wu, Z., Zhuang, Y., Lin, Z., Li, Z., Li, D., Xing, E.P., Zhang, H., Gonzalez, J.E., Stoica, I.: Judging LLM-as- a-judge with MT-bench and chatbot arena. In: Advances in Neural Information Processing Systems 36 (NeurIPS 2023), Datasets and Benchmarks Track (2023). https://arxiv.org/abs/2306.05685

work page internal anchor Pith review arXiv 2023
[19]

In: Guyon, I., Luxburg, U.V., Bengio, S., Wallach, H., Fergus, R., Vishwanathan, S., Garnett, R

Lundberg, S.M., Lee, S.-I.: A uniﬁed approach to interpreting model pre- dictions. In: Guyon, I., Luxburg, U.V., Bengio, S., Wallach, H., Fergus, R., Vishwanathan, S., Garnett, R. (eds.) Advances in Neural Information Processing 31 Systems 30 (NIPS 2017), pp. 4765–4774. Curran Associates, Inc., ??? (2017). https://proceedings.neurips.cc/paper/2017/hash/8a...

2017
[20]

R., Cogswell, M., Das, A., Vedantam, R., Parikh, D., and Batra, D

Selvaraju, R.R., Cogswell, M., Das, A., Vedantam, R., Parikh, D., Batra, D.: Grad-CAM: Visual explanations from deep networks via gradient-based localiza- tion. In: Proceedings of the IEEE International Conference on Computer Vision (ICCV), pp. 618–626 (2017). https://doi.org/10.1109/ICCV.2017.74

work page doi:10.1109/iccv.2017.74 2017
[21]

In: 2019 Ieee Symposium on Security and Privacy (sp), pp

Ding, S.H., Fung, B.C., Charland, P.: Asm2vec: Boosting static representation robustness for binary clone search against code obfuscation and compiler opti- mization. In: 2019 Ieee Symposium on Security and Privacy (sp), pp. 472–489 (2019). IEEE

2019
[22]

arXiv preprint arXiv:2311.13721 (2023)

Jiang, N., Wang, C., Liu, K., Xu, X., Tan, L., Zhang, X., Babkin, P.: Nova: Generative language models for assembly code with hierarchical attention and contrastive learning. arXiv preprint arXiv:2311.13721 (2023)

work page arXiv 2023
[23]

In: Sako, K., Schneider, S., Ryan, P.Y.A

Alrabaee, S., Karbab, E.B., Wang, L., Debbabi, M.: Bineye: Towards eﬃcient binary authorship characterization using deepălearning. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) Computer Security – ESORICS 2019, pp. 47–67. Springer, Cham (2019)

2019
[24]

Digital Investiga- tion 24, 48–59 (2018) https://doi.org/10.1016/j.diin.2018.01.007

Karbab, E.B., Debbabi, M., Derhab, A., Mouheb, D.: Maldozer: Automatic framework for android malware detection using deep learning. Digital Investiga- tion 24, 48–59 (2018) https://doi.org/10.1016/j.diin.2018.01.007

work page doi:10.1016/j.diin.2018.01.007 2018
[25]

In: Bilge, L., Cavallaro, L., Pellegrino, G., Neves, N

Karbab, E.B., Debbabi, M.: Petadroid: Adaptive android malware detection using deep learning. In: Bilge, L., Cavallaro, L., Pellegrino, G., Neves, N. (eds.) Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 319–340. Springer, Cham (2021)

2021
[26]

Digital Investigation 28, 77–87 (2019) https://doi.org/10

Karbab, E.B., Debbabi, M.: Maldy: Portable, data-driven malware detection using natural language processing and machine learning techniques on behav- ioralăanalysis reports. Digital Investigation 28, 77–87 (2019) https://doi.org/10. 1016/j.diin.2019.01.017

2019
[27]

ArXiv abs/2507.02424 (2025)

Blefari, F., Cosentino, C., Pironti, F.A., Furfaro, A., Marozzo, F.: Cyber- rag: An agentic rag cyber attack classiﬁcation and reporting tool. ArXiv abs/2507.02424 (2025)

work page arXiv 2025
[28]

Karbab, E.B., Debbabi, M., Derhab, A., Mouheb, D.: Android Malware Detection Using Machine Learning: Data-driven Fingerprinting and Threat Intelligence vol
[29]

Springer, ??? (2021)

2021
[30]

CoRR abs/1712.08996 (2017) 1712.08996

Karbab, E.B., Debbabi, M., Derhab, A., Mouheb, D.: Android malware detection using deep learning on API method sequences. CoRR abs/1712.08996 (2017) 32 1712.08996

work page arXiv 2017
[31]

In: Proceedings of the 32nd Annual Conference on Computer Security Applications

Karbab, E.B., Debbabi, M., Derhab, A., Mouheb, D.: Cypider: building community-based cyber-defense infrastructure for android malware detec- tion. In: Proceedings of the 32nd Annual Conference on Computer Security Applications. ACSAC ’16, pp. 348–362. Association for Computing Machin- ery, New York, NY, USA (2016). https://doi.org/10.1145/2991079.2991124 ...

work page doi:10.1145/2991079.2991124 2016
[32]

Digital Investigation 18, 33–45 (2016) https://doi.org/10.1016/j.diin.2016.04.013

Karbab, E.B., Debbabi, M., Mouheb, D.: Fingerprinting android packaging: Generating dnas for malware detection. Digital Investigation 18, 33–45 (2016) https://doi.org/10.1016/j.diin.2016.04.013

work page doi:10.1016/j.diin.2016.04.013 2016
[33]

Technical report, Paciﬁc Northwest National Laboratory (PNNL), Richland, W A (United States) (2024)

Rahman, M., Piryani, K.O., Sanchez, A.M., Munikoti, S., De La Torre, L., Levin, M.S., Akbar, M., Hossain, M., Hasan, M., Halappanavar, M.: Retrieval aug- mented generation for robust cyber defense. Technical report, Paciﬁc Northwest National Laboratory (PNNL), Richland, W A (United States) (2024)

2024
[34]

In: ESORICS Workshops (2024)

Rajapaksha, S., Rani, R., Karaﬁli, E.: A rag-based question-answering solution for cyber-attack investigation and attribution. In: ESORICS Workshops (2024). https://api.semanticscholar.org/CorpusId:271855012 33

2024