SaBER-LLMs: Security-aware behavior embedding representation via large language models for fine-grained malware analysis

Large language model (LLM) for software security: Code analysis, malware analysis, reverse engineering

Accelerating volatile memory forensics for bare-metal malware analysis with FPGA devices

ABSTRACT Deep learning has become foundational in modern cybersecurity solutions, particularly, in intrusion detection, malware analysis, and anomaly detection. However, its effectiveness is often constrained by the challenges of high‐dimensional feature spaces and complex hyperparameter settings. In recent years, nature‐inspired optimization techniques—such as genetic algorithms, particle swarm optimization, ant colony optimization, firefly algorithm, and differential evolution—have been increasingly explored to overcome these limitations. These algorithms offer global search capabilities, flexibility, and robustness, making them well‐suited for optimizing deep learning systems in adversarial and dynamic cyber environments. This article presents a comprehensive review of peer‐reviewed literature published between 2020 and 2024, focusing on integrating nature‐inspired optimization techniques into deep learning for cybersecurity. The review is structured around two core optimization dimensions: (i) feature selection and (ii) hyperparameter tuning. For each, we critically evaluate representative methods, discuss empirical findings across multiple application domains (e.g., IoT, ICS, Android), and highlight how these algorithms address key performance bottlenecks. This review aims to guide researchers in developing robust and adaptive deep learning models for security‐critical applications by synthesizing trends, identifying gaps, and outlining design principles. This article is categorized under: Commercial, Legal, and Ethical Issues > Security and Privacy Technologies > Machine Learning Technologies > Artificial Intelligence

The rapid growth and increasing sophistication of malware pose significant threats to modern cybersecurity systems, where traditional signature-based and static analysis techniques often fail to detect evolving and zero-day attacks. This study proposes an interactive malware analysis framework leveraging a RoBERTabased SecureBERT model to perform accurate and real-time classification of malware-related text. Diverse benchmark datasets are collected and transformed into textual representations, followed by data preprocessing, finetuning, hyperparameter tuning, data balancing, and augmentation strategies to address class imbalance and improve generalization. Additionally, synthetic data generation is incorporated to enhance the detection of rare and emerging malware patterns. The SecureBERT model is fine-tuned using Low-Rank Adaptation (LoRA), enabling efficient training with reduced computational overhead while maintaining high performance. The system integrates an interactive interface that allows real-time user input and classification, improving practical usability. Experimental results demonstrate a strong performance, achieving overall accuracy of 95.33% with high precision, recall, and F1-scores across multiple malware categories. Evaluation through confusion matrices, ROC curves, and precision-recall analysis further validates robustness of the approach. Despite its effectiveness, the model shows limitations in handling highly obfuscated real-world malware due to its reliance on textual features. The proposed framework offers a scalable, adaptive, and efficient solution for malware classification, advancing intelligent cybersecurity system.

ABSTRACT Computers interact with other systems, often with the support of fast and readily available internet services. But, during communications via computer, security is the primary concern. The malware is a threat that mostly affects computerized devices. Malware identification is a complex issue present in the internet of things (IoT) sector. Implementing a cost‐effective malware protection model to recognize high‐scale malware is significant. Conventional approaches for malware identification suffer from data loss or high‐dimensional feature sets. To combat these difficulties, this work presents a new technique for automatic malware identification by utilizing deep learning. The proposed model introduces an automatic malware detection framework under the Windows platform. At first, the application programming interfaces (API) call sequence data is collected from the available data resource. Further, the temporal features, spatial features, and statistical features are extracted from the input data that become useful information for malware samples. Then, the three sets of extracted features are subjected to the multi‐scale feature fusion‐based 1dimensional convolutional neural network (1DCNN) with a gated recurrent unit (MFF‐1DCGRU) to identify malware detection. An extensive experiment evaluates the proposed automated malware detection approach using two dataset namely malware analysis datasets: API call sequences and API‐call‐sequences. On the malware analysis datasets: API call sequences dataset, the developed model achieved an accuracy of 96.30%. Similarly, when considering the API‐call‐sequences dataset, it outperformed baseline models by achieving improvements of 7.4% over the autoencoder, 5.4% over Bi‐LSTM, 3.2% over 1DCNN, and 1.1% over GRU, respectively. Hence, the research outcome revealed that the recommended method performs better in the automatic recognition of malware in the computer system.

This project proposes a web-based automated malware analysis system designed to identify adversarial behaviors using the MITRE ATT&CK framework. The system allows users to upload suspicious malware samples through a secure web interface, which are then executed in an isolated and sandboxed Windows environment to prevent host compromise. During execution, Windows event logs and enhanced telemetry data are collected to capture detailed runtime behavior, including process creation, command execution, file and registry modifications, and network activity. These logs are processed and transformed into structured behavioral features that represent the actions performed by the malware. A machine learning–based multi-label classification approach using a binary relevance model is employed to map the extracted features to corresponding MITRE ATT&CK techniques. Independent Extreme Gradient Boosting (XGBoost) models are trained to detect the presence of individual attack techniques, enabling the identification of multiple techniques from a single malware execution. In addition, the system extracts relevant Indicators of Compromise (IOCs) such as malicious file paths, process names, and network endpoints. The proposed framework enables automated, explainable malware behavior classification and provides a systematic method for classifying malware activities based on standardized adversary techniques.

Backdoor malware represents one of the most critical threats in the Android ecosystem due to its capability to enable covert remote access, escalate privileges, and exfiltrate sensitive data without user awareness. Although the CCCS-CIC-AndMal-2020 dataset is publicly available, prior studies have not specifically formulated Backdoor detection as a binary classification problem under extreme class imbalance, nor systematically evaluated the impact of oversampling and cost-sensitive weighting using imbalance-aware performance metrics. This study proposes a comprehensive detection pipeline that integrates ensemble learning, class imbalance handling strategies, and explainability-based analysis to extract behavioral signatures of Backdoor malware. A two-stage feature selection process is employed to reduce the original 9,502-dimensional feature space to 500 informative features. Subsequently, five classification algorithms are evaluated under three imbalance-handling scenarios using a composite ranking criterion based on F1-score, Area Under the Receiver Operating Characteristic Curve (AUC), Geometric Mean (G-Mean), and Matthews Correlation Coefficient (MCC). The experimental results demonstrate that the Random Forest model combined with Synthetic Minority Oversampling Technique (SMOTE) achieves the best performance, with an F1-score of 0.9043, AUC of 0.9909, G-Mean of 0.9422, and MCC of 0.8948. Furthermore, SHAP analysis identifies 39 Android permissions related to account access, covert communication, and privilege escalation as key behavioral signatures, with the permissions feature group contributing 2.31 times higher discriminative importance than nonpermission features. These findings indicate that interpretable ensemble learning not only improves detection performance but also provides actionable insights for static malware analysis.

Abstract Malware family classification is crucial for threat detection, yet existing methods struggle with generalization, multi-task adaptability, and interpretability. We propose VIMAR, a unified vision–language model that supports classification, similarity detection, and open-world analysis via explanation-rich supervision and a two-stage training pipeline. On the Malimg dataset, VIMAR achieves 94.2% accuracy in family classification, surpassing the best CNN baseline by +3.1%. It also attains 85.2% and 88.0% accuracy in zero-shot and few-shot settings, significantly outperforming vision–language baselines. Moreover, its reasoning outputs align well with human judgments. The codebase and scripts will be released to the community.

As the use of cloud-based collaboration platforms intensifies, securing file storage, controlled access, and their inability to be tampered with needs to be considered one of the key issues. The paper offers the architecture of a multi-organization file sharing system developed with the help of React to improve the front-end, AWS Cloud Services to support the backend with scalability, Hybrid Cryptography (AES-128-GCM + RSA) to ensure the data confidentiality, and the use of Blockchain to provide the immutability of audit. The system allows the users to upload, store, share, and access files in a safe manner and they are part of various organizations. AWS Cognito is used to perform authentication and managing identities and AWS S3 offers an encrypted storage with isolation configuration per user. Malware analysis of files is performed with AWS Lambda which is connected to ClamAV before storage. AES-128-GCM is used to provide effective symmetric encryption and integrity-checking, but RSA is used to provide effective transfer of keys and controlled decryption. The blockchain is embedded to keep the logs of the key events like the login, upload, and file sharing ones tamper-proof. Compared to other existing solutions, the proposed solution has better security measures, fine-crying access control, malware management, and trusted audit trails, and this renders it appropriate in collaboration settings within an enterprise.

In this paper, we focus on the robustness of behavior-based malware analysis models, justified by the need to address the high mutation rates of malware executables that debilitate conventional signature-based approaches and even behavior-based AI solutions. In response to these challenges, we propose MAMBA + , an obfuscation-resistant dynamic analysis approach tailored for uncovering malware behavior. We have assembled a comprehensive collection of behavioral obfuscation attacks designed to undermine behavior-based models. The central concept behind MAMBA + involves treating obfuscated calls as perturbed data and introducing a novel loss function to effectively balance ground-truth predictions and the handling of these perturbations. To facilitate this approach, MAMBA + designs adapted embedding mechanisms to transform traces of API calls into high-dimensional vectors for attention calculations. Through a comprehensive empirical study with seven obfuscations and three unseen attacks, we reveal important qualitative properties of MAMBA + , and quantitatively demonstrate its superiority in performance and robustness to all compared methods.

Malware represents the most critical threat in cybersecurity, meant to compromise the security for any individual or any organization. These are covert software, designed to perform malicious act like data theft, data alteration, and to interrupt a normal operation of the services. The persistent evolution of malware has called for more sophisticated techniques in its detection and prevention, resulted into direct need of Artificial Intelligence in cybersecurity. Artificial intelligence, using machine learning techniques and rising concepts like neural networks has greatly improved the traditional static and dynamic ways of detecting malware. Advances in AI-driven solutions have made them much more capable than their predecessors of detecting malware and addressing threats in real time. By training machine learning models on vast quantities of data, malicious patterns can easily be detected and identify patterns. With these emerging challenges, AI powers automated real-time analysis and adaptive security posture can effectively mitigate the threat. Large Language Models (LLMs) have revolutionized natural language processing and are increasingly being deployed across a wide range of applications, including text generation, summarization, translation, and detection systems. Recent research related to the methodologies employed in developing detection systems using LLMs, outlines the existing limitations and research gaps, and proposes potential areas for future investigation. The use of AI in malware analysis faces its own challenges with the potential for adversarial attacks and the scale of AI models that can muddy the waters of transparency and trust. Overcoming these challenges will involve the creation of mature, ethical, AI systems and an open dialogue between cybersecurity professionals, sustainable AI development and regulatory compliance all working in concert.

Binary reverse engineering is pivotal in the realm of cybersecurity, enabling critical applications such as malware analysis, legacy code hardening, and vulnerability detection. However, the challenge of recovering structural information from binaries, especially stripped ones, persists due to the significant loss of variable boundaries, types, names, and dataflow information during compilation. In this article, we introduce Hy brid RE asoning for S tructure Recovery ( HyRES ), an innovative hybrid reasoning technique that energizes static analysis, Large Language Model (LLM), and heuristic methods to recover data structures from stripped binaries. It analyzes the structure layout and proficiently infer its semantics via LLM, and utilizes semantics to perform semantic-enhanced structure aggregation, which overcomes the need for complete dataflow. HyRES outperforms State-of-the-Art (SOTA) solutions in terms of structure pointer identification and layout recovery. Specifically, HyRES achieves 65.1% higher recall and 33.4% higher accuracy than the SOTA, while also being 64.2% faster than existing SOTA solutions. Comprehensive experiments demonstrate HyRES ’s superior performance and practical utility in real-world reverse engineering tasks, marking a significant advancement in binary analysis.

Cybersecurity has seen a notable increase in intricate threats including ransomware, insider threats, polymorphic malware, and data breaches. Conventional signaturebased antivirus programs struggle to identify these new threats because they depend on familiar patterns and cannot evaluate unknown behaviors. To overcome these constraints, this paper introduces SmartGuard, a real-time behavior analysis system crafted to identify harmful file activities by observing system-level interactions, user behavior, and process irregularities. SmartGuard employs homomorphic encryption for secure file analysis, anomaly detection based on rules, malware scanning via YARA and ClamAV, cloud-enabled audit logging, USB activity tracking, and webcam-enabled forensic evidence gathering. The modular design of the system improves early threat identification, guarantees data privacy, and facilitates secure file transfers with OTPbased authentication. Experimental findings indicate that SmartGuard shortens detection time, boosts behavioral detection precision, and improves forensic visibility relative to conventional antivirus systems. SmartGuard's uniqueness stems from its hybrid strategy—merging real-time behavioral analytics, privacy-focused encryption, USB forensics, and cloudconnected monitoring—resulting in a scalable and all-encompassing solution for enterprise cybersecurity. Keywords: Real-time behavioral analysis, malicious file activity detection, ransomware detection, insider threat monitoring, homomorphic encryption, privacy-preserving malware analysis, YARA rules.

Cybersecurity education requires practical activities such as malware analysis, phishing detection, and Capture the Flag (CTF) challenges. These exercises enable students to actively apply theoretical concepts in realistic scenarios, fostering experiential learning. This article introduces an innovative pedagogical approach relying on gamification in cybersecurity courses, combining technical problem-solving with human factors such as social engineering and risk-taking behavior. By integrating interactive challenges into the courses, engagement and motivation have been enhanced, while addressing both technological and managerial dimensions of cybersecurity. Observations from course implementation indicate that students demonstrate higher involvement when participating in supervised offensive security tasks and social engineering simulations within controlled environments. These findings highlight the potential of gamified strategies to strengthen cybersecurity competencies and promote ethical awareness, paving the way for future research on long-term cybersecurity learning outcomes.

The increasing sophistication and scale of cyber threats have made the application of artificial intelligence (AI) to cybersecurity indispensable. This paper discusses how AI can address these challenges by highlighting emerging trends and key developments in the field. It begins by explaining how AI enhances cybersecurity through its fundamental mechanisms: machine learning (ML), deep learning (DL), and natural language processing (NLP). The paper then examines practical applications of AI-powered solutions, including intrusion detection systems, malware analysis, and vulnerability assessment, as well as their contributions to strengthening cybersecurity defences. A substantial portion of the paper focuses on current and emerging trends, including explainable AI (XAI), adversarial ML, and the use of AI in securing the Internet of Things (IoT). It further explores other innovations in the security domain, such as autonomous security operation centres (ASOCs), AI-driven threat intelligence platforms, and the potential impact of quantum computing on the future of cybersecurity. In addition, the paper considers key challenges and ethical issues in integrating AI into cybersecurity, such as privacy concerns, biases in AI systems, and the risks of AI-enabled cyberattacks. The core problem statement lies in developing AI systems capable of countering escalating cyber threats while adhering to ethical principles to minimize unintended consequences. The study draws upon an extensive review of literature, case studies, and expert analyses. It aims to identify gaps in existing research and suggest directions for future work. Finally, the paper discusses possible avenues for future research and practical implications for cybersecurity professionals, with the goal of shaping the next generation of AI-driven cybersecurity solutions. Ultimately, this paper seeks to provide comprehensive insights into the evolving role of AI in safeguarding against cyber threats, serving researchers, cybersecurity practitioners, and policymakers alike.

Packing presents a major challenge in cybersecurity, as it complicates malware analysis and extends the operational lifespan of malicious software. This study addresses the issue by developing a robust framework designed to detect packed executable files and identify the specific packers used. The proposed framework leverages 20 optimally selected features extracted from Portable Executable (PE) files to detect packing and recognize packer signatures. A series of extensive experiments was conducted to determine the most effective combination of classification model and feature set. The extreme gradient boost algorithm was selected based on its superior performance. The proposed model achieved a high detection accuracy of 99.27% and an F1-score of 98.84%, outperforming recent methods in the field. In addition, the study introduces a publicly accessible dataset containing 213,784 PE samples and 125 features to facilitate future research. The framework provides a practical tool for security analysts, improving their ability to identify and respond to PE file-based malware in real-world environments. This study focuses exclusively on a static analysis pipeline; no dynamic execution is performed. We also describe how the framework could interface with sandbox-derived dynamic behavioral signals in future work without extending the current study’s scope. Overall, this research contributes a static feature-based approach for packer detection and signature identification, together with a large-scale open dataset that supports ongoing advances in malware classification and analysis.

One of the significant security risks on the Internet today is malware, and implementing effective defensive measures necessitates the quick analysis of an ever-growing volume of malware samples. The analysis is made more difficult by the growth of metamorphic malware because signature-based static analysis tools are no longer as effective. While dynamic malware analysis is a viable option, the strategy faces considerable difficulties due to the strain that the ever-increasing volume of samples that need to be analyzed places on hardware resources. In addition, modern malware is capable of both detecting the monitoring environment and hiding in parts of the system that are not being watched.

The rapid growth of digital data, cloud computing, and social media platforms has led to a significant increase in cyber threats, making information security a major global challenge. Traditional security methods often fail to detect complex, dynamic, and large-scale cyber -attacks in real time. In this context, Artificial Intelligence (AI) has emerged as a transformative approach to enhancing information security systems by enabling intelligent, automated, and more adaptive defense systems. This paper examines how AI is used in information security, specifically focusing on its ability to improve threat detection, malware analysis, and data protection. AI technologies such as machine learning, deep learning, and data mining, are highly effective at identifying patterns, and spotting unusual activities. Unlike old rule-based methods, AI can predict potential security breaches with higher accuracy and speed, providing a more robust shield against hackers. However, using AI security also brings certain challenges. These include concerns regarding data privacy concerns, lack of transparency in in how AI makes decisions, and the risk of criminal using AI for more advanced attacks. Furthermore, the high cost of the technology and ethical questions about automated surveillance are significant obstacles. The conclusion of this paper is that, although AI has the potential to transform cybersecurity, greater emphasis must be placed on developing more transparent and ethical AI models.These technical and regulatory challenges must be addressed to create a secure and trustworthy digital future.

Artificial Intelligence (AI) is radically reshaping cybersecurity by enabling data-driven threat analysis and response capabilities that far surpass traditional, signature-based methods. Machine learning and deep learning techniques now allow systems to sift through massive security logs and network data automatically, detecting attacks in real time and at scale. This review surveys how AI methods are integrated across security tools – from automated intrusion detection and malware analysis to advanced threat intelligence platforms. We highlight recent advances (such as deep neural networks for pattern recognition, reinforcement learning for adaptive defenses, and explainable AI for transparent alerts) and summarize how AI models are evaluated (accuracy, false-positive rate, detection latency, etc.). We also discuss representative deployments of AI in practice, compare recent research developments, and address current challenges (including adversarial attacks on models, data bias, and interpretability issues). Finally, we outline promising directions like federated learning for collaborative defense and robust AI governance. In conclusion, AI offers a transformative toolkit for proactive security, but realizing its full potential requires ongoing innovation and careful oversight.