
Amplec


Automated Malware Analysis with Language Explanation for Consumers

Amplec is a project that set out to answer a basic question: “How can we make malware analysis results more accessible and more efficiently digestible for analysts and, by extension, for consumers?” The project was my bachelor thesis, supervised by Prof. Dr. Roland Hellmann of the University of Aalen. I received a grade of 1.1 (A+) for the thesis and the project.

The project was a collaboration with the Threat Intelligence team of Deutsche Telekom Security GmbH.

To the GitHub repository

Features

  • Automated Interpretation: Uses an LLM to interpret malware analysis results and explain them in natural language.

  • User Interaction via Prompts: Provides predefined prompts so that users can quickly select the interpretation relevant to them.

  • Dynamic Data Handling: Copes with the evolving data produced by malware analysis, adapting to new threats and to changes in the analysis pipeline.

  • System Integration: Integrates with existing systems through APIs, implemented in Python with Flask.

  • Optional Advanced Features:

    • Retrieval Augmented Generation (RAG): Adds context from external data sources to the prompt.
    • Function Calling: Lets the LLM trigger further analysis tasks.
    • Open Prompting: Users can write their own prompts for more flexibility.

Implementation Overview

  • Architecture:

    • Three main components: the Karton malware analysis system, which produces the raw results; the LLM; and a web interface/API.
    • The LLM interprets the analysis results and returns its explanation to the web interface.

  • System Connections: The components communicate through APIs implemented in Python.

  • LLM Implementation:

    • A locally hosted LLM is selected and configured.
    • LangChain is used to integrate actions (function calling) and the optional RAG extension.
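The prompt selection, dynamic data handling and function calling described in the features and architecture above can be seen together in the following added example. This is illustrative code written for this page, not Amplec's own implementation: the Karton-style report layout, the prompt keys, the tool names (`resubmit_sandbox`, `passive_dns`) and their argument validators are assumptions, and the model reply is a constructed string rather than the output of a real LLM call through LangChain. It shows three things a practitioner would want from such a layer: the raw results are serialised whole into the prompt so that new analyzer fields need no template change, a model-proposed tool call is only dispatched if it matches an allow-list and its arguments validate, and indicators the model mentions are checked against the report so that invented ones can be flagged to the reader.

```python
"""Added example (not Amplec's own code): an LLM layer in front of a
Karton-style pipeline that renders predefined prompts, validates
model-proposed function calls and checks indicators against the report.
Report layout, prompt keys, tool names and validators are assumptions."""
import json
import re
from typing import Any, Callable

# Constructed sample: a flattened Karton-style result for one file.
# Keys are deliberately not fixed; later analyzers may add fields.
SAMPLE_REPORT: dict[str, Any] = {
    "sha256": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
    "file_type": "PE32 executable",
    "yara": ["win_agent_tesla", "suspicious_packer"],
    "network": {"dns": ["update-check.example", "cdn.example"],
                "tcp": ["203.0.113.7:443"]},
    "strings_of_interest": ["%APPDATA%\\svchost.exe", "SMTP"],
}

# Predefined prompts a user can pick from ("User Interaction via Prompts").
PROMPTS: dict[str, str] = {
    "summary": "Summarise what this sample does for a non-expert reader.",
    "iocs": "List the network indicators and explain why each matters.",
    "next_steps": "Recommend further analysis tasks; answer ONLY with a JSON "
                  "object {\"tool\": <name>, \"args\": {...}} if a tool helps.",
}


def build_prompt(prompt_key: str, report: dict[str, Any]) -> str:
    """Render a predefined prompt around the raw results. The report is
    serialised as JSON instead of formatted field by field, so analyzers
    added later need no template changes ("Dynamic Data Handling")."""
    if prompt_key not in PROMPTS:
        raise KeyError(f"unknown prompt {prompt_key!r}")
    data = json.dumps(report, indent=2, sort_keys=True, ensure_ascii=False)
    return ("You are given raw malware analysis output. Use only the data "
            "below; do not invent indicators.\n\n"
            f"TASK: {PROMPTS[prompt_key]}\n\nANALYSIS RESULTS:\n{data}\n")


# Function calling: the only tools the model may trigger, each with a
# validator per argument (hypothetical tool names for this example).
def _is_sha256(v: Any) -> bool:
    return isinstance(v, str) and re.fullmatch(r"[0-9a-f]{64}", v) is not None


def _is_hostname(v: Any) -> bool:
    return isinstance(v, str) and re.fullmatch(r"[a-z0-9.-]{1,253}", v) is not None


TOOL_REGISTRY: dict[str, dict[str, Callable[[Any], bool]]] = {
    "resubmit_sandbox": {"sha256": _is_sha256},
    "passive_dns": {"domain": _is_hostname},
}


def parse_tool_call(model_output: str) -> tuple[str, dict[str, Any]]:
    """Accept a tool call only if the tool is allow-listed, every declared
    argument is present and validates, and no extra argument is passed."""
    try:
        call = json.loads(model_output)
    except json.JSONDecodeError as exc:
        raise ValueError(f"tool call is not JSON: {exc}") from None
    if not isinstance(call, dict) or set(call) != {"tool", "args"}:
        raise ValueError('tool call must be {"tool": ..., "args": {...}}')
    name, args = call["tool"], call["args"]
    if name not in TOOL_REGISTRY:
        raise ValueError(f"tool {name!r} is not allow-listed")
    spec = TOOL_REGISTRY[name]
    if not isinstance(args, dict) or set(args) != set(spec):
        raise ValueError(f"{name}: expected exactly the args {sorted(spec)}")
    for key, check in spec.items():
        if not check(args[key]):
            raise ValueError(f"{name}: argument {key!r} failed validation")
    return name, args


def grounded_indicators(answer: str, report: dict[str, Any]) -> tuple[list[str], list[str]]:
    """Split hostnames and ip:port pairs mentioned in the model's answer into
    those present in the report and those it made up, so the UI can flag
    unsupported claims instead of presenting them as findings."""
    net = report.get("network", {})
    known = set(net.get("dns", [])) | set(net.get("tcp", []))
    pattern = r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b|\b\d{1,3}(?:\.\d{1,3}){3}:\d+\b"
    mentioned = set(re.findall(pattern, answer.lower()))
    return sorted(mentioned & known), sorted(mentioned - known)


if __name__ == "__main__":
    print(build_prompt("iocs", SAMPLE_REPORT))
    print(parse_tool_call('{"tool": "passive_dns", "args": {"domain": "update-check.example"}}'))
    # Constructed model reply: one real indicator and one invented one.
    reply = "The sample resolves update-check.example and also beacons to evil.example."
    print(grounded_indicators(reply, SAMPLE_REPORT))
```

In a deployment the rendered prompt would be handed to the local model through LangChain and `parse_tool_call` would run on the model's reply before any Karton task is queued; the point of the allow-list is that the model can request analysis, but never name an arbitrary action or pass unchecked arguments into the pipeline.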