Multi-View Decompilation for LLM-Based Malware Classification
- company Hugging Face
- lab arXivLabs
- location arXiv
- person Bercan Turkmen Efe
- product DagsHub
- product Ghidra
- product Gotit.pub
- product RetDec
A new study proposes feeding large language models two decompiler views of the same binary, rather than one, to improve malware classification without retraining. The approach, detailed in a paper by Bercan Turkmen Efe, uses Ghidra and RetDec to generate complementary pseudo-C outputs that together raise malicious-sample recall [1][2]. Malware analysts routinely inspect compiled binaries through decompiled pseudo-C when source code is unavailable. Recent work has shown that large language models can assist this process by classifying decompiled code as benign or malicious, but existing pipelines typically rely on a single decompiler view [1][2]. The new research argues that this assumption is fragile because decompilers are lossy heuristic tools, and different decompilers can expose different artefacts of the same binary [2]. The researchers curated a benchmark of benign utilities and malicious programs spanning a range of threat behaviors. Each sample was compiled and then decompiled with both Ghidra, an open-source reverse-engineering framework developed by the National Security Agency, and RetDec, a retargetable decompiler [2]. This process yielded matched pseudo-C views for every binary. Across a range of large language models from major model families, providing both decompiler views improved malicious-class F1, mainly by increasing recall on malicious samples [1][2]. Agreement analyses further showed that Ghidra and RetDec make partially different errors, supporting the view that decompiler outputs provide complementary evidence [2]. The authors describe multi-decompiler prompting as a simple, training-free way to improve LLM-based malware triage in practical settings [1][2]. Large language models are machine learning models with many parameters, trained with self-supervised learning on vast amounts of text for natural language processing tasks such as language generation [7]. Their application to cybersecurity workflows has expanded as models have grown more capable. The paper’s findings arrive amid broader industry attention on cost-efficient model deployment. Chinese firm DeepSeek, for instance, reported training its V3 model for roughly US$6 million, a fraction of the estimated US$100 million cost for OpenAI’s GPT-4 in 2023 [6]. The study appears on arXiv, the preprint repository that has integrated with Hugging Face Spaces to allow researchers to attach interactive demos to their papers [3][4]. Through that integration, users can navigate to a paper’s Demo tab on its arXiv abstract page and try open-source demos built by the community without writing any code [5]. The multi-view decompilation paper does not yet list a linked demo, but the infrastructure exists for authors or the community to add one later [5]. The work was submitted to arXiv on June 18, 2026, by Bercan Turkmen Efe [1]. No external funding or institutional affiliation was disclosed in the preprint.
research-paperbenchmark
Background sources we checked (7)
- arxiv.org ↗ Malware analysts often inspect compiled binaries through decompiled pseudo-C, when source code is unavailable. Recent work suggests that large language models (LLMs) can assist this process by classifying decompiled code as benign or malicious, but existing pipelines typically re…
- huggingface.co ↗ Hugging Face Machine Learning Demos on arXiv Back to Articles ... # Hugging Face Machine Learning Demos on arXiv Published November 17, 2022 Update on GitHub Upvote 1 - - - - - Abubakar Abid abidlabs Follow …
- info.arxiv.org ↗ ## Hugging Face Spaces ... Hugging Face code repositories, About Hugging Face ... Collaborators: Abubakar Abid, Omar Sanseviero, Ahsen Khaliq, and the Hugging Face team ... Hugging Face Spaces includes links to demos created by the community or the authors themselves. By going to…
- huggingface.co ↗ Demos on Hugging Face Spaces allow a wide audience to try out state-of-the-art machine learning research without writing any code. Hugging Face and ArXiv have collaborated to embed these demos directly along side papers on ArXiv! ... Thanks to this integration, users can now find…
- en.wikipedia.org ↗ Hangzhou DeepSeek Artificial Intelligence Basic Technology Research Co., Ltd., doing business as DeepSeek, is a Chinese artificial intelligence (AI) company that develops large language models (LLMs). Based in Hangzhou, Zhejiang, DeepSeek is owned and funded by High-Flyer, a Chin…
- en.wikipedia.org ↗ A large language model (LLM) is a type of machine learning model designed for natural language processing tasks such as language generation. LLMs are language models with many parameters, and are trained with self-supervised learning on a vast amount of text.…
- en.wikipedia.org ↗ Douwe Kiela is a Dutch-American research scientist and entrepreneur working in the field of artificial intelligence with a focus on machine learning and natural language processing. He is a research scientist director at Google DeepMind. He previously co-founded and served as CEO…
Sources
- export.arxiv.org — Multi-View Decompilation for LLM-Based Malware Classification ↗