Dr. Ahmed El Sayed

Cybersecurity Expert

Cybercrime Expert

Fraud Investigation Expert

Financial Crime Expert

Digital Forensics Expert

Open-source intelligence Expert

Data scientist

Instructor & Lecturer


ChatGPT for Malware Analysis: Enhancing GPT’s Ability to Guide Malware Analyst

GPT excels in verbal thinking, skillfully choosing precise words for optimal responses. Understanding this key property is crucial, as much of its subsequent behavior stems from this ability.

This AI model taps into an extensive cheat sheet: any historical answer present in its training data can be reproduced with uncanny accuracy.

Cybersecurity researchers at Check Point recently affirmed that security analysts could use ChatGPT for malware analysis, provided GPT's ability to guide the analyst is deliberately enhanced.

ChatGPT for Malware Analysis

GPT may fail to recall answers one would expect to be on its cheat sheet. For instance, in a malware analysis context, GPT struggled when a Google Scholar search failed to yield proof on the first page: it speculated and completed a sentence about the search results anyway, which led to a natural response failure.

GPT excels at summarizing large inputs, showcasing its grasp of grammar and its ability to prioritize key facts. It is trustworthy at distilling the big picture, for example when summarizing extensive malware-related API call logs.

Here’s what GPT presented when asked to summarize the log:-

[Figure: Malware-related API call log summary (Source – Check Point)]

The sentence completion power of GPT enables remarkable logical reasoning, but caution is needed. Overloading it with complex and verbose conditions can lead to misunderstandings and forgotten requirements.

Applying GPT to malware analysis reveals oddly human-like challenges. According to Check Point, examples abound of GPT grappling with tasks, and these can be grouped into a few broader challenges.

Principal Obstacles

Below are the 6 general principal obstacles:-

  • Memory Window Drift: GPT breaks text into tokens and works within a fixed window size. This limits large inputs, and once the window moves past the initial conversation instructions the model is left with second-hand descriptions of its task, losing whatever information has fallen out of the window. This stumbling block is a common challenge, even with API call logs.
  • Gap between Knowledge and Action: Feynman criticized memorization without understanding, and the same sentiment applies to GPT in malware analysis. Completing sentences isn’t enough; the knowledge has to be integrated into the task at hand. Problem-solving involves implicit questions, and it is easy to accidentally hinder that process. Self-awareness acts as a failsafe that reveals gaps between knowledge and action, and those gaps lead to the other difficulties in GPT’s application.
  • Logical Reasoning Ceiling: In applying GPT to malware analysis, researchers discovered challenges in managing its logical reasoning capacity. To work around these issues, three best practices emerged:-
    • Preferring lists over demanding a single ‘right answer’
    • Using terse instructions
    • Recognizing GPT’s varying capabilities in logical reasoning
  • Detachment from Expertise: GPT’s implicit web-weaving via sentence completion is powerful, but output quality may suffer if it is forced to reason alone. While its basic characterizations in malware analysis are accurate, expert insight emphasizes context, API call order, anti-analysis techniques, and tailored search strategies, which challenge common wisdom and optimize outcomes.
  • Goal Orientation: In tests, GPT often provided theoretically perfect but impractical advice, ignoring practical constraints. In triage tasks, the model’s recommendations emphasized theoretical correctness over efficient solutions. GPT’s potential falls short when it is induced to focus solely on the immediate input, which hinders its ability to mimic the subtle work of a malware analyst.
  • Spatial Blindness: GPT showed its distinctly non-human nature in malware analysis testing. Notably, its dependence on precisely configured prompts for effective Google searches revealed this behavior. In tasks such as the GandCrab case, GPT struggled with poorly engineered prompts and needed adjustments before it arrived at a proper understanding.
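The API-call-log summarization and the memory window drift obstacle above both come down to how much of the log, and of the task instructions, fits in the model's window. The following added example (not Check Point's code, and not from the original post) pre-condenses a constructed sandbox API call log into ordered run-length counts, then splits it into chunks that each carry the task instructions so they never drift out of the window; the 4-characters-per-token estimate and the `timestamp api(args)` log format are assumptions.

```python
import re

# Constructed sample log, one "sequence api(args)" line per call (assumed format).
SAMPLE_LOG = "\n".join([
    "0001 GetSystemInfo()",
    "0002 CreateFileW(report.docx)",
    "0003 ReadFile(h=0x1c)",
    "0004 ReadFile(h=0x1c)",
    "0005 ReadFile(h=0x1c)",
    "0006 CryptEncrypt(h=0x2a)",
    "0007 WriteFile(h=0x1c)",
    "0008 WriteFile(h=0x1c)",
    "0009 MoveFileExW(report.docx -> report.docx.locked)",
    "0010 InternetOpenA(ua=Mozilla)",
    "0011 HttpSendRequestA(h=0x30)",
])

# Task instructions that must be present in every chunk handed to the model.
INSTRUCTIONS = "Summarize this API call log and flag suspicious call sequences."

LINE_RE = re.compile(r"^\d+\s+(\w+)\(")


def approx_tokens(text):
    # Rough proxy: about four characters per token (assumption, not a real tokenizer).
    return (len(text) + 3) // 4


def run_length(log):
    """Collapse consecutive identical API names into (api, count) runs.

    Runs rather than totals are used so the call *order* survives, which the
    expert insight above singles out as important for analysis."""
    runs = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not API calls
        api = m.group(1)
        if runs and runs[-1][0] == api:
            runs[-1][1] += 1
        else:
            runs.append([api, 1])
    return [tuple(r) for r in runs]


def condense(log):
    """Render the runs as compact lines such as 'ReadFile x3'."""
    return "\n".join(f"{api} x{n}" for api, n in run_length(log))


def chunk_with_instructions(text, budget, instructions=INSTRUCTIONS):
    """Split text so that instructions + chunk stays within the token budget;
    the instructions are re-attached to every chunk so they cannot drift out."""
    header = instructions + "\n"
    chunks, current = [], []
    for line in text.splitlines():
        candidate = header + "\n".join(current + [line])
        if current and approx_tokens(candidate) > budget:
            chunks.append(header + "\n".join(current))
            current = [line]
        else:
            current.append(line)
    if current:
        chunks.append(header + "\n".join(current))
    return chunks
```

Each chunk can then be sent as its own prompt, with the per-chunk summaries merged afterwards, instead of trusting one long conversation to remember the original task.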

Despite appearing trivial, these steps simulate a beginner analyst’s 3-day experience. The effort is necessary to guide GPT past potential obstacles in task processing.

Besides the focus on challenges, don’t overlook GPT’s main advantage:- 

“It operates faster and more cost-effectively than a human analyst.” 

Before embracing automation, ensuring GPT matches a newbie analyst in basic tasks is essential for future advancements.
