Research area: Analysis
Conference: International Conference on Information Security Applications
Obfuscation is a method that safeguards intellectual property rights against malicious analysts by altering the structure, logic, and other aspects of a program. However, malicious developers utilize obfuscation methods in their malware to avoid detection and analysis. To deobfuscate malware, analysts leverage their analysis skills alongside deobfuscation methodology. Although obfuscation is widely used in malware, heuristic-based deobfuscation methodology has limitations, including reliance on specific obfuscation tools and inefficiency in large-scale processing. In this paper, we propose ChatDEOB, an effective deobfuscation method that utilizes a Large Language Model (LLM). We focus on the LLM’s application in various software engineering areas, such as code analysis, generation, and fuzzing, and employ it in our deobfuscation method. To effectively deobfuscate, we fine-tune the LLM model in detail and implement ChatDEOB using well-designed prompt engineering methods. To the best of our knowledge, ChatDEOB is the first method to deobfuscate code using a fine-tuned LLM model. To demonstrate the effectiveness of ChatDEOB, we utilize SacreBLEU, a published obfuscation evaluation method, along with the Obfuscation Quality Quantification Framework. The experiment resulted in the SacreBLEU score increasing from an initial average of 22.71 to 49.12, achieving a 116.27% improvement and demonstrating significant effectiveness. Additionally, when measuring the six evaluation indicators of the Obfuscation Quality Quantification Framework, the deobfuscation effect shows an average improvement of 85% compared to the obfuscated code.
| Publication year | 2025 |
|---|---|
| Citations | 0 |
| Country of publication | Korea |
| Site | Springer |