Malaika: Understanding Malware through Tri-Grounded Agentic Reasoning

πŸ“… 2026-07-10
πŸ“ˆ Citations: 0
✨ Influential: 0
πŸ“„ PDF
πŸ€– AI Summary
This work addresses the challenge of detecting Android malware that is sparse and interwoven with benign code in partially observable environments. It proposes a triply grounded (domain-, semantics-, and knowledge-grounded) reasoning paradigm that formulates malware understanding as an auditable behavior reconstruction problem. Leveraging a multi-agent architecture, the approach synergistically integrates behavior hypothesis generation, tool-augmented evidence localization, retrieval-based threat attribution, and analyst-inspired heuristic reasoning. This study is the first to systematically incorporate auditability and behavior-level conclusion reliability into large language model–driven malware analysis. Experimental results demonstrate significant performance gains over existing LLM-based frameworks, and ablation studies confirm that the triply grounded mechanism plays a pivotal role in enhancing both the accuracy and interpretability of analytical conclusions.
πŸ“ Abstract
Recent LLM-based systems have shown promising capabilities for security-focused code analysis. Malware understanding, however, poses a distinct challenge: analysts must reconstruct high-level malicious behaviors under partial observability from sparse, dispersed evidence intertwined with benign functionality. While static analysis can expose security-relevant signals, the central challenge is not merely identifying suspicious code, but determining whether the evidence sufficiently supports an auditable behavior-level conclusion. We formulate malware understanding as a grounded reasoning problem and argue that reliable behavior reconstruction requires three complementary forms of grounding. Domain grounding constrains how behavior hypotheses are generated and evaluated, semantics grounding localizes and connects supporting program evidence, and knowledge grounding supports behavioral attribution through externally verifiable threat knowledge. To study this hypothesis, we present Malaika, a multi-agent framework that operationalizes the three grounding mechanisms through analyst-inspired reasoning, tool-mediated evidence localization, and retrieval-based behavioral attribution. We instantiate Malaika for Android malware analysis and evaluate it on malware-understanding tasks. Results show that Malaika improves analysis quality over prior LLM-based malware-analysis frameworks and demonstrate that reliability depends not only on model capability but also on the reasoning process. In particular, comparisons against malware-analysis systems and frontier agentic frameworks show that grounding-aware reasoning produces more precise and auditable conclusions. Ablation studies further support the grounding hypothesis. These findings suggest that grounding-aware reasoning provides a principled foundation for reliable malware understanding and, more broadly, for evidence-grounded software analysis.
Problem

Research questions and friction points this paper is trying to address.

malware understanding
behavior reconstruction
partial observability
auditable conclusion
evidence grounding
Innovation

Methods, ideas, or system contributions that make the work stand out.

tri-grounded reasoning
malware understanding
multi-agent framework
behavior reconstruction
evidence grounding