Efficient Code Analysis via Graph-Guided Large Language Models

📅 2026-01-19
🤖 AI Summary
This work addresses the challenge that current large language models (LLMs) struggle to effectively identify malicious code dispersed across multiple files, as its behavior is often obscured by abundant benign code. To overcome this limitation, the authors propose a graph-guided analysis framework that first constructs a code dependency graph to capture cross-file relationships. Node semantics and structural information are encoded using an LLM, and a graph neural network is trained for initial detection. Subsequently, a graph-guided attention mechanism is introduced to steer the LLM toward critical regions for fine-grained analysis. The approach significantly reduces interference from irrelevant context and lowers annotation costs under sparse labeling conditions. Experimental results on multiple public and custom datasets demonstrate superior performance over existing methods, highlighting its strong practical applicability.

📝 Abstract
Large Language Models (LLMs) have significantly advanced code analysis tasks, yet they struggle to detect malicious behaviors fragmented across files, whose intricate dependencies easily get lost in the vast amount of benign code. We therefore propose a graph-centric attention acquisition pipeline that enhances LLMs' ability to localize malicious behavior. The approach parses a project into a code graph, uses an LLM to encode nodes with semantic and structural signals, and trains a Graph Neural Network (GNN) under sparse supervision. The GNN performs an initial detection, and by interpreting these predictions, identifies key code sections that are most likely to contain malicious behavior. These influential regions are then used to guide the LLM's attention for in-depth analysis. This strategy significantly reduces interference from irrelevant context while maintaining low annotation costs. Extensive experiments show that the method consistently outperforms existing approaches on multiple public and custom datasets, highlighting its potential for practical deployment in software security scenarios.
Problem

Research questions and friction points this paper is trying to address.

code analysis
malicious behavior detection
cross-file dependencies
large language models
software security
Innovation

Methods, ideas, or system contributions that make the work stand out.

Graph-Guided Attention
Large Language Models
Graph Neural Networks
Code Analysis
Malicious Code Detection

Hang Gao
Institute of Software, Chinese Academy of Sciences
Machine Learning, Deep Learning, Graph Representation Learning, Graph Neural Networks

Tao Peng
Jilin University
natural language processing, knowledge graph

Baoquan Cui
Key Laboratory of System Software, Institute of Software, Chinese Academy of Sciences

Hong Huang
Key Laboratory of System Software, Institute of Software, Chinese Academy of Sciences

Fengge Wu
Institute of Software, Chinese Academy of Sciences

Junsuo Zhao
Institute of Software, Chinese Academy of Sciences

Jian Zhang
Institute of Software, Chinese Academy of Sciences
automated reasoning, program analysis, software testing, constraint solving