MARA: A Malware Analysis Reasoning Agent for Interpretable Android Malware Detection

Bibliographic details
Main author: 123 (11717522) (author)
Published: 2025
Description
Summary:
<p dir="ltr"><b>MARA</b> is a next-generation Android malware detection framework that transforms fragmented static and behavioral signals into coherent, human-understandable malicious behavior chains. Unlike traditional black-box detectors or feature-centric learning models, MARA treats malware detection as a <b>behavior-centric reasoning problem</b>, powered by structured perception and multi-stage LLM reasoning.</p>
<p dir="ltr">MARA introduces a unified <i>perception–reasoning–action</i> pipeline that enables transparent, explainable, and semantically grounded Android malware analysis, offering both high detection accuracy and strong interpretability.</p>
<h2><b>Key Features</b></h2>
<h3><b>1. Behavior-Centric Evidence Structuring (BCES)</b></h3>
<p dir="ltr">MARA reorganizes heterogeneous Android artifacts (permissions, API calls, components, ICC flows, and lightweight runtime signals) into a <b>structured, behavior-oriented evidence space</b>.<br>This design eliminates semantic fragmentation and exposes hidden relationships across signals such as:</p>
<ul><li>sensitive permission + data-access API</li><li>exported component + privileged operation</li><li>background tasks + network exfiltration</li></ul>
<p dir="ltr">BCES builds the foundation for coherent, chain-based reasoning.</p>
<h3><b>2. Multi-Stage Behavior Reasoning (BCMR)</b></h3>
<p dir="ltr">Instead of producing a single-pass prediction, MARA performs <b>progressive reasoning</b> using an LLM:</p>
<ol><li><b>Stage 1 — Initial Inspection</b><br>Identify suspicious behaviors at the evidence-block level.</li><li><b>Stage 2 — Context Enrichment</b><br>Infer missing or implicit cross-block relationships.</li><li><b>Stage 3 — Behavior-Chain Construction</b><br>Reconstruct the complete malicious behavior chain and make the final decision.</li></ol>
<p dir="ltr">This staged reasoning design enforces explicit, causal, and verifiable analysis, which is far more transparent than standard CoT or one-shot LLM inference.</p>
<h3><b>3. Explanation-Based Detection</b></h3>
<p dir="ltr">MARA outputs both:</p>
<ul><li><b>a final malware/benign decision</b>, and</li><li><b>a behavior-grounded explanation</b> that mirrors its actual reasoning trajectory</li></ul>
<p dir="ltr">Because the explanation is the trace of the reasoning that produced the decision rather than text generated afterwards, this addresses the problem of post-hoc “fabricated explanations” common in LLM detectors.</p>
<h2><b>Performance Highlights</b></h2>
<p dir="ltr">Across benchmark datasets (Drebin, AMD, CICMalDroid), MARA delivers:</p>
<ul><li><b>97.3% accuracy</b> on Drebin</li><li><b>96.4% accuracy</b> on AMD</li><li><b>94.7% accuracy</b> on CICMalDroid</li><li><b>Highest explanation quality</b> across clarity, semantic relevance, justification, and behavior-chain fidelity</li><li><b>Strong robustness</b> under obfuscation (renaming, packing, encryption)</li></ul>
<p dir="ltr">MARA consistently outperforms traditional static detectors, deep learning fusion models, and recent LLM-based malware analysis frameworks.</p>
<h2><b>Robustness to Obfuscation</b></h2>
<p dir="ltr">MARA’s behavior-centric design allows it to remain stable under:</p>
<ul><li>symbol renaming</li><li>string/code encryption</li><li>DEX packing</li><li>NOP insertion</li></ul>
<p dir="ltr">Accuracy degradation under these transformations is <b>2.5–4.0 percentage points</b>, significantly lower than existing baselines (5–10 points).</p>
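<p dir="ltr">The BCES step described under Key Features, as an added example that is not part of the paper or of the MARA project: a small Python pass that takes constructed static signals (permissions, API calls, components, ICC edges) and groups them into the three cross-signal evidence blocks the section lists, then orders the blocks into a one-line behavior chain of the kind a later reasoning stage would consume. The permission and API taxonomies, the input layout, the component and class names, and both sample APKs are assumptions made for this illustration.</p>

```python
"""Behavior-centric evidence structuring over extracted Android artifacts.

Added example for this page, not MARA's own code. It shows one way to turn
fragmented static signals into cross-signal evidence blocks of the shape the
BCES section lists. Taxonomies, input layout and samples are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Assumed taxonomies (illustrative, not the paper's): permission / API -> data category.
SENSITIVE_PERMISSIONS: Dict[str, str] = {
    "android.permission.READ_SMS": "sms",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
}
DATA_ACCESS_APIS: Dict[str, str] = {
    "Landroid/content/ContentResolver;->query": "sms",  # treated as content://sms here
    "Landroid/telephony/SmsManager;->getDefault": "sms",
    "Landroid/location/LocationManager;->getLastKnownLocation": "location",
}
NETWORK_APIS: Set[str] = {"Ljava/net/HttpURLConnection;->connect", "Ljava/net/Socket;-><init>"}
PRIVILEGED_APIS: Set[str] = set(DATA_ACCESS_APIS) | {"Landroid/telephony/SmsManager;->sendTextMessage"}
BACKGROUND_TRIGGERS: Set[str] = {"android.intent.action.BOOT_COMPLETED"}


@dataclass
class Evidence:
    kind: str          # which cross-signal relationship fired
    items: List[str]   # the concrete artifacts that form the block


def reachable(start: str, icc: List[Tuple[str, str]]) -> Set[str]:
    """Components reachable from `start` over directed ICC edges (start included)."""
    seen, stack = {start}, [start]
    while stack:
        src = stack.pop()
        for a, b in icc:
            if a == src and b not in seen:
                seen.add(b)
                stack.append(b)
    return seen


def apis_used_by(components: Set[str], api_calls: Dict[str, Set[str]]) -> Set[str]:
    """All APIs whose caller set intersects the given components."""
    return {api for api, callers in api_calls.items() if callers & components}


def structure_evidence(apk: dict) -> List[Evidence]:
    """Group raw signals into behavior-oriented evidence blocks."""
    blocks: List[Evidence] = []
    perms, calls = set(apk["permissions"]), apk["api_calls"]

    # 1. sensitive permission + a data-access API for the same data category
    for perm, cat in SENSITIVE_PERMISSIONS.items():
        if perm in perms:
            apis = [a for a, c in DATA_ACCESS_APIS.items() if c == cat and a in calls]
            if apis:
                blocks.append(Evidence("sensitive_data_access", [perm] + apis))

    # 2. exported component that reaches a privileged operation, directly or via ICC
    for comp in apk["components"]:
        if comp["exported"]:
            used = apis_used_by(reachable(comp["name"], apk["icc_flows"]), calls)
            priv = sorted(used & PRIVILEGED_APIS)
            if priv:
                blocks.append(Evidence("exported_to_privileged", [comp["name"]] + priv))

    # 3. background trigger -> data access -> network call (exfiltration shape)
    for comp in apk["components"]:
        if BACKGROUND_TRIGGERS & set(comp.get("intent_filters", [])):
            used = apis_used_by(reachable(comp["name"], apk["icc_flows"]), calls)
            access, net = used & set(DATA_ACCESS_APIS), used & NETWORK_APIS
            if access and net:
                blocks.append(Evidence("background_exfiltration",
                                       [comp["name"]] + sorted(access) + sorted(net)))
    return blocks


def behavior_chain(blocks: List[Evidence]) -> str:
    """Entry point -> data access -> exfiltration, as one line for the next stage."""
    order = ["exported_to_privileged", "sensitive_data_access", "background_exfiltration"]
    kinds = [k for k in order if any(b.kind == k for b in blocks)]
    return " -> ".join(kinds) if kinds else "no cross-signal evidence"


# Constructed sample: signals a static pass might extract from a boot-triggered SMS stealer.
SUSPICIOUS_APK = {
    "permissions": ["android.permission.READ_SMS", "android.permission.INTERNET",
                    "android.permission.RECEIVE_BOOT_COMPLETED"],
    "api_calls": {  # API -> set of calling components/classes
        "Landroid/telephony/SmsManager;->getDefault": {"com.example.SmsWorker"},
        "Landroid/content/ContentResolver;->query": {"com.example.SmsWorker"},
        "Ljava/net/HttpURLConnection;->connect": {"com.example.SmsWorker"},
        "Landroid/app/job/JobScheduler;->schedule": {"com.example.BootReceiver"},
    },
    "components": [
        {"name": "com.example.BootReceiver", "exported": True,
         "intent_filters": ["android.intent.action.BOOT_COMPLETED"]},
        {"name": "com.example.SmsWorker", "exported": False},
    ],
    "icc_flows": [("com.example.BootReceiver", "com.example.SmsWorker")],
}
# Constructed benign control: an ordinary networked launcher activity.
BENIGN_APK = {
    "permissions": ["android.permission.INTERNET"],
    "api_calls": {"Ljava/net/HttpURLConnection;->connect": {"com.example.MainActivity"}},
    "components": [{"name": "com.example.MainActivity", "exported": True,
                    "intent_filters": ["android.intent.action.MAIN"]}],
    "icc_flows": [],
}

if __name__ == "__main__":
    for label, apk in (("suspicious", SUSPICIOUS_APK), ("benign", BENIGN_APK)):
        found = structure_evidence(apk)
        print(f"[{label}] chain: {behavior_chain(found)}")
        for b in found:
            print(f"  {b.kind}: {', '.join(b.items)}")
```

<p dir="ltr">The ICC reachability step is what ties an exported entry point (the boot receiver) to privileged operations that live in a different component (the worker service); looked at one artifact at a time, neither the receiver nor the service is suspicious, which is the fragmentation the section is describing. The benign control shows that an exported component making network calls on its own does not produce a block.</p>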