A PDF Malware Detection Framework Integrating Graph Neural Networks and Large Language Models

This article introduces the GNN-LLM-PDF-Malware project on GitHub. This framework innovatively integrates graph neural networks (GNN) and large language models (LLM) to achieve PDF malware family classification, subfamily identification, and behavior analysis, breaking through the limitations of traditional binary detection and providing a multi-layered threat detection solution for the cybersecurity field.

Due to its complex structure (including JS code, embedded files, action scripts, etc.), PDF has become an important carrier for malicious propagation. Traditional detection methods (signature-based, static signatures) struggle to cope with evolving attacks, and simple machine learning cannot capture the structured information inside documents; moreover, merely determining whether a PDF is malicious or benign is insufficient—security analysts need deep intelligence such as family, behavior, and vulnerabilities to formulate defense strategies.

Application of GNN

The internal structure of PDF is suitable for graph representation (object references, JS call chains, etc., are modeled as nodes/edges). GNN excels at processing non-Euclidean data, can capture local structural features, propagate information, and identify abnormal subgraphs. The corresponding code file is Feature_Extraction_GNN.py.

Enhancement by LLM

LLM is good at understanding text content (JS code, metadata, etc.), can analyze code semantics, perform context reasoning, and generate behavior descriptions. The corresponding code includes the Finetune_LLM directory and LLM_evaluate.py.

The framework adopts a phased strategy:

1. Stage 1 & 2: GNN Feature Extraction: Parse the PDF into a graph structure via Feature_Extraction_GNN (Stage1 & 2).py, and GNN learns node representations (including structural and contextual information).
2. Stage 3: LLM Evaluation and Analysis: Output classification results via LLM_evaluate (Stage 3).py and generate natural language descriptions of malware behavior to assist analysts in understanding threats.

The project includes a Dataset directory that provides labeled data required for training (high-quality data is key to model robustness). Technical details include:

• PDF parsing and graph construction: Requires in-depth knowledge of PDF format to parse object structures, reference relationships, and active content.
• GNN model design: Optional architectures such as GCN, GAT, GraphSAGE are available; need to handle variable-length graph structures and learn discriminative representations.
• LLM fine-tuning strategy: Need to select a base model, design task prompt templates, handle long text input, etc.

This framework has value in multiple scenarios:

• Enterprise SOC: Automatically detect and provide context to help analysts quickly understand the severity of threats.
• Threat Intelligence Analysis: Track attack organization activities through family classification and understand malware evolution trends.
• Sandbox Enhancement: Static analysis complements dynamic sandbox results to form a comprehensive threat profile.

The framework faces challenges:

• Adversarial Sample Attacks: Malicious authors may modify PDF structures to evade detection, so model robustness needs to be enhanced.
• Computational Efficiency: GNN and LLM are computationally intensive; inference speed needs to be optimized to handle large-scale scanning. Future directions: Explore multi-modal fusion (adding visual information such as PDF rendered images) to improve detection capabilities.

The GNN-LLM-PDF-Malware project represents an important development direction in malware detection. By combining GNN's structural modeling and LLM's semantic understanding capabilities, it achieves a leap from simple classification to in-depth analysis. For security practitioners and researchers, it is both a practical tool and an important reference for AI applications in the security field, and will become a key component of next-generation security defense systems.