Integrasi Ghidra MCP-LLM Untuk Analisis Forensik Malware

Rais, Sri Kusumo Fathoni (2026) Integrasi Ghidra MCP-LLM Untuk Analisis Forensik Malware. Other thesis, Institut Teknologi Sepuluh Nopember.

5025221233-Undergraduate_Thesis.pdf - Accepted Version
Restricted to Repository staff only


Abstract

The growth of technology and the large number of internet adopters give individuals and groups greater opportunity to launch cyber attacks, especially with malware. This study aims to speed up the identification of malicious behaviour, assist in interpreting decompiled and disassembled code, and provide recommendations from the resulting analysis by integrating Ghidra with an LLM as a malware forensic analysis assistant, using MCP as the communication protocol. The research covers the design of the malware forensic analysis architecture, system testing, and evaluation of the LLM as a malware forensic analysis assistant. The tools used include Ghidra, FlareVM, WSL, llama.cpp and Open WebUI. The evaluation method adopts task-based evaluation, with CAPA as a consistent reference for measuring the ability to discover capabilities in malware. The results of this final project are the stages for integrating Ghidra with an LLM over MCP, measurements of the LLM's ability to discover capabilities and accurately identify malware behaviour, and the factors that influence that ability. The integration was implemented through static IP configuration on FlareVM and WSL, together with netsh portproxy rules to enable communication between components. Open WebUI was deployed with Docker inside WSL, with llama.cpp as the local LLM runtime and OpenRouter as the external LLM service. The results show that the Qwen3.6 27B model improved malware analysis effectiveness by 1.5-4.5 times compared with manual methods, while giving more complete explanations and analytical evidence. Effectiveness was influenced by context window limitations, malware obfuscation, the quality of the MCP-provided context, and the different levels of capability abstraction between the LLM and CAPA. In addition, the LLM tends to over-infer, so analysis results require manual validation.

Item Type: Thesis (Other)
Uncontrolled Keywords: Ghidra, LLM, MCP, Reverse Engineering, Malware, Analisis Malware, Malware Analysis
Subjects: Q Science > QA Mathematics > QA336 Artificial Intelligence
Q Science > QA Mathematics > QA76.585 Cloud computing. Mobile computing.
Q Science > QA Mathematics > QA76.6 Computer programming.
Q Science > QA Mathematics > QA76.625 Internet programming.
Q Science > QA Mathematics > QA76.758 Software engineering
Q Science > QA Mathematics > QA76.76.A63 Application program interfaces
Q Science > QA Mathematics > QA76.9.A25 Computer security. Digital forensic. Data encryption (Computer science)
Q Science > QA Mathematics > QA76.9.C55 Client/server computing
T Technology > T Technology (General) > T58.8 Productivity. Efficiency
Divisions: Faculty of Intelligent Electrical and Informatics Technology (ELECTICS) > Informatics Engineering > 55201-(S1) Undergraduate Thesis
Depositing User: Sri Kusumo Fathoni Rais
Date Deposited: 24 Jun 2026 05:57
Last Modified: 24 Jun 2026 05:57
URI: http://repository.its.ac.id/id/eprint/134024
