Zero-day malware detection remains challenging due to the absence of prior knowledge about unseen threats. Method: This paper proposes a novel detection paradigm integrating dynamic binary instrumentation (DBI) with Transformer-based modeling. Leveraging Peekaboo, it extracts fine-grained, real-world assembly-level behavioral sequences—treating x86/x64 ASM instructions as natural language tokens for the first time. Sequence modeling is guided by Zipf’s law, and a function co-occurrence pruning mechanism enforces learning of contextual dependencies and novel instruction combinations, mitigating feature memorization. Unlike conventional approaches relying on static features or API call graphs, this method operates directly on low-level instruction semantics. Contribution/Results: The framework achieves 100% detection accuracy on ransomware, worm, and APT samples, with zero false positives and zero false negatives in malicious/benign classification—demonstrating exceptional robustness and generalization capability against previously unseen malware.

The effectiveness of an AI model in accurately classifying novel malware hinges on the quality of the features it is trained on, which in turn depends on the effectiveness of the analysis tool used. Peekaboo, a Dynamic Binary Instrumentation (DBI) tool, defeats malware evasion techniques to capture authentic behavior at the Assembly (ASM) instruction level. This behavior exhibits patterns consistent with Zipf's law, a distribution commonly seen in natural languages, making Transformer models particularly effective for binary classification tasks. We introduce Alpha, a framework for zero day malware detection that leverages Transformer models and ASM language. Alpha is trained on malware and benign software data collected through Peekaboo, enabling it to identify entirely new samples with exceptional accuracy. Alpha eliminates any common functions from the test samples that are in the training dataset. This forces the model to rely on contextual patterns and novel ASM instruction combinations to detect malicious behavior, rather than memorizing familiar features. By combining the strengths of DBI, ASM analysis, and Transformer architectures, Alpha offers a powerful approach to proactively addressing the evolving threat of malware. Alpha demonstrates perfect accuracy for Ransomware, Worms and APTs with flawless classification for both malicious and benign samples. The results highlight the model's exceptional performance in detecting truly new malware samples.