Abstract: Existing Linux malware analysis tools often struggle to scale across diverse CPU architectures, while many automated detectors provide only coarse-grained verdicts with limited evidence for forensic analysis. We present MirrorShield, a lightweight dynamic analysis framework that executes multi-architecture Linux binaries via containerized QEMU user-mode emulation and collects syscall-level telemetry through an eBPF-based kernel monitor.
Research Statement: AI agents are now used in many critical tasks. This creates clear risks: