Embedded YARA rules: strengthening YARA rules utilising fuzzy hashing and fuzzy rules for malware analysis


ORIGINAL ARTICLE

Embedded YARA rules: strengthening YARA rules utilising fuzzy hashing and fuzzy rules for malware analysis

Nitin Naik1 · Paul Jenkins2 · Nick Savage2 · Longzhi Yang3 · Tossapon Boongoen4 · Natthakan Iam-On4 · Kshirasagar Naik5 · Jingping Song6

Received: 6 July 2020 / Accepted: 5 November 2020
© The Author(s) 2020

Abstract

The YARA rules technique is used in cybersecurity to scan for malware, often in its default form, where rules are created either manually or automatically. Creating YARA rules that enable analysts to label files as suspected malware is a highly technical skill, requiring expertise in cybersecurity. Therefore, in cases where rules are either created manually or automatically, it is desirable to improve both the performance and detection outcomes of the process. In this paper, two methods are proposed utilising the techniques of fuzzy hashing and fuzzy rules to increase the effectiveness of YARA rules without escalating the complexity and overheads associated with YARA rules. The first proposed method utilises fuzzy hashing and is referred to as enhanced YARA rules in this paper: if the existing YARA rules fail to detect the inspected file as malware, the file is subjected to fuzzy hashing to assess whether this technique would identify it as malware. The second proposed technique, called embedded YARA rules, utilises fuzzy hashing and fuzzy rules to improve the outcomes further. Fuzzy rules countenance circumstances where data are imprecise or uncertain, generating a probabilistic outcome indicating the likelihood of whether a file is malware or not. The paper discusses the success of the proposed enhanced YARA rules and embedded YARA rules through several experiments on the collected malware and goodware corpus and their comparative evaluation against YARA rules.

Keywords: Malware analysis · YARA rules · Fuzzy rules · Fuzzy logic · Fuzzy hashing · Cybersecurity · Ransomware · Indicator of compromise · IoC string
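The enhanced YARA rules flow described in the abstract (YARA string rules first, fuzzy hashing only when they miss) as an added Python example; this is not code from the paper or its authors. It stands in for yara-python with a small string-rule matcher and for ssdeep with a toy context-triggered piecewise hash scored by difflib, so it runs offline; the rule, the IoC string, the known-sample hash, the threshold of 60 and the byte samples are all constructed for the demonstration. The point it makes is the one the abstract makes: a variant whose IoC string has been rewritten slips past the string rule but still scores close to the known sample under fuzzy hashing, while unrelated goodware scores low and stays clean.

```python
import difflib
import random

# Stand-in for YARA string rules (constructed; a real deployment would compile the
# equivalent rule with yara-python). The dict below models this YARA rule:
#   rule Ransom_Note_IoC { strings: $a = "YOUR FILES HAVE BEEN ENCRYPTED" condition: $a }
RULES = {
    "Ransom_Note_IoC": {"strings": [b"YOUR FILES HAVE BEEN ENCRYPTED"], "condition": "any"},
}


def yara_match(data: bytes, rules: dict = RULES) -> list:
    """Return the names of rules whose IoC strings occur in data ('any' or 'all' of them)."""
    hits = []
    for name, rule in rules.items():
        found = [s in data for s in rule["strings"]]
        if (rule["condition"] == "all" and all(found)) or (rule["condition"] == "any" and any(found)):
            hits.append(name)
    return hits


# Toy context-triggered piecewise hash, a stand-in for ssdeep (constructed, not ssdeep's algorithm).
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def fuzzy_hash(data: bytes, block_size: int = 8, window: int = 4) -> str:
    """Cut data into pieces wherever the sum of the last `window` bytes hits a trigger value,
    then emit one base64 character per piece (FNV-1a of the piece's bytes). Because the cut
    points depend on content rather than offsets, a local edit only disturbs nearby pieces."""
    digest = []
    piece = 0x811C9DC5                      # FNV-1a offset basis
    for i, b in enumerate(data):
        piece = ((piece ^ b) * 0x01000193) & 0xFFFFFFFF
        if sum(data[max(0, i - window + 1): i + 1]) % block_size == block_size - 1:
            digest.append(ALPHABET[piece & 63])
            piece = 0x811C9DC5
    digest.append(ALPHABET[piece & 63])     # flush the trailing piece
    return "".join(digest)


def similarity(h1: str, h2: str) -> int:
    """0..100 score between two digests; ssdeep uses a weighted edit distance, difflib stands in."""
    return round(100 * difflib.SequenceMatcher(None, h1, h2).ratio())


def enhanced_scan(data: bytes, known_hashes: dict, threshold: int = 60) -> tuple:
    """Enhanced YARA rules flow: YARA rules first; on a miss, compare the file's fuzzy hash
    against the fuzzy hashes of known malware and flag it if the best score reaches threshold.
    Returns (verdict, matched_name, score)."""
    hits = yara_match(data)
    if hits:
        return ("yara", hits[0], 100)
    h = fuzzy_hash(data)
    best_name, best_score = max(
        ((name, similarity(h, kh)) for name, kh in known_hashes.items()),
        key=lambda t: t[1], default=(None, 0))
    if best_score >= threshold:
        return ("fuzzy", best_name, best_score)
    return ("clean", None, best_score)


def _pseudo_bytes(seed: int, n: int) -> bytes:
    """Deterministic filler bytes standing in for a code body (constructed)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed corpus: a known sample, a variant with the IoC string rewritten, and unrelated goodware.
PAYLOAD = _pseudo_bytes(1, 320)
KNOWN_MALWARE = b"NOTE: YOUR FILES HAVE BEEN ENCRYPTED\n" + PAYLOAD
VARIANT = b"NOTE: y0ur f1les are l0cked\n" + PAYLOAD        # same body, IoC string changed
GOODWARE = b"Hello from a benign tool\n" + _pseudo_bytes(2, 320)
KNOWN_HASHES = {"known_ransomware_sample": fuzzy_hash(KNOWN_MALWARE)}

if __name__ == "__main__":
    for label, sample in (("known", KNOWN_MALWARE), ("variant", VARIANT), ("goodware", GOODWARE)):
        print(label, enhanced_scan(sample, KNOWN_HASHES))
```

The threshold is the tuning knob a practitioner would study with a real corpus: too low and fuzzy matches start flagging goodware that merely shares library code with a known sample, too high and the fallback adds nothing over the string rules. Logging the score alongside the verdict, as the tuple above does, is what makes that tuning possible.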

Introduction

YARA is an established malware analysis technique, discovering malware based on their strings and signature matching [47]. YARA rules are written based on reverse engineering malware families and finding Indicator of Compromise (IoC) strings. YARA rules are very effective due to their customisable features by which any individual or enterprise can develop their own rules as per their requirement for target

Nitin Naik [email protected]
Jingping Song [email protected]
Natthakan Iam-On [email protected]
Kshirasagar Naik [email protected]

1 School of Informatics and Digital Engineering, Aston University, Birmingham, UK
2 School of Computing, University of Portsmouth, Portsmouth, UK
3 Department of Computer and Information Sciences, Northumbria University, Newcastle upon Tyne, UK
4 Center of Excellence in AI and Emerging Technologies, School of Information Technology, Mae Fah Luang University, Chiang Rai, Thailand
5 Department of Electrical and Computer Engineering, University of Waterloo, Waterloo, Canada
6 Software College, Northeastern Un