Embedded YARA rules: strengthening YARA rules utilising fuzzy hashing and fuzzy rules for malware analysis

Abstract

The YARA rules technique is used in cybersecurity to scan for malware, often in its default form, where rules are created either manually or automatically. Creating YARA rules that enable analysts to label files as suspected malware is a highly technical skill, requiring expertise in cybersecurity. Therefore, whether rules are created manually or automatically, it is desirable to improve both the performance and detection outcomes of the process. In this paper, two methods are proposed that utilise the techniques of fuzzy hashing and fuzzy rules to increase the effectiveness of YARA rules without escalating the complexity and overheads associated with them. The first proposed method, referred to in this paper as enhanced YARA rules, utilises fuzzy hashing: if the existing YARA rules fail to detect the inspected file as malware, the file is subjected to fuzzy hashing to assess whether this technique would identify it as malware. The second proposed technique, called embedded YARA rules, utilises both fuzzy hashing and fuzzy rules to improve the outcomes further. Fuzzy rules accommodate circumstances where data are imprecise or uncertain, generating a probabilistic outcome that indicates the likelihood of a file being malware or not. The paper discusses the success of the proposed enhanced YARA rules and embedded YARA rules through several experiments on the collected malware and goodware corpus and their comparative evaluation against YARA rules.

Publication DOI: https://doi.org/10.1007/s40747-020-00233-5
Divisions: College of Engineering & Physical Sciences
Additional Information: This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
Uncontrolled Keywords: Malware Analysis, YARA Rules, Fuzzy Rules, Fuzzy Logic, Fuzzy Hashing, Cybersecurity, Ransomware, Indicator of compromise, IoC string
Publication ISSN: 2198-6053
Last Modified: 27 Mar 2024 08:16
Date Deposited: 23 Nov 2020 08:44
Related URLs: https://link.sp ... 747-020-00233-5 (Publisher URL)
PURE Output Type: Article
Published Date: 2021-04
Published Online Date: 2020-11-23
Accepted Date: 2020-11-05
Authors: Naik, Nitin (ORCID Profile 0000-0002-0659-9646)
Jenkins, Paul
Savage, Nick
Yang, Longzhi
Boongoen, Tossapon
Iam-On, Natthakan
Naik, Kshirasagar
Song, Jingping

Version: Published Version

License: Creative Commons Attribution