Fuzzy Hashing Aided Enhanced YARA Rules for Malware Triaging

Abstract

Cybercriminals are becoming more sophisticated wearing a mask of anonymity and unleashing more destructive malware on a daily basis. The biggest challenge is coping with the abundance of malware created and filtering targeted samples of destructive malware for further investigation and analysis whilst discarding any inert samples, thus optimising the analysis by saving time, effort and resources. The most common technique is malware triaging to separate likely malware and unlikely malware samples. One such triaging technique is YARA rules, commonly used to detect and classify malware based on string and pattern matching, rules are triggered and alerted when their condition is satisfied. This pattern matching technique used by YARA rules and its detection rate can be improved in several ways, however, it can lead to bulky and complex rules that affect the performance of YARA rules. This paper proposes a fuzzy hashing aided enhanced YARA rules to improve the detection rate of YARA rules without significantly increasing the complexity and overheads inherent in the process. This proposed approach only uses an additional fuzzy hashing alongside basic YARA rules to complement each other, so that when one method cannot detect a match, then the other technique can. This work employs three triaging methods fuzzy hashing, import hashing and YARA rules to perform extensive experiments on the collected malware samples. The detection rate of enhanced YARA rules is compared against the detection rate of the employed triaging methods to demonstrate the improvement in the overall triaging results.

Publication DOI: https://doi.org/10.1109/SSCI47803.2020.9308189
Divisions: College of Engineering & Physical Sciences
Additional Information: © 2020 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Event Title: 2020 IEEE Symposium Series on Computational Intelligence (SSCI)
Event Type: Other
Event Dates: 2020-12-01 - 2020-12-04
Uncontrolled Keywords: Fuzzy Hashing,Import Hashing,Indicator of Compromise,IoC String,Malware Triaging,Ransomware,YARA Rules,Artificial Intelligence,Computer Science Applications,Decision Sciences (miscellaneous)
ISBN: 978-1-7281-2548-0, 978-1-7281-2547-3
Last Modified: 20 May 2024 07:49
Date Deposited: 11 Jan 2021 12:24
Full Text Link:
Related URLs: https://ieeexpl ... ocument/9308189 (Publisher URL)
http://www.scop ... tnerID=8YFLogxK (Scopus URL)
PURE Output Type: Conference contribution
Published Date: 2021-01-05
Authors: Naik, Nitin (ORCID Profile 0000-0002-0659-9646)
Jenkins, Paul
Savage, Nick
Yang, Longzhi
Naik, Kshirasagar
Song, Jingping
Boongoen, Tossapon
Iam-On, Natthakan

Download

[img]

Version: Accepted Version

| Preview

Export / Share Citation


Statistics

Additional statistics for this record