TY - GEN
T1 - Evaluating Automatically Generated YARA Rules and Enhancing Their Effectiveness
AU - Naik, Nitin
AU - Jenkins, Paul
AU - Cooke, Roger
AU - Gillett, Jonathan
AU - Jin, Yaochu
N1 - Publisher Copyright:
© 2020 IEEE.
PY - 2020/12/1
Y1 - 2020/12/1
AB - Emerging as a widely accepted technique for malware analysis, YARA rules, due to their flexible and customisable nature, allow malware analysts to develop rules according to the requirements of a specific security domain. YARA rules can be automatically generated using tools; however, they may require post-processing for their optimisation and may not be effective for the specific security domain. This creates the requirement to enhance automatically generated YARA rules and increase their effectiveness for malware analysis without increasing computational overheads. Reflecting on the above requirement, this paper initially evaluates automatically generated YARA rules using three YARA tools: yarGen, yaraGenerator and yabin. These tools are Python-based open-source tools that generate YARA rules automatically using different underlying techniques. Subsequently, it proposes a method to enhance automatically generated YARA rules using a fuzzy hashing method. This proposed enhancement method can improve the effectiveness of YARA rules irrespective of the YARA tool chosen to generate them, which is demonstrated through several experiments on samples of collected malware and goodware.
KW - Fuzzy Hashing
KW - Indicator of Compromise
KW - IoC String
KW - Malware Analysis
KW - Ransomware
KW - YARA Rules
KW - yabin
KW - yarGen
KW - yaraGenerator
UR - http://www.scopus.com/inward/record.url?scp=85099705844&partnerID=8YFLogxK
U2 - 10.1109/SSCI47803.2020.9308179
DO - 10.1109/SSCI47803.2020.9308179
M3 - Conference contribution
AN - SCOPUS:85099705844
T3 - 2020 IEEE Symposium Series on Computational Intelligence, SSCI 2020
SP - 1146
EP - 1153
BT - 2020 IEEE Symposium Series on Computational Intelligence, SSCI 2020
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2020 IEEE Symposium Series on Computational Intelligence, SSCI 2020
Y2 - 1 December 2020 through 4 December 2020
ER -