TY - GEN
T1 - Augmented YARA Rules Fused with Fuzzy Hashing in Ransomware Triaging
AU - Naik, Nitin
AU - Jenkins, Paul
AU - Savage, Nick
AU - Yang, Longzhi
AU - Naik, Kshirasagar
AU - Song, Jingping
N1 - Publisher Copyright:
© 2019 IEEE.
PY - 2019/12
Y1 - 2019/12
AB - Triaging is an initial stage of malware analysis that assesses whether a sample is malicious and how similar it is to known malware. It applies to any malware category, including ransomware, a type of malware that blocks access to a system or its data, usually by encrypting it. Ransomware has become the main modus operandi for cybercriminals extorting money from victims, helped by the growth of cryptocurrencies, and it affects all types of users, from corporations to home users. Ransomware can be prevented in several ways, but a simple first step is to triage a sample without executing it. Several triaging methods are in use, such as fuzzy hashing, import hashing and YARA rules; of these, YARA rules are among the most popular and widely used. Their success or failure, however, depends on the quality of the rules employed. This paper performs ransomware triaging using fuzzy hashing, import hashing and YARA rules and demonstrates how YARA rules can be improved using fuzzy hashing to obtain relatively better triaging results. It then proposes augmented YARA rules fused with fuzzy hashing, which yield improved triaging results and performance efficiency compared with each of the three triaging methods on its own. Finally, the paper demonstrates how the fused YARA rules can improve triaging results irrespective of the type of malware.
KW - fuzzy hashing
KW - import hashing
KW - mvhash-b
KW - ransomware
KW - sdhash
KW - ssdeep
KW - wannacry
KW - wannacryptor
KW - yara rules
UR - http://www.scopus.com/inward/record.url?scp=85080958929&partnerID=8YFLogxK
U2 - 10.1109/SSCI44817.2019.9002773
DO - 10.1109/SSCI44817.2019.9002773
M3 - Conference contribution
AN - SCOPUS:85080958929
T3 - 2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019
SP - 625
EP - 632
BT - 2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019
Y2 - 6 December 2019 through 9 December 2019
ER -
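The abstract describes fusing a YARA rule with a fuzzy-hash similarity check so that a sample is flagged when either leg fires. The following is an added illustration of that idea, not the paper's code or the authors' rule set: the fuzzy hash is a simplified context-triggered piecewise hash written here in the spirit of ssdeep (fixed trigger modulus, toy rolling hash), not ssdeep itself; the rule matcher is a minimal stand-in for a YARA `N of them` strings condition; the samples, the rule name `ransom_note_strings`, the family name `known_family` and the threshold of 70 are all constructed for the example.

```python
"""Fused triage toy: a YARA-style string rule OR a fuzzy-hash similarity check.
Added illustration, not the paper's code. The fuzzy hash is a simplified
context-triggered piecewise hash (CTPH) in the spirit of ssdeep, not ssdeep
itself; the rule matcher is a minimal stand-in for a YARA strings condition."""
import hashlib

WINDOW = 7          # rolling-hash window width (the width ssdeep rolls over)
TRIGGER_MOD = 8     # assumption: fixed trigger modulus; real ssdeep adapts its block size
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def fuzzy_hash(data: bytes) -> str:
    """Emit one symbol per piece; a piece closes whenever the rolling hash of the
    last WINDOW bytes hits TRIGGER_MOD-1. Boundaries depend on local content only,
    so a localized edit perturbs a few symbols and the rest re-synchronise."""
    out, piece = [], bytearray()
    for i, b in enumerate(data):
        piece.append(b)
        rolling = sum(data[max(0, i - WINDOW + 1):i + 1]) % TRIGGER_MOD  # toy rolling hash
        if rolling == TRIGGER_MOD - 1:
            out.append(ALPHABET[hashlib.sha1(bytes(piece)).digest()[0] & 0x3F])
            piece = bytearray()
    if piece:  # trailing partial piece
        out.append(ALPHABET[hashlib.sha1(bytes(piece)).digest()[0] & 0x3F])
    return "".join(out)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two piece strings (ssdeep scores the same way)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def similarity(h1: str, h2: str) -> int:
    """0..100; 100 means identical piece strings."""
    longest = max(len(h1), len(h2))
    return 100 if longest == 0 else round(100 * (1 - levenshtein(h1, h2) / longest))


def rule_matches(rule: dict, data: bytes) -> bool:
    """YARA-like condition `N of them`: at least min_strings of the strings occur."""
    return sum(1 for s in rule["strings"] if s in data) >= rule["min_strings"]


def triage(sample: bytes, rule: dict, known_hashes: dict, threshold: int):
    """Fused verdict: the rule's own strings fire OR the sample's fuzzy hash is
    at least `threshold` similar to a known family hash. Returns (verdict, reasons)
    so the analyst can see which leg produced the hit."""
    reasons = []
    if rule_matches(rule, sample):
        reasons.append("yara:" + rule["name"])
    h = fuzzy_hash(sample)
    for family, known in known_hashes.items():
        score = similarity(h, known)
        if score >= threshold:
            reasons.append(f"fuzzy:{family}:{score}")
    return ("match" if reasons else "no-match"), reasons


def lcg_bytes(n: int, a: int, c: int) -> bytes:
    """Deterministic filler standing in for code/data sections (constructed data)."""
    return bytes((a * i + c) % 256 for i in range(n))


# Constructed samples; hypothetical rule and family names.
RULE = {"name": "ransom_note_strings", "min_strings": 2,
        "strings": [b"Your files have been encrypted", b"DECRYPT_INSTRUCTIONS", b"bitcoin"]}
NOTE = b"\x00".join(RULE["strings"])
KNOWN_SAMPLE = lcg_bytes(1024, 131, 7) + NOTE
KNOWN_HASHES = {"known_family": fuzzy_hash(KNOWN_SAMPLE)}

# Same code with a 16-byte patch and an XOR-obfuscated note: strings miss, fuzzy hits.
_patched = bytearray(KNOWN_SAMPLE[:1024]); _patched[200:216] = b"\xff" * 16
OBFUSCATED_VARIANT = bytes(_patched) + bytes(x ^ 0x5A for x in NOTE)
# Rebuilt binary reusing the plaintext note: fuzzy misses, strings hit.
REBUILT_VARIANT = lcg_bytes(1024, 37, 91) + NOTE
# Unrelated bytes, no note: neither leg fires.
CLEAN_SAMPLE = lcg_bytes(1024, 53, 201)

if __name__ == "__main__":
    for name, s in [("obfuscated", OBFUSCATED_VARIANT), ("rebuilt", REBUILT_VARIANT), ("clean", CLEAN_SAMPLE)]:
        print(name, *triage(s, RULE, KNOWN_HASHES, threshold=70))
```

The two variants show why the fusion helps: an obfuscated ransom note defeats the string rule but leaves most of the binary intact, which the piecewise hash still recognises, while a rebuilt binary that reuses the plaintext note is far from the known hash but trips the strings. In a real pipeline the toy hash would be replaced by ssdeep (or sdhash, mvhash-b) and the matcher by yara-python; note that ssdeep's adaptive block size means hashes of files of very different sizes are not comparable, and the similarity threshold has to be tuned per family against a clean corpus, since a low threshold turns the fuzzy leg into a false-positive generator.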