Embedded YARA rules: strengthening YARA rules utilising fuzzy hashing and fuzzy rules for malware analysis

Naik, Nitin, Jenkins, Paul, Savage, Nick, Yang, Longzhi, Boongoen, Tossapon, Iam-On, Natthakan, Naik, Kshirasagar and Song, Jingping (2021) Embedded YARA rules: strengthening YARA rules utilising fuzzy hashing and fuzzy rules for malware analysis. Complex & Intelligent Systems, 7 (2). pp. 687-702. ISSN 2199-4536

[img]
Preview
Text
s40747-020-00233-5.pdf - Published Version
Available under License Creative Commons Attribution 4.0.

Download (1MB) | Preview
Official URL: https://doi.org/10.1007/s40747-020-00233-5

Abstract

The YARA rules technique is used in cybersecurity to scan for malware, often in its default form, where rules are created either manually or automatically. Creating YARA rules that enable analysts to label files as suspected malware is a highly technical skill, requiring expertise in cybersecurity. Therefore, in cases where rules are either created manually or automatically, it is desirable to improve both the performance and detection outcomes of the process. In this paper, two methods are proposed utilising the techniques of fuzzy hashing and fuzzy rules, to increase the effectiveness of YARA rules without escalating the complexity and overheads associated with YARA rules. The first proposed method utilises fuzzy hashing referred to as enhanced YARA rules in this paper, where if existing YARA rules fails to detect the inspected file as malware, then it is subjected to fuzzy hashing to assess whether this technique would identify it as malware. The second proposed technique called embedded YARA rules utilises fuzzy hashing and fuzzy rules to improve the outcomes further. Fuzzy rules countenance circumstances where data are imprecise or uncertain, generating a probabilistic outcome indicating the likelihood of whether a file is malware or not. The paper discusses the success of the proposed enhanced YARA rules and embedded YARA rules through several experiments on the collected malware and goodware corpus and their comparative evaluation against YARA rules.

Item Type: Article
Additional Information: Funding Information: The authors gratefully acknowledge the support of Hybrid-Analysis.com, Malshare.com and VirusTotal.com for this research work.
Uncontrolled Keywords: Cybersecurity, Fuzzy hashing, Fuzzy logic, Fuzzy rules, Indicator of compromise, IoC string, Malware analysis, Ransomware, YARA rules
Subjects: G400 Computer Science
G500 Information Systems
Department: Faculties > Engineering and Environment > Computer and Information Sciences
Depositing User: Rachel Branson
Date Deposited: 03 Aug 2022 13:59
Last Modified: 03 Aug 2022 14:00
URI: http://nrl.northumbria.ac.uk/id/eprint/49725

Actions (login required)

View Item View Item

Downloads

Downloads per month over past year

View more statistics