Embedded YARA rules: strengthening YARA rules utilising fuzzy hashing and fuzzy rules for malware analysis
Complex & Intelligent Systems (IF 5.0), Pub Date: 2020-11-23, DOI: 10.1007/s40747-020-00233-5
Nitin Naik , Paul Jenkins , Nick Savage , Longzhi Yang , Tossapon Boongoen , Natthakan Iam-On , Kshirasagar Naik , Jingping Song

YARA rules are used in cybersecurity to scan for malware, usually in their default form, with rules created either manually or automatically. Writing YARA rules that let analysts label files as suspected malware is a highly technical skill requiring cybersecurity expertise, so whether rules are created manually or automatically it is desirable to improve both the performance and the detection outcomes of the process. This paper proposes two methods, built on fuzzy hashing and fuzzy rules, that increase the effectiveness of YARA rules without escalating the complexity and overheads associated with them. The first method, referred to here as enhanced YARA rules, uses fuzzy hashing: if the existing YARA rules fail to detect the inspected file as malware, the file is subjected to fuzzy hashing to assess whether that technique identifies it as malware. The second method, called embedded YARA rules, combines fuzzy hashing with fuzzy rules to improve the outcomes further. Fuzzy rules accommodate circumstances where the data are imprecise or uncertain, producing a probabilistic outcome that indicates how likely a file is to be malware. The paper reports the success of the proposed enhanced YARA rules and embedded YARA rules through several experiments on the collected malware and goodware corpus, and their comparative evaluation against plain YARA rules.
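The two pipelines the abstract describes, as an added example that is not the paper's code: a YARA-like rule stand-in, a toy context-triggered piecewise hash standing in for ssdeep, and a small zero-order Sugeno rule base over the similarity scores. Everything concrete here is an assumption constructed for the example: the `SimpleRule` class, the `fuzzy_hash`/`similarity` functions, the `low`/`medium`/`high` membership functions and the five rules, the similarity threshold of 70, the two indicator strings, and the synthetic sample files. The paper's actual rules, thresholds and corpus are not on this page.

```python
"""Enhanced and embedded YARA pipeline in miniature (stdlib only; added example)."""
import hashlib
from dataclasses import dataclass
from difflib import SequenceMatcher

# --- stage 1: YARA rules. Stand-in for a compiled rule (assumption: real code would use
# yara-python). Strings match case-sensitively, like a YARA string without `nocase`.
@dataclass(frozen=True)
class SimpleRule:
    name: str
    strings: tuple          # byte patterns
    min_hits: int           # condition: at least this many of the strings present

    def match(self, data: bytes) -> bool:
        return sum(1 for s in self.strings if s in data) >= self.min_hits

# --- stage 2: fuzzy hashing. Toy context-triggered piecewise hash in the spirit of ssdeep
# (assumption: ssdeep itself is not reimplemented). A 7-byte rolling window picks chunk
# boundaries from content, so an edit only disturbs the chunks around it and the rest of
# the hash string stays aligned; that is what makes variants score as similar.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW, BLOCK = 7, 16   # boundary fires when the rolling value == BLOCK-1, i.e. every ~16 bytes

def fuzzy_hash(data: bytes) -> str:
    chars, chunk = [], bytearray()
    for i, b in enumerate(data):
        chunk.append(b)
        if sum(data[max(0, i - WINDOW + 1):i + 1]) % BLOCK == BLOCK - 1:
            chars.append(ALPHABET[hashlib.sha1(chunk).digest()[0] % 64])
            chunk = bytearray()
    if chunk:                                      # flush the trailing partial chunk
        chars.append(ALPHABET[hashlib.sha1(chunk).digest()[0] % 64])
    return f"{BLOCK}:{''.join(chars)}"

def similarity(h1: str, h2: str) -> int:
    """0..100 score. ssdeep uses a weighted edit distance; difflib's ratio is the stand-in."""
    a, b = h1.split(":", 1)[1], h2.split(":", 1)[1]
    return round(100 * SequenceMatcher(None, a, b, autojunk=False).ratio())

# --- stage 3: fuzzy rules over the similarity scores (membership functions and rules are
# illustrative assumptions, not the paper's).
def low(x):    return max(0.0, min(1.0, (50 - x) / 30))   # 1 at <=20, 0 at >=50
def medium(x): return max(0.0, 1 - abs(x - 55) / 25)       # 0 at 30, peak 55, 0 at 80
def high(x):   return max(0.0, min(1.0, (x - 60) / 25))    # 0 at <=60, 1 at >=85

def fuzzy_likelihood(mal_sim: float, good_sim: float) -> float:
    """Zero-order Sugeno inference: each rule fires with a strength and votes a crisp
    likelihood; the output is the strength-weighted mean, so it stays in [0, 1]."""
    rules = [
        (high(mal_sim), 0.95),                              # mal HIGH -> malware
        (min(medium(mal_sim), 1 - high(good_sim)), 0.60),   # mal MEDIUM and good NOT HIGH
        (min(medium(mal_sim), high(good_sim)), 0.30),       # mal MEDIUM and good HIGH
        (low(mal_sim), 0.10),                               # mal LOW -> not malware
        (high(good_sim), 0.05),                             # good HIGH -> not malware
    ]
    total = sum(w for w, _ in rules)
    return round(sum(w * c for w, c in rules) / total, 3) if total else 0.5

def _yara_stage(data, rules):
    return next((r.name for r in rules if r.match(data)), None)

def enhanced_yara(data: bytes, rules, malware_hashes, threshold: int = 70):
    """Method 1: YARA first; on a miss, fuzzy-hash the file and compare it with the
    known-malware hashes (threshold is an assumed tuning value)."""
    if (name := _yara_stage(data, rules)) is not None:
        return "malware", f"yara:{name}"
    best = max((similarity(fuzzy_hash(data), h) for h in malware_hashes), default=0)
    return ("malware" if best >= threshold else "undetected"), f"fuzzy_hash:{best}"

def embedded_yara(data: bytes, rules, malware_hashes, goodware_hashes):
    """Method 2: same YARA stage, then fuzzy rules over the best similarity to the malware
    corpus and to the goodware corpus, yielding a likelihood rather than a yes/no."""
    if (name := _yara_stage(data, rules)) is not None:
        return 1.0, f"yara:{name}"
    h = fuzzy_hash(data)
    mal = max((similarity(h, k) for k in malware_hashes), default=0)
    good = max((similarity(h, k) for k in goodware_hashes), default=0)
    return fuzzy_likelihood(mal, good), f"fuzzy_rules:mal={mal},good={good}"

# --- constructed corpus: deterministic filler standing in for code/data sections, not real binaries.
def _blob(seed: bytes, size: int) -> bytes:
    return b"".join(hashlib.sha256(seed + n.to_bytes(4, "big")).digest()
                    for n in range(size // 32 + 1))[:size]

IOC_CMD, IOC_URL = b"cmd.exe /c whoami", b"http://evil.invalid/c2"   # hypothetical indicators
RULE = SimpleRule("fam_a_dropper", (IOC_CMD, IOC_URL), 2)
MALWARE_A = _blob(b"a:text", 1024) + IOC_CMD + _blob(b"a:data", 1024) + IOC_URL + _blob(b"a:rsrc", 512)
# Same bytes with the two strings re-cased/defanged: the rule misses it, everything else is unchanged.
MALWARE_A_VARIANT = MALWARE_A.replace(IOC_CMD, b"CMD.EXE /C WHOAMI").replace(IOC_URL, b"hxxp://evil.invalid/c2")
GOODWARE_B = _blob(b"benign", 2048) + b"Usage: tool [options] FILE"
UNRELATED_C = _blob(b"unrelated", 2600)
MAL_HASHES, GOOD_HASHES = [fuzzy_hash(MALWARE_A)], [fuzzy_hash(GOODWARE_B)]

def demo():
    samples = {"A": MALWARE_A, "A-variant": MALWARE_A_VARIANT, "B": GOODWARE_B, "C": UNRELATED_C}
    return {n: (enhanced_yara(d, [RULE], MAL_HASHES), embedded_yara(d, [RULE], MAL_HASHES, GOOD_HASHES))
            for n, d in samples.items()}

if __name__ == "__main__":
    for n, (enh, emb) in demo().items():
        print(f"{n:10} enhanced={enh}  embedded={emb}")
```

The variant evades the string rule but keeps almost all of its bytes, so the fuzzy hash catches it in the enhanced stage and the fuzzy rules give it a high likelihood; the unrelated file falls through both stages with a low likelihood. To run this against real tooling, replace `SimpleRule` with `yara.compile(source=...)` and `.match(data=...)` from yara-python, and `fuzzy_hash`/`similarity` with `ssdeep.hash()` and `ssdeep.compare()`. The caveat carries over unchanged: a packed or rewritten variant shares few bytes with its parent, so its similarity score is low and the fuzzy rules can only soften that miss, not recover it.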




Updated: 2020-11-23