Augmented YARA Rules Fused with Fuzzy Hashing in Ransomware Triaging

Nitin Naik; Paul Jenkins; Nick Savage; Longzhi Yang; Kshirasagar Naik; Jingping Song

doi:10.1109/SSCI44817.2019.9002773

Augmented YARA Rules Fused with Fuzzy Hashing in Ransomware Triaging

Nitin Naik, Paul Jenkins, Nick Savage, Longzhi Yang, Kshirasagar Naik, Jingping Song

College of Engineering and Physical Sciences

Research output: Chapter in Book/Published conference output › Conference publication

Abstract

Triaging is an initial stage of malware analysis to assess whether a sample is malware or not and the degree of similarity it holds with known malware. It can be applied to any malware category such as ransomware, which is a type of malware that blocks access to a system or data, usually by encrypting it. It has become the main modus operandi for cybercriminals to extort monies from victims due to the growth of cryptocurrencies. Consequently, it severely affects all types of users whether they be from corporates or ordinary home users. Ransomware can be prevented in several different ways, however, the simple and initial step in prevention is its triaging without execution. Several triaging methods are in use such as fuzzy hashing, import hashing and YARA rules, amongst all, YARA rules are one of the most popular and widely used methods. Nonetheless, its success or failure is dependent on the quality of rules employed for malware triaging. This paper performs ransomware triaging using fuzzy hashing, import hashing and YARA rules and demonstrates how YARA rules can be improved using fuzzy hashing to obtain relatively better triaging results. Subsequently, it proposes the augmented YARA rules fused with fuzzy hashing to obtain improved triaging results and performance efficiency in comparison to all three triaging methods individually. Finally, the paper demonstrates how the use of the fused YARA rules can improve triaging results irrespective of the type of malware.

Original language	English
Title of host publication	2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019
Publisher	IEEE
Pages	625-632
Number of pages	8
ISBN (Electronic)	9781728124858
ISBN (Print)	978-1-7281-2486-5
DOIs	https://doi.org/10.1109/SSCI44817.2019.9002773
Publication status	Published - 20 Feb 2020
Event	2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019 - Xiamen, China Duration: 6 Dec 2019 → 9 Dec 2019

Publication series

Name	2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019

Conference

Conference	2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019
Country/Territory	China
City	Xiamen
Period	6/12/19 → 9/12/19

Bibliographical note

© 2020 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

Keywords

fuzzy hashing
import hashing
mvhash-b
ran-somware
sdhash
ssdeep
wannacry
wannacryptor
yara rules

Access to Document

10.1109/SSCI44817.2019.9002773

Augmented YARA Rules Fused With Fuzzy Hashing in Ransomware Triaging
© 2020 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Accepted author manuscript, 605 KB

Cite this

@inproceedings{86292e77a54747dda70c9db6b2d471f2,

title = "Augmented YARA Rules Fused with Fuzzy Hashing in Ransomware Triaging",

abstract = "Triaging is an initial stage of malware analysis to assess whether a sample is malware or not and the degree of similarity it holds with known malware. It can be applied to any malware category such as ransomware, which is a type of malware that blocks access to a system or data, usually by encrypting it. It has become the main modus operandi for cybercriminals to extort monies from victims due to the growth of cryptocurrencies. Consequently, it severely affects all types of users whether they be from corporates or ordinary home users. Ransomware can be prevented in several different ways, however, the simple and initial step in prevention is its triaging without execution. Several triaging methods are in use such as fuzzy hashing, import hashing and YARA rules, amongst all, YARA rules are one of the most popular and widely used methods. Nonetheless, its success or failure is dependent on the quality of rules employed for malware triaging. This paper performs ransomware triaging using fuzzy hashing, import hashing and YARA rules and demonstrates how YARA rules can be improved using fuzzy hashing to obtain relatively better triaging results. Subsequently, it proposes the augmented YARA rules fused with fuzzy hashing to obtain improved triaging results and performance efficiency in comparison to all three triaging methods individually. Finally, the paper demonstrates how the use of the fused YARA rules can improve triaging results irrespective of the type of malware.",

keywords = "fuzzy hashing, import hashing, mvhash-b, ran-somware, sdhash, ssdeep, wannacry, wannacryptor, yara rules",

author = "Nitin Naik and Paul Jenkins and Nick Savage and Longzhi Yang and Kshirasagar Naik and Jingping Song",

note = "{\textcopyright} 2020 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.; 2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019 ; Conference date: 06-12-2019 Through 09-12-2019",

year = "2020",

month = feb,

day = "20",

doi = "10.1109/SSCI44817.2019.9002773",

language = "English",

isbn = "978-1-7281-2486-5",

series = "2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019",

publisher = "IEEE",

pages = "625--632",

booktitle = "2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019",

address = "United States",

}

Naik, N, Jenkins, P, Savage, N, Yang, L, Naik, K & Song, J 2020, Augmented YARA Rules Fused with Fuzzy Hashing in Ransomware Triaging. in 2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019., 9002773, 2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019, IEEE, pp. 625-632, 2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019, Xiamen, China, 6/12/19. https://doi.org/10.1109/SSCI44817.2019.9002773

Augmented YARA Rules Fused with Fuzzy Hashing in Ransomware Triaging. / Naik, Nitin; Jenkins, Paul; Savage, Nick et al.
2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019. IEEE, 2020. p. 625-632 9002773 (2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019).

Research output: Chapter in Book/Published conference output › Conference publication

TY - GEN

T1 - Augmented YARA Rules Fused with Fuzzy Hashing in Ransomware Triaging

AU - Naik, Nitin

AU - Jenkins, Paul

AU - Savage, Nick

AU - Yang, Longzhi

AU - Naik, Kshirasagar

AU - Song, Jingping

N1 - © 2020 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

PY - 2020/2/20

Y1 - 2020/2/20

N2 - Triaging is an initial stage of malware analysis to assess whether a sample is malware or not and the degree of similarity it holds with known malware. It can be applied to any malware category such as ransomware, which is a type of malware that blocks access to a system or data, usually by encrypting it. It has become the main modus operandi for cybercriminals to extort monies from victims due to the growth of cryptocurrencies. Consequently, it severely affects all types of users whether they be from corporates or ordinary home users. Ransomware can be prevented in several different ways, however, the simple and initial step in prevention is its triaging without execution. Several triaging methods are in use such as fuzzy hashing, import hashing and YARA rules, amongst all, YARA rules are one of the most popular and widely used methods. Nonetheless, its success or failure is dependent on the quality of rules employed for malware triaging. This paper performs ransomware triaging using fuzzy hashing, import hashing and YARA rules and demonstrates how YARA rules can be improved using fuzzy hashing to obtain relatively better triaging results. Subsequently, it proposes the augmented YARA rules fused with fuzzy hashing to obtain improved triaging results and performance efficiency in comparison to all three triaging methods individually. Finally, the paper demonstrates how the use of the fused YARA rules can improve triaging results irrespective of the type of malware.

AB - Triaging is an initial stage of malware analysis to assess whether a sample is malware or not and the degree of similarity it holds with known malware. It can be applied to any malware category such as ransomware, which is a type of malware that blocks access to a system or data, usually by encrypting it. It has become the main modus operandi for cybercriminals to extort monies from victims due to the growth of cryptocurrencies. Consequently, it severely affects all types of users whether they be from corporates or ordinary home users. Ransomware can be prevented in several different ways, however, the simple and initial step in prevention is its triaging without execution. Several triaging methods are in use such as fuzzy hashing, import hashing and YARA rules, amongst all, YARA rules are one of the most popular and widely used methods. Nonetheless, its success or failure is dependent on the quality of rules employed for malware triaging. This paper performs ransomware triaging using fuzzy hashing, import hashing and YARA rules and demonstrates how YARA rules can be improved using fuzzy hashing to obtain relatively better triaging results. Subsequently, it proposes the augmented YARA rules fused with fuzzy hashing to obtain improved triaging results and performance efficiency in comparison to all three triaging methods individually. Finally, the paper demonstrates how the use of the fused YARA rules can improve triaging results irrespective of the type of malware.

KW - fuzzy hashing

KW - import hashing

KW - mvhash-b

KW - ran-somware

KW - sdhash

KW - ssdeep

KW - wannacry

KW - wannacryptor

KW - yara rules

UR - http://www.scopus.com/inward/record.url?scp=85080958929&partnerID=8YFLogxK

UR - https://ieeexplore.ieee.org/document/9002773

U2 - 10.1109/SSCI44817.2019.9002773

DO - 10.1109/SSCI44817.2019.9002773

M3 - Conference publication

AN - SCOPUS:85080958929

SN - 978-1-7281-2486-5

T3 - 2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019

SP - 625

EP - 632

BT - 2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019

PB - IEEE

T2 - 2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019

Y2 - 6 December 2019 through 9 December 2019

ER -

Augmented YARA Rules Fused with Fuzzy Hashing in Ransomware Triaging

Abstract

Publication series

Conference

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Cite this