Embedding Fuzzy Rules with YARA Rules for Performance Optimisation of Malware Analysis

Nitin Naik; Paul Jenkins; Nick Savage; Longzhi Yang; Kshirasagar Naik; Jingping Song

doi:10.1109/FUZZ48607.2020.9177856

Embedding Fuzzy Rules with YARA Rules for Performance Optimisation of Malware Analysis

Nitin Naik, Paul Jenkins, Nick Savage, Longzhi Yang, Kshirasagar Naik, Jingping Song

College of Engineering and Physical Sciences

Research output: Chapter in Book/Published conference output › Conference publication

Abstract

YARA rules utilises string or pattern matching to perform malware analysis and is one of the most effective methods in use today. However, its effectiveness is dependent on the quality and quantity of YARA rules employed in the analysis. This can be managed through the rule optimisation process, although, this may not necessarily guarantee effective utilisation of YARA rules and its generated findings during its execution phase, as the main focus of YARA rules is in determining whether to trigger a rule or not, for a suspect sample after examining its rule condition. YARA rule conditions are Boolean expressions, mostly focused on the binary outcome of the malware analysis, which may limit the optimised use of YARA rules and its findings despite generating significant information during the execution phase. Therefore, this paper proposes embedding fuzzy rules with YARA rules to optimise its performance during the execution phase. Fuzzy rules can manage imprecise and incomplete data and encompass a broad range of conditions, which may not be possible in Boolean logic. This embedding may be more advantageous when the YARA rules become more complex, resulting in multiple complex conditions, which may not be processed efficiently utilising Boolean expressions alone, thus compromising effective decision-making. This proposed embedded approach is applied on a collected malware corpus and is tested against the standard and enhanced YARA rules to demonstrate its success.

Original language	English
Title of host publication	2020 IEEE International Conference on Fuzzy Systems, FUZZ 2020 - Proceedings
Publisher	IEEE
ISBN (Electronic)	9781728169323
DOIs	https://doi.org/10.1109/FUZZ48607.2020.9177856
Publication status	Published - 26 Aug 2020
Event	2020 IEEE International Conference on Fuzzy Systems, FUZZ 2020 - Glasgow, United Kingdom Duration: 19 Jul 2020 → 24 Jul 2020

Publication series

Name	IEEE International Conference on Fuzzy Systems
Volume	2020-July
ISSN (Print)	1098-7584

Conference

Conference	2020 IEEE International Conference on Fuzzy Systems, FUZZ 2020
Country/Territory	United Kingdom
City	Glasgow
Period	19/07/20 → 24/07/20

Bibliographical note

© 2020 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

Keywords

Fuzzy Hashing
Fuzzy Logic
Fuzzy Rules
Malware Analysis
Performance Optimisation
Ransomware
YARA Rules

Access to Document

10.1109/FUZZ48607.2020.9177856

FUZZ-IEEE-20-Embedded-YARA-Rules
© 2020 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Accepted author manuscript, 808 KB

Cite this

Naik, N., Jenkins, P., Savage, N., Yang, L., Naik, K., & Song, J. (2020). Embedding Fuzzy Rules with YARA Rules for Performance Optimisation of Malware Analysis. In 2020 IEEE International Conference on Fuzzy Systems, FUZZ 2020 - Proceedings Article 9177856 (IEEE International Conference on Fuzzy Systems; Vol. 2020-July). IEEE. https://doi.org/10.1109/FUZZ48607.2020.9177856

@inproceedings{8c8c955b5057479eb0ff7968de139664,

title = "Embedding Fuzzy Rules with YARA Rules for Performance Optimisation of Malware Analysis",

abstract = "YARA rules utilises string or pattern matching to perform malware analysis and is one of the most effective methods in use today. However, its effectiveness is dependent on the quality and quantity of YARA rules employed in the analysis. This can be managed through the rule optimisation process, although, this may not necessarily guarantee effective utilisation of YARA rules and its generated findings during its execution phase, as the main focus of YARA rules is in determining whether to trigger a rule or not, for a suspect sample after examining its rule condition. YARA rule conditions are Boolean expressions, mostly focused on the binary outcome of the malware analysis, which may limit the optimised use of YARA rules and its findings despite generating significant information during the execution phase. Therefore, this paper proposes embedding fuzzy rules with YARA rules to optimise its performance during the execution phase. Fuzzy rules can manage imprecise and incomplete data and encompass a broad range of conditions, which may not be possible in Boolean logic. This embedding may be more advantageous when the YARA rules become more complex, resulting in multiple complex conditions, which may not be processed efficiently utilising Boolean expressions alone, thus compromising effective decision-making. This proposed embedded approach is applied on a collected malware corpus and is tested against the standard and enhanced YARA rules to demonstrate its success.",

keywords = "Fuzzy Hashing, Fuzzy Logic, Fuzzy Rules, Malware Analysis, Performance Optimisation, Ransomware, YARA Rules",

author = "Nitin Naik and Paul Jenkins and Nick Savage and Longzhi Yang and Kshirasagar Naik and Jingping Song",

note = "{\textcopyright} 2020 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.; 2020 IEEE International Conference on Fuzzy Systems, FUZZ 2020 ; Conference date: 19-07-2020 Through 24-07-2020",

year = "2020",

month = aug,

day = "26",

doi = "10.1109/FUZZ48607.2020.9177856",

language = "English",

series = "IEEE International Conference on Fuzzy Systems",

publisher = "IEEE",

booktitle = "2020 IEEE International Conference on Fuzzy Systems, FUZZ 2020 - Proceedings",

address = "United States",

}

Naik, N, Jenkins, P, Savage, N, Yang, L, Naik, K & Song, J 2020, Embedding Fuzzy Rules with YARA Rules for Performance Optimisation of Malware Analysis. in 2020 IEEE International Conference on Fuzzy Systems, FUZZ 2020 - Proceedings., 9177856, IEEE International Conference on Fuzzy Systems, vol. 2020-July, IEEE, 2020 IEEE International Conference on Fuzzy Systems, FUZZ 2020, Glasgow, United Kingdom, 19/07/20. https://doi.org/10.1109/FUZZ48607.2020.9177856

Embedding Fuzzy Rules with YARA Rules for Performance Optimisation of Malware Analysis. / Naik, Nitin; Jenkins, Paul; Savage, Nick et al.
2020 IEEE International Conference on Fuzzy Systems, FUZZ 2020 - Proceedings. IEEE, 2020. 9177856 (IEEE International Conference on Fuzzy Systems; Vol. 2020-July).

Research output: Chapter in Book/Published conference output › Conference publication

TY - GEN

T1 - Embedding Fuzzy Rules with YARA Rules for Performance Optimisation of Malware Analysis

AU - Naik, Nitin

AU - Jenkins, Paul

AU - Savage, Nick

AU - Yang, Longzhi

AU - Naik, Kshirasagar

AU - Song, Jingping

N1 - © 2020 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

PY - 2020/8/26

Y1 - 2020/8/26

N2 - YARA rules utilises string or pattern matching to perform malware analysis and is one of the most effective methods in use today. However, its effectiveness is dependent on the quality and quantity of YARA rules employed in the analysis. This can be managed through the rule optimisation process, although, this may not necessarily guarantee effective utilisation of YARA rules and its generated findings during its execution phase, as the main focus of YARA rules is in determining whether to trigger a rule or not, for a suspect sample after examining its rule condition. YARA rule conditions are Boolean expressions, mostly focused on the binary outcome of the malware analysis, which may limit the optimised use of YARA rules and its findings despite generating significant information during the execution phase. Therefore, this paper proposes embedding fuzzy rules with YARA rules to optimise its performance during the execution phase. Fuzzy rules can manage imprecise and incomplete data and encompass a broad range of conditions, which may not be possible in Boolean logic. This embedding may be more advantageous when the YARA rules become more complex, resulting in multiple complex conditions, which may not be processed efficiently utilising Boolean expressions alone, thus compromising effective decision-making. This proposed embedded approach is applied on a collected malware corpus and is tested against the standard and enhanced YARA rules to demonstrate its success.

AB - YARA rules utilises string or pattern matching to perform malware analysis and is one of the most effective methods in use today. However, its effectiveness is dependent on the quality and quantity of YARA rules employed in the analysis. This can be managed through the rule optimisation process, although, this may not necessarily guarantee effective utilisation of YARA rules and its generated findings during its execution phase, as the main focus of YARA rules is in determining whether to trigger a rule or not, for a suspect sample after examining its rule condition. YARA rule conditions are Boolean expressions, mostly focused on the binary outcome of the malware analysis, which may limit the optimised use of YARA rules and its findings despite generating significant information during the execution phase. Therefore, this paper proposes embedding fuzzy rules with YARA rules to optimise its performance during the execution phase. Fuzzy rules can manage imprecise and incomplete data and encompass a broad range of conditions, which may not be possible in Boolean logic. This embedding may be more advantageous when the YARA rules become more complex, resulting in multiple complex conditions, which may not be processed efficiently utilising Boolean expressions alone, thus compromising effective decision-making. This proposed embedded approach is applied on a collected malware corpus and is tested against the standard and enhanced YARA rules to demonstrate its success.

KW - Fuzzy Hashing

KW - Fuzzy Logic

KW - Fuzzy Rules

KW - Malware Analysis

KW - Performance Optimisation

KW - Ransomware

KW - YARA Rules

UR - http://www.scopus.com/inward/record.url?scp=85090497908&partnerID=8YFLogxK

UR - https://ieeexplore.ieee.org/document/9177856

U2 - 10.1109/FUZZ48607.2020.9177856

DO - 10.1109/FUZZ48607.2020.9177856

M3 - Conference publication

AN - SCOPUS:85090497908

T3 - IEEE International Conference on Fuzzy Systems

BT - 2020 IEEE International Conference on Fuzzy Systems, FUZZ 2020 - Proceedings

PB - IEEE

T2 - 2020 IEEE International Conference on Fuzzy Systems, FUZZ 2020

Y2 - 19 July 2020 through 24 July 2020

ER -

Embedding Fuzzy Rules with YARA Rules for Performance Optimisation of Malware Analysis

Abstract

Publication series

Conference

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Cite this