Fuzzy Hashing Aided Enhanced YARA Rules for Malware Triaging

Nitin Naik, Paul Jenkins, Nick Savage, Longzhi Yang, Kshirasagar Naik, Jingping Song, Tossapon Boongoen, Natthakan Iam-On

Research output: Chapter in Book/Published conference outputConference publication

Abstract

Cybercriminals are becoming more sophisticated wearing a mask of anonymity and unleashing more destructive malware on a daily basis. The biggest challenge is coping with the abundance of malware created and filtering targeted samples of destructive malware for further investigation and analysis whilst discarding any inert samples, thus optimising the analysis by saving time, effort and resources. The most common technique is malware triaging to separate likely malware and unlikely malware samples. One such triaging technique is YARA rules, commonly used to detect and classify malware based on string and pattern matching, rules are triggered and alerted when their condition is satisfied. This pattern matching technique used by YARA rules and its detection rate can be improved in several ways, however, it can lead to bulky and complex rules that affect the performance of YARA rules. This paper proposes a fuzzy hashing aided enhanced YARA rules to improve the detection rate of YARA rules without significantly increasing the complexity and overheads inherent in the process. This proposed approach only uses an additional fuzzy hashing alongside basic YARA rules to complement each other, so that when one method cannot detect a match, then the other technique can. This work employs three triaging methods fuzzy hashing, import hashing and YARA rules to perform extensive experiments on the collected malware samples. The detection rate of enhanced YARA rules is compared against the detection rate of the employed triaging methods to demonstrate the improvement in the overall triaging results.
Original languageEnglish
Title of host publication2020 IEEE Symposium Series on Computational Intelligence, SSCI 2020
PublisherIEEE
Pages1138-1145
Number of pages8
ISBN (Electronic)978-1-7281-2547-3
ISBN (Print)978-1-7281-2548-0
DOIs
Publication statusPublished - 5 Jan 2021
Event2020 IEEE Symposium Series on Computational Intelligence (SSCI) - Canberra, Australia
Duration: 1 Dec 20204 Dec 2020

Publication series

Name2020 IEEE Symposium Series on Computational Intelligence, SSCI 2020

Conference

Conference2020 IEEE Symposium Series on Computational Intelligence (SSCI)
Abbreviated titleSSCI
Country/TerritoryAustralia
CityCanberra
Period1/12/204/12/20

Bibliographical note

© 2020 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

Keywords

  • Fuzzy Hashing
  • Import Hashing
  • Indicator of Compromise
  • IoC String
  • Malware Triaging
  • Ransomware
  • YARA Rules

Fingerprint

Dive into the research topics of 'Fuzzy Hashing Aided Enhanced YARA Rules for Malware Triaging'. Together they form a unique fingerprint.

Cite this