TY - GEN
T1 - Embedding Fuzzy Rules with YARA Rules for Performance Optimisation of Malware Analysis
AU - Naik, Nitin
AU - Jenkins, Paul
AU - Savage, Nick
AU - Yang, Longzhi
AU - Naik, Kshirasagar
AU - Song, Jingping
N1 - © 2020 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
PY - 2020/8/26
Y1 - 2020/8/26
N2 - YARA rules utilise string or pattern matching to perform malware analysis and are one of the most effective methods in use today. However, their effectiveness is dependent on the quality and quantity of YARA rules employed in the analysis. This can be managed through the rule optimisation process, although this may not necessarily guarantee effective utilisation of YARA rules and their generated findings during the execution phase, as the main focus of YARA rules is in determining whether or not to trigger a rule for a suspect sample after examining its rule condition. YARA rule conditions are Boolean expressions, mostly focused on the binary outcome of the malware analysis, which may limit the optimised use of YARA rules and their findings despite generating significant information during the execution phase. Therefore, this paper proposes embedding fuzzy rules with YARA rules to optimise their performance during the execution phase. Fuzzy rules can manage imprecise and incomplete data and encompass a broad range of conditions, which may not be possible in Boolean logic. This embedding may be more advantageous when the YARA rules become more complex, resulting in multiple complex conditions, which may not be processed efficiently utilising Boolean expressions alone, thus compromising effective decision-making. This proposed embedded approach is applied to a collected malware corpus and is tested against the standard and enhanced YARA rules to demonstrate its success.
AB - YARA rules utilise string or pattern matching to perform malware analysis and are one of the most effective methods in use today. However, their effectiveness is dependent on the quality and quantity of YARA rules employed in the analysis. This can be managed through the rule optimisation process, although this may not necessarily guarantee effective utilisation of YARA rules and their generated findings during the execution phase, as the main focus of YARA rules is in determining whether or not to trigger a rule for a suspect sample after examining its rule condition. YARA rule conditions are Boolean expressions, mostly focused on the binary outcome of the malware analysis, which may limit the optimised use of YARA rules and their findings despite generating significant information during the execution phase. Therefore, this paper proposes embedding fuzzy rules with YARA rules to optimise their performance during the execution phase. Fuzzy rules can manage imprecise and incomplete data and encompass a broad range of conditions, which may not be possible in Boolean logic. This embedding may be more advantageous when the YARA rules become more complex, resulting in multiple complex conditions, which may not be processed efficiently utilising Boolean expressions alone, thus compromising effective decision-making. This proposed embedded approach is applied to a collected malware corpus and is tested against the standard and enhanced YARA rules to demonstrate its success.
KW - Fuzzy Hashing
KW - Fuzzy Logic
KW - Fuzzy Rules
KW - Malware Analysis
KW - Performance Optimisation
KW - Ransomware
KW - YARA Rules
UR - http://www.scopus.com/inward/record.url?scp=85090497908&partnerID=8YFLogxK
UR - https://ieeexplore.ieee.org/document/9177856
U2 - 10.1109/FUZZ48607.2020.9177856
DO - 10.1109/FUZZ48607.2020.9177856
M3 - Conference publication
AN - SCOPUS:85090497908
T3 - IEEE International Conference on Fuzzy Systems
BT - 2020 IEEE International Conference on Fuzzy Systems, FUZZ 2020 - Proceedings
PB - IEEE
T2 - 2020 IEEE International Conference on Fuzzy Systems, FUZZ 2020
Y2 - 19 July 2020 through 24 July 2020
ER -