Automatic Yara Rule Generation Using Biclustering

Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security Pub Date : 2020-09-06 DOI:10.1145/3411508.3421372

Edward Raff, Richard Zak, Gary Lopez Munoz, William Fleming, H. Anderson, Bobby Filar, Charles K. Nicholas, James Holt

{"title":"Automatic Yara Rule Generation Using Biclustering","authors":"Edward Raff, Richard Zak, Gary Lopez Munoz, William Fleming, H. Anderson, Bobby Filar, Charles K. Nicholas, James Holt","doi":"10.1145/3411508.3421372","DOIUrl":null,"url":null,"abstract":"Yara rules are a ubiquitous tool among cybersecurity practitioners and analysts. Developing high-quality Yara rules to detect a malware family of interest can be labor- and time-intensive, even for expert users. Few tools exist and relatively little work has been done on how to automate the generation of Yara rules for specific families. In this paper, we leverage large n-grams (n ≥ 8) combined with a new biclustering algorithm to construct simple Yara rules more effectively than currently available software. Our method, AutoYara, is fast, allowing for deployment on low-resource equipment for teams that deploy to remote networks. Our results demonstrate that AutoYara can help reduce analyst workload by producing rules with useful true-positive rates while maintaining low false-positive rates, sometimes matching or even outperforming human analysts.In addition, real-world testing by malware analysts indicates AutoYara could reduce analyst time spent constructing Yara rules by 44-86%, allowing them to spend their time on the more advanced malware that current tools can't handle. Code will be made available at https://github.com/NeuromorphicComputationResearchProgram.","PeriodicalId":132987,"journal":{"name":"Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security","volume":"23 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-09-06","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"13","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3411508.3421372","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 13

Abstract

Yara rules are a ubiquitous tool among cybersecurity practitioners and analysts. Developing high-quality Yara rules to detect a malware family of interest can be labor- and time-intensive, even for expert users. Few tools exist and relatively little work has been done on how to automate the generation of Yara rules for specific families. In this paper, we leverage large n-grams (n ≥ 8) combined with a new biclustering algorithm to construct simple Yara rules more effectively than currently available software. Our method, AutoYara, is fast, allowing for deployment on low-resource equipment for teams that deploy to remote networks. Our results demonstrate that AutoYara can help reduce analyst workload by producing rules with useful true-positive rates while maintaining low false-positive rates, sometimes matching or even outperforming human analysts.In addition, real-world testing by malware analysts indicates AutoYara could reduce analyst time spent constructing Yara rules by 44-86%, allowing them to spend their time on the more advanced malware that current tools can't handle. Code will be made available at https://github.com/NeuromorphicComputationResearchProgram.

查看原文本刊更多论文

使用双聚类自动生成雅拉规则

Yara规则是网络安全从业者和分析师普遍使用的工具。开发高质量的Yara规则来检测感兴趣的恶意软件家族可能需要大量的劳动和时间，即使对于专家用户也是如此。关于如何为特定家庭自动生成Yara规则的工具很少，工作也相对较少。在本文中，我们利用大n-grams (n≥8)结合一种新的双聚类算法来构建简单的Yara规则，比目前可用的软件更有效。我们的方法AutoYara速度很快，允许部署到远程网络的团队在低资源设备上进行部署。我们的结果表明，AutoYara可以通过生成具有有用的真阳性率的规则来帮助减少分析师的工作量，同时保持较低的假阳性率，有时可以匹配甚至优于人类分析师。此外，恶意软件分析师的实际测试表明，AutoYara可以将分析师构建Yara规则的时间减少44-86%，使他们能够将时间花在当前工具无法处理的更高级的恶意软件上。代码将在https://github.com/NeuromorphicComputationResearchProgram上提供。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security

自引率

0.00%

发文量