Alerting the Quiet Failure of Yara Rules

Project Title:

Alerting the Quiet Failure of Yara Rules

Supervisors:

Dr Iqbal Gondal (SoEITPS), Dr Joarder Kamruzzaman (SoEITPS)

Contact Person:

Dr Iqbal Gondal Iqbal.gondal@federation.edu.au

Project Brief

Yara rules are regular expressions that represent opcodes or strings found in unpacked malware samples. Yara rules are widely used by the computer security industry, as they provide a fast and effective method for the identification of malware families. A drawback of yara rules is that the regular expressions in yara rules are closely related to specific malware versions, and when a new version of the malware is released, the regular expressions in the yara rules may no longer be able to detect the new version. Yara rules fail quietly, they simply no longer detect the new malware version. This research proposes the use of machine learning clustering of unpacked malware samples in conjunction with yara rules, to determine whether the clustering process is able to identify that a malware variant which is not detected by existing yara rules is able to be identified by clustering. The presence of malware that is not detected by existing yara rules in the cluster could be used as a trigger to identify a problem.