Automatic Yara Rule Generation Using Biclustering
| dc.contributor.author | Raff, Edward | |
| dc.contributor.author | Zak, Richard | |
| dc.contributor.author | Munoz, Gary Lopez | |
| dc.contributor.author | Fleming, William | |
| dc.contributor.author | Anderson, Hyrum S. | |
| dc.contributor.author | Filar, Bobby | |
| dc.contributor.author | Nicholas, Charles | |
| dc.contributor.author | Holt, James | |
| dc.date.accessioned | 2020-11-02T19:57:59Z | |
| dc.date.available | 2020-11-02T19:57:59Z | |
| dc.date.issued | 2020-09-06 | |
| dc.description | 13th ACM Workshop on Artificial Intelligence and Security (AISec) | |
| dc.description.abstract | Yara rules are a ubiquitous tool among cybersecurity practitioners and analysts. Developing high-quality Yara rules to detect a malware family of interest can be labor- and time-intensive, even for expert users. Few tools exist and relatively little work has been done on how to automate the generation of Yara rules for specific families. In this paper, we leverage large n-grams (n≥8) combined with a new biclustering algorithm to construct simple Yara rules more effectively than currently available software. Our method, AutoYara, is fast, allowing for deployment on low-resource equipment for teams that deploy to remote networks. Our results demonstrate that AutoYara can help reduce analyst workload by producing rules with useful true-positive rates while maintaining low false-positive rates, sometimes matching or even outperforming human analysts. In addition, real-world testing by malware analysts indicates AutoYara could reduce analyst time spent constructing Yara rules by 44-86%, allowing them to spend their time on the more advanced malware that current tools can't handle. | en_US |
| dc.description.uri | https://arxiv.org/abs/2009.03779 | en_US |
| dc.format.extent | 12 pages | en_US |
| dc.genre | conference papers and proceedings preprints | en_US |
| dc.identifier | doi:10.13016/m2qtkw-vl04 | |
| dc.identifier.citation | Edward Raff, Richard Zak, Gary Lopez Munoz, William Fleming, Hyrum S. Anderson, Bobby Filar, Charles Nicholas and James Holt, Automatic Yara Rule Generation Using Biclustering, https://arxiv.org/abs/2009.03779 | en_US |
| dc.identifier.uri | http://hdl.handle.net/11603/19996 | |
| dc.language.iso | en_US | en_US |
| dc.publisher | ACM | |
| dc.relation.isAvailableAt | The University of Maryland, Baltimore County (UMBC) | |
| dc.relation.ispartof | UMBC Computer Science and Electrical Engineering Department Collection | |
| dc.relation.ispartof | UMBC Faculty Collection | |
| dc.rights | This item is likely protected under Title 17 of the U.S. Copyright Law. Unless on a Creative Commons license, for uses protected by Copyright Law, contact the copyright holder or the author. | |
| dc.rights | Public Domain Mark 1.0 | * |
| dc.rights | This work was written as part of one of the author's official duties as an Employee of the United States Government and is therefore a work of the United States Government. In accordance with 17 U.S.C. 105, no copyright protection is available for such works under U.S. Law. | |
| dc.rights.uri | http://creativecommons.org/publicdomain/mark/1.0/ | * |
| dc.title | Automatic Yara Rule Generation Using Biclustering | en_US |
| dc.type | Text | en_US |