logo
allArticlesConferencesPresentations

Looking for the perfect signature: an automatic YARA rules generation algorithm in the AI-era

Conference:  Defcon 26

2018-08-01

Summary

Automatic generation of ER rules for Android using AI algorithms outperforms human-generated rules
  • Developed algorithms to automatically generate ER rules for Android using AI
  • Ultimate regenerator rules performed better than human-generated ones
  • Expert knowledge can be included in rule generation through attributes, attribute values, and optimization results
  • Approach is scalable and generates rules in minutes
  • Automatic generated signatures improved detection by up to 131% without generating false positives
The speaker demonstrated the use of a tool called Yellow Jumpy to generate a rule for the Sky Go Free family of Android applications. The tool downloaded reports of application analysis from the internet and generated a valid ER rule with a high score and coverage of all input samples. The speaker also tested the efficacy of automatically generated signatures on 1.5 million Android applications collected in 2017, showing significant improvement in detection without generating false positives.

Abstract

Given the high pace at which new malware variants are generated, antivirus programs struggle to keep their signatures up-to-date, and AV scanners suffer from a considerable quantity of false negatives. The generation of effective signatures against new malware variants, while avoiding false positive detections, is a highly desirable but challenging task, typically requiring a substantial portion of human expert’s time. Artificial intelligence techniques can be applied to solve the malware signature generation problem. The ultimate goal is to develop an algorithm able to automatically create a generalized family signature, eventually reducing threat exposure and increasing the quality of the detection. The proposed technique automatically generates an optimal signature to identify a malware family with very high precision and good recall using heuristics, evolutionary and linear programming algorithms. In this talk I will present YaYaGen (Yet Another YARA Rule Generator), a tool to automatically generate Android malware signatures. Performances have been evaluated on a massive dataset of millions of applications available in the Koodous project, showing that in a few minutes the algorithm can generate precise ruleset able to catch 0-day malware, better than human generated ones.
Materials:
Tags:

Post a comment

Related work

Generating YARA Rules by Classifying Malicious Byte Sequences

Conference:  BlackHat USA 2021
Authors:
2021-08-05

Lost in the Loader: The Many Faces of the Windows PE File Format

Conference:  BlackHat USA 2021
Authors:
2021-11-10

Turing in a Box: Applying Artificial Intelligence as a Service to Targeted Phishing and Defending Against AI Generated Attacks

Conference:  BlackHat USA 2021
Authors:
2021-08-05

Scaling and Orchestrating “Good Bot” With Kubernetes

Conference:  KubeCon + CloudNativeCon Europe 2022
Authors: Aris Cahyadi Risdianto
2022-05-19

A Tangled Curl: Attacks on the Curl-P Hash Function Leading to Signature Forgeries in the IOTA Signature Scheme

Conference:  BlackHat USA 2018
Authors:
2018-08-08

A New Trend for the Blue Team - Using a Practical Symbolic Engine to Detect Evasive Forms of Malware/Ransomware

Conference:  Black Hat USA 2022
Authors:
2022-08-10