Abstract
With the explosive growth of malware and its variants, automated malware detection is an active topic in security. In this paper, we propose a malware detection method based on automated Yara rule generation from dynamic behaviors, aiming mainly to improve malware detection in terms of automation and effectiveness. Firstly, we extract API call sequences as features from the dynamic behaviors recorded in a sandbox. Secondly, we focus on the impact that runtime parameters, which carry significant semantic information in API calls, have on discriminating malicious from benign behavior. Then, we leverage the random forest and logistic regression algorithms in YaraML to calculate weights for the features extracted from API calls and runtime parameters and to output a set of Yara rules. Finally, we use these Yara rules to perform malware detection. We conduct a set of experiments on a dataset of malicious and benign samples. The experimental results show that our method is effective in terms of accuracy and precision in malware detection.
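The following is an added example, not code from the paper or from YaraML, that runs the pipeline the abstract describes in miniature: constructed sandbox traces are turned into two kinds of features (the API name alone, and API name plus a normalized runtime parameter), a small logistic regression assigns each feature a weight, and the weights are rounded into a Yara rule whose condition is a weighted sum over `#sN` match counts on a line-oriented behaviour report. The traces, API names, parameter values, report format and the rule layout are all assumptions made for the illustration; YaraML's actual output format is not reproduced here. The example also shows the parameter point from the abstract: `RegSetValueExW` on its own is ambiguous (it appears in both classes), while `RegSetValueExW` with the `...\CurrentVersion\Run` key receives a larger malicious weight.

```python
"""Added example (not the paper's code): sandbox traces -> API/parameter features
-> logistic-regression weights -> weighted Yara rule -> detection on new reports.
All traces are constructed; the rule layout is an assumption, not YaraML's format."""
import math
from typing import List, Tuple

Trace = List[Tuple[str, str]]  # [(api_name, salient_runtime_parameter), ...]

# Constructed training set: (label, trace); 1 = malicious, 0 = benign.
TRACES: List[Tuple[int, Trace]] = [
    (1, [("CreateFileW", "C:\\Users\\victim\\Documents\\report.docx"), ("CryptEncrypt", ""),
         ("WriteFile", ""), ("RegSetValueExW", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run")]),
    (1, [("CreateFileW", "C:\\Users\\victim\\Pictures\\photo.jpg"), ("CryptEncrypt", ""),
         ("WriteFile", ""), ("DeleteFileW", "")]),
    (1, [("VirtualAllocEx", ""), ("WriteProcessMemory", ""), ("CreateRemoteThread", ""),
         ("RegSetValueExW", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run")]),
    (1, [("CreateFileW", "C:\\Users\\victim\\Desktop\\notes.txt"), ("CryptEncrypt", ""),
         ("WriteFile", ""), ("InternetOpenUrlA", "")]),
    (0, [("CreateFileW", "C:\\Program Files\\App\\config.ini"), ("ReadFile", ""), ("CloseHandle", "")]),
    (0, [("CreateFileW", "C:\\Program Files\\App\\data.db"), ("ReadFile", ""), ("WriteFile", ""),
         ("CloseHandle", "")]),
    (0, [("RegQueryValueExW", "HKLM\\SOFTWARE\\App\\Settings"),
         ("RegSetValueExW", "HKCU\\Software\\App\\Settings"), ("CloseHandle", "")]),
    (0, [("InternetOpenUrlA", ""), ("ReadFile", ""), ("CloseHandle", "")]),
]


def normalize_param(param: str) -> str:
    """Collapse per-user file paths to directory level so a rule generalizes across
    victims (C:\\Users\\<name>\\Documents\\x.docx -> C:\\Users\\*\\Documents);
    registry keys and other paths are kept verbatim."""
    parts = param.split("\\")
    if len(parts) >= 4 and parts[0].upper() == "C:" and parts[1].lower() == "users":
        return "\\".join(["C:", "Users", "*", parts[3]])
    return param


def report_from_trace(trace: Trace) -> str:
    """Render a trace as the line-oriented behaviour report Yara will scan (assumed format)."""
    return "\n".join(api + ("|" + normalize_param(p) if p else "") for api, p in trace) + "\n"


def features_of(trace: Trace) -> List[str]:
    """Two feature kinds per call: the API name alone, and API|normalized parameter."""
    feats = []
    for api, p in trace:
        feats.append(api)
        if p:
            feats.append(api + "|" + normalize_param(p))
    return feats


VOCAB = sorted({f for _, t in TRACES for f in features_of(t)})


def vectorize(report: str) -> List[float]:
    # Occurrence counts in the report text: the same quantity Yara's #sN yields at scan time.
    return [float(report.count(f)) for f in VOCAB]


def train_logreg(X, y, epochs=3000, lr=0.3, l2=0.001):
    """Batch gradient descent on L2-regularized logistic loss; a dependency-free
    stand-in for the logistic regression model the paper uses through YaraML."""
    w, b, m = [0.0] * len(X[0]), 0.0, len(X)
    for _ in range(epochs):
        gw, gb = [0.0] * len(w), 0.0
        for xi, yi in zip(X, y):
            err = 1.0 / (1.0 + math.exp(-(b + sum(wj * xj for wj, xj in zip(w, xi))))) - yi
            gb += err
            for j, xj in enumerate(xi):
                gw[j] += err * xj
        w = [wj - lr * (gw[j] / m + l2 * wj) for j, wj in enumerate(w)]
        b -= lr * gb / m
    return w, b


def yara_escape(s: str) -> str:
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_rule(w, b, scale=100, name="behaviour_lr_demo"):
    """Round scaled weights to integers and emit a Yara rule whose condition is the
    scaled decision function: sum(weight_j * #s_j) > round(-scale * b)."""
    nonzero = sorted(((f, round(wj * scale)) for f, wj in zip(VOCAB, w) if round(wj * scale) != 0),
                     key=lambda t: -t[1])  # positive terms first, so the condition never starts with '-'
    terms = [(f"s{i}", f, iw) for i, (f, iw) in enumerate(nonzero)]
    threshold = round(-b * scale)
    strings = "\n".join(f'        ${sid} = "{yara_escape(f)}" ascii' for sid, f, _ in terms)
    cond = []
    for sid, _, iw in terms:
        sign = "- " if iw < 0 else ("+ " if cond else "")
        cond.append(f"{sign}#{sid} * {abs(iw)}")
    rule = (f"rule {name}\n{{\n    strings:\n{strings}\n    condition:\n"
            f"        ({' '.join(cond)}) > {threshold}\n}}\n")
    return rule, terms, threshold


def score(terms, threshold, report: str) -> Tuple[int, bool]:
    """Evaluate the rule's condition the way Yara would (#sN = substring match count)."""
    total = sum(iw * report.count(f) for _, f, iw in terms)
    return total, total > threshold


X = [vectorize(report_from_trace(t)) for _, t in TRACES]
Y = [label for label, _ in TRACES]
W, B = train_logreg(X, Y)
WEIGHT = dict(zip(VOCAB, W))
RULE, TERMS, THRESHOLD = build_rule(W, B)

if __name__ == "__main__":
    print(RULE)
    held_out = [("CreateFileW", "C:\\Users\\alice\\Documents\\budget.xlsx"), ("CryptEncrypt", ""), ("WriteFile", "")]
    print(score(TERMS, THRESHOLD, report_from_trace(held_out)))
```

Running the block prints the generated rule and then scores a held-out (constructed) trace against it. Because the report format, the feature extraction and the `#sN` counting are all defined in one place, the `score` function evaluates exactly the condition that was written into the rule, which is the property a practitioner wants before handing a generated rule to a scanner: the rule must not quietly disagree with the model that produced it.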
Acknowledgements
This work is supported by the National Natural Science Foundation of China (Grant No. 62072453, 61972392), Youth Innovation Promotion Association of the Chinese Academy of Sciences (No. 2020164).
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Si, Q. et al. (2022). Malware Detection Using Automated Generation of Yara Rules on Dynamic Features. In: Su, C., Sakurai, K., Liu, F. (eds) Science of Cyber Security. SciSec 2022. Lecture Notes in Computer Science, vol 13580. Springer, Cham. https://doi.org/10.1007/978-3-031-17551-0_21
DOI: https://doi.org/10.1007/978-3-031-17551-0_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-17550-3
Online ISBN: 978-3-031-17551-0
eBook Packages: Computer Science (R0)