Bridging IDS Signatures and Yara Rules for Malware Detection



dc.contributor.author Hassan Qadeer, 01-247182-002
dc.date.accessioned 2022-01-14T10:16:31Z
dc.date.available 2022-01-14T10:16:31Z
dc.date.issued 2021
dc.identifier.uri http://hdl.handle.net/123456789/11572
dc.description Supervised by Dr. Faisal Bashir Hussain
dc.description.abstract Malware is becoming the greatest threat to computers and information systems around the globe. Threat actors carry out business fraud or steal personal information from genuine users. A global malware count of more than 1100 million was reported by the renowned AV-Test by the end of 2020. This includes the addition of 130 million in 2020 alone, an alarming increase of 358% compared to 2019. Malware is designed to compromise the confidentiality, integrity or availability of data or information systems. Detection of malicious software has been the key objective of both network and host defence solutions. Malware detection software, generally referred to as antivirus solutions, is now part and parcel of all computing machines. Detection engines have progressed from signature/pattern matching to anomaly/behaviour identification. Due to the growing demand for malware detection, a plethora of antivirus software is available, with the majority still identifying threats based on predefined signatures. In 2013, the Yara tool was introduced for detection and classification of malware, along with a powerful rule language termed Yara rules. Yara works by matching suspected files or directories against a provided Yara ruleset. It provides a methodology to create a definition/rule for a diverse range of malware families based on text-based signatures or binary pattern content. Recently, leading antivirus software has been rapidly adopting Yara rules for detection and classification of malware. Since Yara rules are intended to work on the file systems of end-user machines within antivirus solutions, they inherently require both processing and licensing for each network machine. Another huge challenge for host-based malware detection is keeping signature repositories updated on all network devices.
Alternative network-based intrusion detection engines (firewalls and IDPS) currently do not support Yara rules and instead accept different rule formats based on rather complex Perl-compatible regular expressions. To overcome this challenge, the objective of this research is to bridge the gap and convert Yara rules into network-based rules. This rule conversion will allow network administrators to manage malware signatures, with dynamic and effective protection at the network gateway level. In this research, a novel signature conversion framework is proposed to convert file-based Yara rules into the Perl-compatible format accepted by signature-based network IDPS and NGN firewalls such as Cisco, FortiGate and Juniper. The framework was implemented in Python and the resultant network rules were tested with Snort IDS, resulting in an overall accuracy of 91.86%.
dc.language.iso en
dc.publisher Computer Sciences BUIC
dc.relation.ispartofseries MS (IS);T-018
dc.subject Computer Science
dc.subject Bridging IDS Signatures
dc.title Bridging IDS Signatures and Yara Rules for Malware Detection
dc.type MS Thesis
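The abstract above describes converting file-based Yara rules into the Perl-compatible regex format that Snort-style engines accept. The following is an added illustration of that idea, written for this page and not the thesis's own framework: it handles text strings (with `nocase`), hex patterns with `??` wildcards, and the difference between Yara's `any of them` and `all of them`, since several `pcre` options inside one Snort rule are ANDed. The sample rule, the rule name and the SID range are constructed for the example.

```python
import re
# Constructed sample Yara rule (not from the thesis): one text string, one hex pattern.
SAMPLE_RULE = '''rule Demo_Dropper {
    strings:
        $a = "cmd.exe /c" nocase
        $b = { 4D 5A ?? 00 50 45 }
    condition:
        any of them
}'''
STRING_RE = re.compile(r'\$(\w+)\s*=\s*(?:"([^"]*)"|\{([^}]*)\})\s*(.*)')
PCRE_META = set(r'\.^$|?*+()[]{}/')

def yara_strings(rule_text):
    """Collect (name, kind, body, modifiers) for each $name = ... line."""
    found = []
    for line in rule_text.splitlines():
        m = STRING_RE.search(line)
        if m:
            name, text, hexbody, mods = m.groups()
            kind = 'text' if text is not None else 'hex'
            found.append((name, kind, text if kind == 'text' else hexbody, mods.split()))
    return found

def to_pcre(kind, body, mods):
    """Turn one Yara string into a /.../flags PCRE for a Snort pcre option."""
    if kind == 'text':
        escaped = ''.join('\\' + c if c in PCRE_META else c for c in body)
        return '/%s/%s' % (escaped, 'i' if 'nocase' in mods else '')
    parts = []
    for tok in body.split():
        if tok == '??':
            parts.append('.')  # one wildcard byte
        elif re.fullmatch(r'[0-9A-Fa-f]{2}', tok):
            parts.append('\\x' + tok.upper())
        else:  # jumps like [2-4] and nibble masks are not handled here
            raise ValueError('unsupported hex token: ' + tok)
    return '/' + ''.join(parts) + '/s'  # 's': '.' must also match byte 0x0A

def to_snort(rule_text, base_sid):
    """Emit Snort rules. Several pcre options in one Snort rule are ANDed, so
    'all of them' maps to one rule and 'any of them' to one rule per string."""
    name = re.search(r'rule\s+(\w+)', rule_text).group(1)
    strings = yara_strings(rule_text)
    groups = [strings] if 'all of them' in rule_text else [[s] for s in strings]
    rules = []
    for i, group in enumerate(groups):
        opts = ' '.join('pcre:"%s";' % to_pcre(k, b, m) for _, k, b, m in group)
        rules.append('alert tcp any any -> any any (msg:"YARA %s"; %s sid:%d; rev:1;)'
                     % (name, opts, base_sid + i))
    return rules
```

Snort evaluates these patterns against reassembled TCP payload rather than a whole file on disk, so a pattern that straddles a segment boundary or sits inside compressed or encrypted content will not fire; this is the kind of gap that explains why converted rules score below 100% in the evaluation described above.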