Conference papers

About the Robustness and Looseness of Yara Rules

Abstract: The tremendous and fast growth of malware circulating in the wild urges the community of malware analysts to rapidly and effectively share knowledge about arising threats. Among other solutions, Yara is establishing itself as a de facto standard for describing and exchanging Indicators of Compromise (IOCs). Unfortunately, the community of malware analysts has not agreed on a set of guidelines for writing Yara rules: indeed, a plethora of very different styles for formalizing IOCs can be observed. Our thesis is that different styles of Yara rule writing could affect the quality of IOCs. In this paper we provide: (i) the definition of two dimensions of Yara rule quality, namely Robustness and Looseness; (ii) a taxonomy for describing the kinds of IOCs that can be formalized with the Yara grammar; and (iii) a suite of metrics for measuring the quality of an IOC. Finally, we carried out a study on 32,311 Yara rules to examine the different existing styles and to investigate the relationship between writing styles and the quality of IOCs.

https://hal.inria.fr/hal-03239822
Contributor : Hal Ifip
Submitted on : Thursday, May 27, 2021 - 4:42:52 PM
Last modification on : Thursday, May 27, 2021 - 4:58:38 PM
Long-term archiving on : Saturday, August 28, 2021 - 7:59:43 PM

File

 Restricted access
To satisfy the distribution rights of the publisher, the document is embargoed until : 2023-01-01

Licence


Distributed under a Creative Commons Attribution 4.0 International License

Citation

Gerardo Canfora, Mimmo Carapella, Andrea Vecchio, Laura Nardi, Antonio Pirozzi, et al. About the Robustness and Looseness of Yara Rules. 32th IFIP International Conference on Testing Software and Systems (ICTSS), Dec 2020, Naples, Italy. pp.104-120, ⟨10.1007/978-3-030-64881-7_7⟩. ⟨hal-03239822⟩