Automatic Yara Rule Generation Using Biclustering

TL;DR

AutoYara automates the generation of Yara rules using biclustering and large n-grams, significantly reducing analyst workload and matching or surpassing human performance in malware detection accuracy.

Contribution

The paper introduces AutoYara, a novel biclustering-based method for automatic Yara rule generation that is fast, resource-efficient, and improves detection effectiveness.

Findings

AutoYara reduces analyst rule creation time by 44-86%.

AutoYara maintains low false-positive rates while achieving high true-positive rates.

AutoYara can outperform human analysts in certain detection scenarios.

Abstract

Yara rules are a ubiquitous tool among cybersecurity practitioners and analysts. Developing high-quality Yara rules to detect a malware family of interest can be labor- and time-intensive, even for expert users. Few tools exist and relatively little work has been done on how to automate the generation of Yara rules for specific families. In this paper, we leverage large n-grams ($n \geq 8$) combined with a new biclustering algorithm to construct simple Yara rules more effectively than currently available software. Our method, AutoYara, is fast, allowing for deployment on low-resource equipment for teams that deploy to remote networks. Our results demonstrate that AutoYara can help reduce analyst workload by producing rules with useful true-positive rates while maintaining low false-positive rates, sometimes matching or even outperforming human analysts. In addition, real-world testing by malware analysts indicates AutoYara could reduce analyst time spent constructing Yara rules by 44-86%, allowing them to spend their time on the more advanced malware that current tools can't handle. Code will be made available at https://github.com/NeuromorphicComputationResearchProgram .