Assessing the Effectiveness of YARA Rules for Signature-Based Malware Detection and Classification

Abstract

Malware often uses obfuscation techniques or is modified slightly to evade signature detection from antivirus software and malware analysis tools. Traditionally, to determine if a file is malicious and identify what type of malware a sample is, a cryptographic hash of a file is calculated. A more recent and flexible solution for malware detection is YARA, which enables the creation of rules to identify and classify malware based on a file's binary patterns. In this paper, the author will critically evaluate the effectiveness of YARA rules for signature-based detection and classification of malware in comparison to alternative methods, which include cryptographic and fuzzy hashing.