In an era of rapidly evolving cyber threats, the ability to accurately detect and classify malicious software has become a critical component of modern cybersecurity operations. YARA, a rule-based pattern matching tool, has established itself as a fundamental asset in malware analysis, threat hunting, and incident response workflows. Notably, YARA rules are authored by experienced security professionals, making them a reliable and valuable source of intelligence for training machine learning models. These rules are continuously updated or newly generated as emerging malware strains are discovered, ensuring they remain aligned with the evolving threat landscape. This work proposes a dynamic integration of established malware datasets, such as EMBER, with information automatically extracted from YARA rules to enhance malware detection strategies using machine learning algorithms. The study further investigates how the conditions embedded within YARA rules can be strategically leveraged to generate enriched datasets, dynamically producing additional entries sourced from public platforms like GitHub repositories. Additionally, when malware family identifiers are explicitly mentioned within YARA rules, these labels are extracted and incorporated into classification models, providing critical context for supervised learning processes. All these processes are orchestrated within a fully automated pipeline, enabling continuous, intelligent data enrichment. By harvesting essential detection features such as unique signatures, string patterns, and logical conditions, this methodology aims to enhance malware detection capabilities and strengthen proactive cybersecurity defences.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

A ML-Driven Pipeline for Automated YARA Rule Extraction and Malware Detection

  • Souhayla Touk,
  • Saad El Jaouhari,
  • Maurras Togbe

摘要

In an era of rapidly evolving cyber threats, the ability to accurately detect and classify malicious software has become a critical component of modern cybersecurity operations. YARA, a rule-based pattern matching tool, has established itself as a fundamental asset in malware analysis, threat hunting, and incident response workflows. Notably, YARA rules are authored by experienced security professionals, making them a reliable and valuable source of intelligence for training machine learning models. These rules are continuously updated or newly generated as emerging malware strains are discovered, ensuring they remain aligned with the evolving threat landscape. This work proposes a dynamic integration of established malware datasets, such as EMBER, with information automatically extracted from YARA rules to enhance malware detection strategies using machine learning algorithms. The study further investigates how the conditions embedded within YARA rules can be strategically leveraged to generate enriched datasets, dynamically producing additional entries sourced from public platforms like GitHub repositories. Additionally, when malware family identifiers are explicitly mentioned within YARA rules, these labels are extracted and incorporated into classification models, providing critical context for supervised learning processes. All these processes are orchestrated within a fully automated pipeline, enabling continuous, intelligent data enrichment. By harvesting essential detection features such as unique signatures, string patterns, and logical conditions, this methodology aims to enhance malware detection capabilities and strengthen proactive cybersecurity defences.