A YARA-based approach for detecting cyber security attack types

Öz

Technological advancements have recently propelled individuals, institutions, and organizations to conduct their business processes on information systems. However, keeping personal and corporate data on information systems has given rise to issues related to data security. The accessibility of data on information systems has made it vulnerable to theft and exploitation by malicious groups or individuals, thus posing a significant risk to data security. Consequently, the demand for data security has led to a new business sector offering various cybersecurity solutions to protect organizations' systems. This paper presents an analysis of the prevalent types of cyber attacks worldwide. The study aims to create a virtual environment with Windows and Linux systems in Forensic Informatics and Incident Response processes to apply frequently used cyber attack methods, develop defense mechanisms against these methods, and contribute to revealing the root cause by solving the incident pattern. Furthermore, this application demonstrates how manual techniques and open-source solutions, such as YARA, can be used to detect malware derivatives commonly found in Windows systems.

Anahtar Kelimeler

• YARA
• Malware
• Digital forensics
• Cyber attack

Kaynakça

1. [1] Abomhara M, Køien GM. "Cyber security and the internet of things: vulnerabilities, threats, intruders and attacks". Journal of Cyber Security and Mobility, 65–88, 2015.
2. [2] Eggers S. "A novel approach for analyzing the nuclear supply chain cyber-attack surface". Nuclear Engineering and Technology, 53(3), 879-887, 2021.
3. [3] Freilin FC, Holz T Wicherski G. "Botnet tracking: Exploring a root-cause methodology to prevent distributed denial-of-service attacks". Computer Security–ESORICS 2005: 10th European Symposium on Research in Computer Security, Milan, Italy, September 12-14, 2005. Proceedings 10, 2005: Springer, 319-335.
4. [4] Auty M. "Anatomy of an advanced persistent threat". Network Security, 4, 13-16, 2015.
5. [5] Ahmad A, Webb J, Desouza KC, Boorman J. "Strategically-motivated advanced persistent threat: Definition, process, tactics and a disinformation model of counterattack". Computers & Security, 86, 402-418, 2019.
6. [6] Schneier B. "The future of incident response". IEEE Security & Privacy, 12(5), 96-96, 2014.
7. [7] Bhatt P, Yano ET, Gustavsson P. "Towards a framework to detect multi-stage advanced persistent threats attacks". in 2014 IEEE 8th international symposium on service oriented system engineering, IEEE, 390-395, 2014.
8. [8] Itodo C, Varlioglu S, Elsayed N. "Digital forensics and incident response (DFIR) challenges in IoT platforms". 4th International Conference on Information and Computer Technologies (ICICT), IEEE, 199-203, 2021.

9. [9] Johansen G. Digital forensics and incident response. Packt Publishing Ltd, 2017.
10. [10] Kim S, Kim J, S, Kim D. "WebMon: ML-and YARA-based malicious webpage detection". Computer Networks, 137, 119-131, 2018.
11. [11] Kumar MS, Ben-Othman J, Srinivasagan K. "An investigation on wannacry ransomware and its detection". in 2018 IEEE Symposium on Computers and Communications (ISCC), IEEE,1-6, 2018.
12. [12] Rosyid NR, Murti BB, Prayudha B, Ramadloni AF, Subekti L. "Malware Detection on local network based on honeypot and Yara". Sistemasi: Jurnal Sistem Informasi, 12(1), 186-193, 2023.
13. [13] Siddabathula KS, Panneerselvam RK, Vasana V, Vejendla J, Rafi M, Gummadi SB. "YaraCapper–YARA rule-based automated system to detect and alert network attacks". in Research Advances in Network Technologies: CRC Press, 25-47.
14. [14] Si Q. et al., "Malware detection using automated generation of yara rules on dynamic features". in Science of Cyber Security: 4th International Conference, SciSec 2022,Matsue, Japan, August 10–12, 2022, Revised Selected Papers, Springer, 315-330, 2022.
15. [15] Naik N, Jenkins P, Savage N, Yang L, Naik K, Song J. "Embedding fuzzy rules with YARA rules for performance optimisation of malware analysis". in 2020 IEEE International Conference on Fuzzy Systems (FUZZ-IEEE), IEEE, 1-7, 2022.
16. [16] Khalid M, Ismail M, Hussain M, Durad MH. "Automatic yara rule generation". in 2020 International Conference on Cyber Warfare and Security (ICCWS), IEEE, 1-5, 2020.
17. [17] Xu L, Qiao M. "Yara rule enhancement using Bert-based strings language model". in 2022 5th International Conference on Advanced Electronic Materials, Computers and Software Engineering (AEMCSE), IEEE, 221-224, 2022.
18. [18] Naik N. et al., "Embedded YARA rules: strengthening YARA rules utilising fuzzy hashing and fuzzy rules for malware analysis". Complex & Intelligent Systems, 7, 687-702, 2021.
19. [19] Naik N, Jenkins P, Cooke R, Gillet J, Jin Y. "Evaluating automatically generated YARA rules and enhancing their effectiveness," in 2020 IEEE Symposium Series on Computational Intelligence (SSCI), IEEE, 1146-1153, 2020.
20. [20] Raff E. et al., "Automatic YARA rule generation using biclustering". in Proceedings of the 13th ACM Workshop on Artificial Intelligence and Security, 71-82, 2020.
21. [21] Bilstein D, Plohmann D. "YARA-signator: automated generation of code-based YARA rules". J. Cybercrime Digit. Invest., 5(1), 1-13, 2019.
22. [22] Nguyen NH, Le VH, Phung VO, Du PH. "Toward a deep learning approach for detecting php webshell". in Proceedings of the 10th International Symposium on Information and Communication Technology, 514-521, 2019.
23. [23] Yusof AR, Udzir NI, Selamat A. "Systematic literature review and taxonomy for DDoS attack detection and prediction". International Journal of Digital Enterprise Technology, 1(3), 292-315, 2019.
24. [24] Yin D, Zhang L, Yang K. "A DDoS attack detection and mitigation with software-defined Internet of Things framework". IEEE Access, 6, 24694-24705, 2018.
25. [25] Joshi B, Vijayan AS, Joshi BK. "Securing cloud computing environment against DDoS attacks". in 2012 International Conference on Computer Communication and Informatics, IEEE, 1-5, 2012.
26. [26] Chiew KL, Yong KSC, Tan CL. "A survey of phishing attacks: Their types, vectors and technical approaches". Expert Systems with Applications, 106, 1-20, 2018.
27. [27] Tandale KD, Pawar SN. "Different types of phishing attacks and detection techniques: A review". in 2020 International Conference on Smart Innovations in Design, Environment, Management, Planning and Computing (ICSIDEMPC), IEEE, 295-299, 2020.
28. [28] Le Page S, Jourdan GV, Bochmann GV, J Flood, Onut IV. "Using url shorteners to compare phishing and malware attacks". in 2018 APWG Symposium on Electronic Crime Research (eCrime), IEEE, 1-13, 2018.
29. [29] Pirscoveanu RS, Hansen SS, Larsen TM, Stevanovic M, Pedersen JM, Czech A. "Analysis of malware behavior: Type classification using machine learning." in 2015 International conference on cyber situational awareness, data analytics and assessment (CyberSA), IEEE, 1-7, 2015.
30. [30] Blaise A, Bouet M, Conan V, Secci S. "Detection of zero-day attacks: An unsupervised port-based approach". Computer Networks, 180, 107391, 2020.
31. [31] Kim JY, Bu SJ, Cho SB. "Zero-day malware detection using transferred generative adversarial networks based on deep autoencoders". Information Sciences, 460, 83-102, 2018.
32. [32] Conti M, Dragoni N, Lesyk V. "A survey of man in the middle attacks". IEEE communications surveys & tutorials, 18(3), 2027-2051, 2016.
33. [33] Tommasi F, Catalano C, Taurino I. "Browser-in-the-Middle (BitM) attack". International Journal of Information Security, 21(2), 179-189, 2022.
34. [34] Alberto O, Marco V. "Man in the middle attacks". in Blackhat Conference Europe, 2003.
35. [35] Lee J, Lee S. "A study on unknown malware detection using digital forensic techniques". Journal of The Korea Institute of Information Security & Cryptology, 24(1), 107-122, 2014.
36. [36] Bazrafshan Z, Hashemi H, Fard SMH, Hamzeh A. "A survey on heuristic malware detection techniques". in The 5th Conference on Information and Knowledge Technology, IEEE, pp. 113-120, 2015.
37. [37] Duby A, Taylor T, Zhuang Y. "Malware family classification via residual prefetch artifacts" .in 2022 IEEE 19th Annual Consumer Communications & Networking Conference (CCNC), IEEE, 256-259, 2022.
38. [38] Naik N. et al., "Fuzzy hashing aided enhanced YARA rules for malware triaging". in 2020 IEEE Symposium Series on Computational Intelligence (SSCI), IEEE, 1138-1145, 2020.
39. [39] Culling C. "Which YARA rules rule: basic or advanced?". GIAC (GCIA) Gold Certification and RES, 5500, 2018.