
About the Robustness and Looseness of Yara Rules



Abstract

The tremendous and fast growth of malware circulating in the wild urges the community of malware analysts to share knowledge about emerging threats rapidly and effectively. Among the available solutions, Yara is establishing itself as a de facto standard for describing and exchanging Indicators of Compromise (IOCs). Unfortunately, the community of malware analysts has not agreed on a set of guidelines for writing Yara rules: indeed, a plethora of very different styles for formalizing IOCs can be observed. Our thesis is that different styles of Yara rule writing could affect the quality of IOCs. With this paper we provide: (i) the definition of two dimensions of Yara rule quality, namely Robustness and Looseness; (ii) a taxonomy for describing the kinds of IOCs that can be formalized with the Yara grammar; and (iii) a suite of metrics for measuring the quality of an IOC. Finally, we carried out a study on 32,311 Yara rules to examine the existing styles and to investigate the relationship between writing style and the quality of IOCs.
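The two quality dimensions and the IOC taxonomy named in the abstract, as an added illustration that is not part of the paper, its dataset or its tooling. The abstract does not define the dimensions, so the readings below are assumptions: robustness, whether a rule still matches a slightly changed build of the same malware; looseness, whether the rule also fires on unrelated files. The sample, its recompiled variant, the benign file, the three rules in three writing styles and the small matcher are all constructed here. The matcher understands only plain text strings, hex strings with ?? wildcards, regexes, "N/any/all of them" and a hash.sha256 condition, a tiny fraction of the real Yara grammar, and the robust/loose flags are a toy proxy, not the paper's metrics.

```python
"""Toy evaluator contrasting three Yara writing styles for one (fictional) dropper.
Constructed example; the matcher is not Yara and the flags are not the paper's metrics."""
import hashlib
import re
from collections import Counter

# Constructed bytes: a fake dropper, a recompiled variant of it, and a benign file.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 28
    + b"\x55\x8b\xec\x83\xec\x20\xc7\x45\xfc\x00\x00\x00\x00"   # function prologue
    + b"C:\\build\\dropper\\Release\\dropper.pdb\x00"
    + b"Global\\DrpMtx-7731\x00"
    + b"POST /gate.php HTTP/1.1\x00"
)
VARIANT = (SAMPLE.replace(b"\x83\xec\x20", b"\x83\xec\x28")   # different stack frame
           .replace(b"Release\\", b"Release_v2\\")             # different build path
           .replace(b"DrpMtx-7731", b"DrpMtx-7732"))           # rotated mutex name
BENIGN = (b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"
          b"Release notes for build 3.2\n")

# Style 1: a single file hash (assumed: a hash-only IOC).
RULE_HASH = '''
rule dropper_by_hash {
    condition:
        hash.sha256(0, filesize) == "%s"
}
''' % hashlib.sha256(SAMPLE).hexdigest()

# Style 2: short generic text strings, any one of them suffices.
RULE_LOOSE = r'''
rule dropper_loose_strings {
    strings:
        $a = "POST "
        $b = "HTTP/1.1"
        $c = "Release"
    condition:
        any of them
}
'''

# Style 3: mixed IOC kinds (hex with wildcard, regex, text) and a threshold.
RULE_STRUCTURED = r'''
rule dropper_structured {
    strings:
        $prologue = { 55 8B EC 83 EC ?? C7 45 FC 00 00 00 00 }
        $mutex = /Global\\DrpMtx-[0-9]{4}/
        $gate = "/gate.php"
    condition:
        2 of them
}
'''

STRING_RE = re.compile(r'^\s*\$(\w+)\s*=\s*(".*?"|\{[^}]*\}|/.*?/)\s*$', re.M)
HASH_RE = re.compile(r'hash\.sha256\(0,\s*filesize\)\s*==\s*"([0-9a-f]{64})"')
OF_RE = re.compile(r'\b(all|any|\d+)\s+of\s+them\b')


def parse_strings(rule_text):
    """Return [(name, kind, compiled bytes regex)] for the strings section.
    Text strings are taken literally (no escapes or modifiers are handled)."""
    out = []
    for name, raw in STRING_RE.findall(rule_text):
        if raw.startswith('"'):
            kind, pat = "text", re.escape(raw[1:-1].encode())
        elif raw.startswith("{"):
            kind = "hex"
            pat = b"".join(b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
                           for tok in raw[1:-1].split())
        else:
            kind, pat = "regex", raw[1:-1].encode()
        out.append((name, kind, re.compile(pat, re.DOTALL)))
    return out


def ioc_kinds(rule_text):
    """Count the kinds of IOC the rule formalizes (our toy taxonomy)."""
    kinds = Counter(kind for _, kind, _ in parse_strings(rule_text))
    if HASH_RE.search(rule_text):
        kinds["hash"] += 1
    return dict(kinds)


def rule_matches(rule_text, data):
    """Evaluate the rule's condition against data with the supported subset."""
    cond = rule_text.split("condition:", 1)[1]
    hash_cond = HASH_RE.search(cond)
    if hash_cond:
        return hashlib.sha256(data).hexdigest() == hash_cond.group(1)
    strings = parse_strings(rule_text)
    hits = sum(1 for _, _, rx in strings if rx.search(data))
    quant = OF_RE.search(cond).group(1)
    need = len(strings) if quant == "all" else 1 if quant == "any" else int(quant)
    return hits >= need


def assess(rule_text):
    """Toy proxies: robust = also matches the variant; loose = fires on the benign file."""
    on_sample = rule_matches(rule_text, SAMPLE)
    return {
        "kinds": ioc_kinds(rule_text),
        "detects_sample": on_sample,
        "robust": on_sample and rule_matches(rule_text, VARIANT),
        "loose": rule_matches(rule_text, BENIGN),
    }


if __name__ == "__main__":
    for label, text in (("hash", RULE_HASH), ("loose", RULE_LOOSE), ("structured", RULE_STRUCTURED)):
        print(label, assess(text))
```

Running it shows the three styles landing in three different corners: the hash rule detects the sample but nothing else, so it is neither loose nor robust; the short-string rule survives the rebuild but also fires on the benign HTTP response; only the rule mixing a wildcarded prologue, a mutex regex and a URL path with a "2 of them" threshold is both robust and not loose in this toy setting.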