BV TECH publishes research paper “YAMME”

10/07/2023

BV TECH is pleased to announce the publication of the research paper “YAMME: a YAra-byte-signatures Metamorphic Mutation Engine” in volume 18 (2023) of the journal “IEEE Transactions on Information Forensics and Security”.

The research, carried out by colleagues Antonio Coscia and Antonio Maci in collaboration with the University of Bari (Giuseppe Pirlo, Vincenzo Dentamaro, Stefano Galantucci), originated within the Program Contract “Cybersecurity product suite and SOC”.

The work proposes a novel method for automatically generating detection rules that cover possible mutations of already known malware code. Code mutation is an obfuscation technique commonly used to evade security mechanisms based on signature analysis, so the method extends malicious code detection to every security application that uses YARA rules.

YARA is a popular malware analysis tool that matches purpose-built rules against malicious content in files or network packets analyzed by an antivirus engine. Some of these rules are expressed as byte signatures, that is, sequences of machine-level opcodes. Such signatures can be circumvented, because malware obfuscation techniques can modify these sequences, rewriting them into several equivalent forms.

YAMME addresses this in two steps. First, it rewrites YARA byte signatures in several equivalent ways, as a metamorphic mutation engine would. Second, an optimization phase leverages the syntax constructs of YARA rules to produce different rule formats, making them suitable for different real-world application requirements. YAMME rules have been evaluated on the MWOR, G2, NGVCK and MetaNG datasets, achieving a better detection rate than the YARA rules generated by AutoYara. In addition, an analysis of the computational overhead of the different YAMME rule formats confirms the low impact introduced by the mutation engine at the YARA rule level.
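To make the byte-signature problem concrete, here is an added Python example written for this page; it is not code from YAMME or from the paper. It takes a plain YARA hex signature, rewrites it with YARA alternation and jumps so that it also covers a small table of equivalent x86 encodings (a constructed table, not YAMME's rewriting rules), and checks the plain and rewritten rules against constructed byte sequences with a minimal offline matcher instead of the yara library. The equivalence table, the sample bytes, the nop_slack option and the helper names are this example's assumptions.

```python
import re

# Equivalence classes of x86 opcode byte sequences (a constructed table for this
# example, not YAMME's own rewriting rules). Every member of a class has the same
# effect, so a metamorphic engine can swap one for another without changing the
# program's behaviour, which breaks a byte-exact signature.
EQUIVALENCE_CLASSES = [
    # eax := 0  (xor/sub in both encodings, mov imm32, push 0 / pop eax)
    ["31 C0", "33 C0", "29 C0", "2B C0", "B8 00 00 00 00", "6A 00 58"],
    # push eax  (short form, and the FF /6 long form)
    ["50", "FF F0"],
]

# Tokens of a YARA hex string: "(", ")", "|", jumps "[n-m]", wildcards "??", bytes.
_TOKEN_RE = re.compile(r"\(|\)|\||\[\d+-\d+\]|\?\?|[0-9A-Fa-f]{2}")


def mutate_hex_signature(signature, nop_slack=0):
    """Rewrite a plain hex signature such as "31 C0 50 C3" into a YARA hex
    string that also matches every known equivalent encoding, using YARA
    alternation "( a | b )". With nop_slack > 0 a jump "[0-n]" is placed
    between instructions so that up to n padding bytes (e.g. inserted NOPs)
    are tolerated. Bytes outside the table are treated as single-byte
    instructions (an assumption that holds for this example's signature)."""
    toks = signature.split()
    out, i = [], 0
    while i < len(toks):
        best = None  # (length in bytes, class) of the longest member matching here
        for cls in EQUIVALENCE_CLASSES:
            for member in cls:
                m = member.split()
                if toks[i:i + len(m)] == m and (best is None or len(m) > best[0]):
                    best = (len(m), cls)
        if best is not None:
            out.append("( " + " | ".join(best[1]) + " )")
            i += best[0]
        else:
            out.append(toks[i])
            i += 1
        if nop_slack and i < len(toks):
            out.append(f"[0-{nop_slack}]")
    return "{ " + " ".join(out) + " }"


def render_rule(name, hex_string):
    """Wrap a hex string in a minimal YARA rule."""
    return (f"rule {name}\n{{\n    strings:\n        $code = {hex_string}\n"
            f"    condition:\n        $code\n}}")


def hex_string_to_regex(yara_hex):
    """Translate the subset of YARA hex-string syntax used here (bytes, ??,
    alternatives, jumps) into a compiled bytes regex, so the rules can be
    checked offline without the yara library."""
    parts = []
    for tok in _TOKEN_RE.findall(yara_hex.strip().strip("{}")):
        if tok == "(":
            parts.append("(?:")
        elif tok in (")", "|"):
            parts.append(tok)
        elif tok == "??":
            parts.append(".")
        elif tok.startswith("["):
            lo, hi = tok[1:-1].split("-")
            parts.append(".{%s,%s}" % (lo, hi))
        else:
            parts.append("\\x" + tok)
    return re.compile("".join(parts).encode(), re.DOTALL)


# Constructed code fragments standing in for scanned files: the original
# "xor eax,eax ; push eax ; ret" and rewrites a mutation engine might emit.
ORIGINAL_SIGNATURE = "31 C0 50 C3"
SAMPLES = {
    "original": bytes.fromhex("31C050C3"),
    "sub-swap": bytes.fromhex("29C050C3"),            # sub eax,eax instead of xor
    "mov-nop":  bytes.fromhex("B80000000090FFF0C3"),  # mov eax,0 ; nop ; push eax (FF F0) ; ret
    "benign":   bytes.fromhex("31C0C3"),              # zeroes eax but never pushes it
}


def evaluate(yara_hex):
    """Return {sample name: matched?} for one hex string over all samples."""
    pattern = hex_string_to_regex(yara_hex)
    return {name: pattern.search(data) is not None for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for label, rule in [
        ("plain", "{ " + ORIGINAL_SIGNATURE + " }"),
        ("mutated", mutate_hex_signature(ORIGINAL_SIGNATURE)),
        ("mutated_slack", mutate_hex_signature(ORIGINAL_SIGNATURE, nop_slack=2)),
    ]:
        print(render_rule(label, rule))
        print(evaluate(rule), "\n")
```

The plain rule matches only the original bytes; the rewritten rule also catches the sub-for-xor swap, and adding the jump catches the variant with an inserted NOP and a longer push encoding, while the fragment that never pushes eax still does not match. Each alternative and jump widens the search the YARA engine performs per scanned byte, which is why the cost of the different rule formats deserves the kind of overhead analysis described above.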
