Andrea Marcelli (@_S0nn1_)

Twitter

Email

Web

PhD Student

Security Researcher

The signature generation problem

The algorithm

Introducing YaYaGen

Demo

A unique pattern

Syntactic signatures* this is where the most of the existing tools and researches focus on

Semantic signatures

Android malware

Reduce Automate 100% recall Save

“YARA is to files what Snort is to network traffic”

de-facto standard

syntactic signatures

Semantic signatures

rule YaYaSyringe {

meta: author = "DEF CON 26"

strings: $a = “text here” $b = { E2 34 A1 C8 23 FB }

condition: $a and $b and androguard.filter("action.BATTERYCHECK") and androguard.number_of_services == 3 …

}

APK Unsupervised Automatic

Each block is an attribute extracted through the analysis

quality of the analysis

static

dynamic

url: “malware.xxx”

permission: “ACCESS_FINE_LOCATION”

Sample 1 Sample 2

=

Signature

Sample 1 Sample 2 Sample 3 Sample 4 Sample 5 Sample 6

Sample 7 Sample 8 Sample 9 Sample 10 Sample 11 Sample 12

dynamic greedy algorithm

+ + + +

clause literal

DNF

clause weighed

is the lowest

weighting system

higher the weight, the less FP

lower the weight, the more FP

TMIN TMAX

over-specific

Basic optimizer

Evo optimizer

TMAX

Raw Optimized

From

application analysis reports

YARA rules

to

2 algorithms 2 optimizers heuristics

YARA rule parser

FP exclusion

Koodous

Rule Name Original YaYaGen Improvement

1,004 +86.3%

315 +43.2%

257 +89.0%

652 +16.6%

172 +8.2%

430 +131.2%

perform better 100 apps is less 5 minutes