Pattern Matching in YARA: Improved Aho-Corasick Algorithm

Kód výsledku v IS VaVaI

<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F00216305%3A26230%2F21%3APU140744" target="_blank" >RIV/00216305:26230/21:PU140744 - isvavai.cz</a>

Výsledek na webu

<a href="https://ieeexplore.ieee.org/document/9410267" target="_blank" >https://ieeexplore.ieee.org/document/9410267</a>

DOI - Digital Object Identifier

<a href="http://dx.doi.org/10.1109/ACCESS.2021.3074801" target="_blank" >10.1109/ACCESS.2021.3074801</a>

Jazyk výsledku

angličtina

Název v původním jazyce

Pattern Matching in YARA: Improved Aho-Corasick Algorithm

Popis výsledku v původním jazyce

YARA is a tool for pattern matching used by malware analysts all over the world. YARA can scan files, as well as process memory. It allows us to define sequences of symbols as text strings, hexadecimal strings, and regular expressions. However, the use of regular expressions is limited because of the concern that it can slow down the scanning process. In this paper, we analyze the true nature of regular expressions in YARA and its implementation. We discovered several reasons regular expressions can, in a fact, slow down scanning based on the nature of the used algorithm, Aho-Corasick. We proposed a new version of this algorithm and we implemented it in the original version of this tool. The experiments are presented, proving the speed of pattern matching with regular expressions can be indeed improved.

Název v anglickém jazyce

Pattern Matching in YARA: Improved Aho-Corasick Algorithm

Popis výsledku anglicky

YARA is a tool for pattern matching used by malware analysts all over the world. YARA can scan files, as well as process memory. It allows us to define sequences of symbols as text strings, hexadecimal strings, and regular expressions. However, the use of regular expressions is limited because of the concern that it can slow down the scanning process. In this paper, we analyze the true nature of regular expressions in YARA and its implementation. We discovered several reasons regular expressions can, in a fact, slow down scanning based on the nature of the used algorithm, Aho-Corasick. We proposed a new version of this algorithm and we implemented it in the original version of this tool. The experiments are presented, proving the speed of pattern matching with regular expressions can be indeed improved.

Druh

J_imp - Článek v periodiku v databázi Web of Science

CEP obor

—

OECD FORD obor

10201 - Computer sciences, information science, bioinformathics (hardware development to be 2.2, social aspect to be 5.8)

Projekt

—

Návaznosti

S - Specificky vyzkum na vysokych skolach

Rok uplatnění

2021

Kód důvěrnosti údajů

S - Úplné a pravdivé údaje o projektu nepodléhají ochraně podle zvláštních právních předpisů

Název periodika

IEEE Access

ISSN

2169-3536

e-ISSN

—

Svazek periodika

9

Číslo periodika v rámci svazku

1

Stát vydavatele periodika

US - Spojené státy americké

Počet stran výsledku

10

Strana od-do

62857-62866

Kód UT WoS článku

000645857100001

EID výsledku v databázi Scopus

2-s2.0-85104574203