
Pattern Matching in YARA: Improved Aho-Corasick Algorithm


We proposed an improved version of the Aho-Corasick algorithm that enables faster and more extended use of regular expressions in YARA, a well-known tool for malware dete...

Abstract:

YARA is a pattern-matching tool used by malware analysts all over the world. YARA can scan files as well as process memory. It allows us to define sequences of symbols as text strings, hexadecimal strings and regular expressions. However, the use of regular expressions is limited because of the concern that they can slow down the scanning process. In this paper, we analyze the true nature of regular expressions in YARA and their implementation. We have, in fact, discovered several reasons why regular expressions can slow down scanning, based on the nature of the algorithm used, Aho-Corasick. We have proposed a new version of this algorithm and have implemented it in the original version of this tool. The experiments are presented, proving that the speed of pattern matching with regular expressions can indeed be improved. In selected cases, the proposed version was about 27% faster than the original version, and in instances where strings were optimized for the original version, their speed was found to be comparable.
Published in: IEEE Access (Volume: 9)
Page(s): 62857 - 62866
Date of Publication: 21 April 2021
Electronic ISSN: 2169-3536
