Abstract

Malware signatures are a powerful tool for malware detection and classification, widely used by security researchers and security solution providers. Yara rules describe malware by string patterns that are evaluated against targeted files. Generally, the security provider sends the signatures to the client endpoints and the rule evaluation is performed locally, so that the scanned files never leave the client machines. However, if a zero-day vulnerability is discovered and the security provider distributes the corresponding signature, there is a considerable risk of also disclosing the unpatched vulnerability, since the signature itself describes what the exploit looks like. A solution is homomorphically encrypted Yara rules, which can be evaluated on targeted files without being decrypted. In this article, we propose a homomorphic Yara rule evaluation method and compare it with the HENFA method (Homomorphic Encryption for Finite Automata (Genise et al., 2019)). For our method, we propose a fully homomorphic exact string matching algorithm based on the TFHE scheme (Fully Homomorphic Encryption over the Torus (Chillotti et al., 2020)). In order to determine how suitable the exact string matching approach is in practice, we analyze a public Yara rules repository and generate statistics about the patterns used in its rules. For the two homomorphic Yara rule matching methods, both theoretical and experimental comparative evaluations are presented. Our proposed method produces smaller ciphertexts and is more efficient in the average testing scenarios than the HENFA method.
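The following is an added illustration, not the paper's algorithm or code: it expresses exact string matching of a Yara text pattern against a file as a Boolean circuit over individual bits, which is the level at which TFHE gate bootstrapping operates (one encrypted bit per ciphertext, one bootstrapping per binary gate). The bits are left in the clear here so the example runs offline; the gate counter stands in for the cost a real TFHE evaluation would pay per gate. The sample text and pattern are constructed, and the XNOR/AND/OR decomposition is one plausible structure for such a circuit, assumed for the example rather than taken from the article.

```python
# Added example (not from the article): exact string matching as a bit-level
# Boolean circuit, with gate counting as a rough cost model for a TFHE-style
# evaluation where every binary gate on encrypted bits is bootstrapped.
from dataclasses import dataclass


@dataclass
class GateCount:
    xnor: int = 0
    and_: int = 0
    or_: int = 0

    def total(self) -> int:
        return self.xnor + self.and_ + self.or_


def bits_of(data: bytes) -> list[int]:
    """LSB-first bit decomposition; in TFHE each bit would be one ciphertext."""
    return [(b >> k) & 1 for b in data for k in range(8)]


# Each gate is counted once; with gate bootstrapping each would cost one
# bootstrapping regardless of circuit depth, so the count is what matters.
def g_xnor(c: GateCount, x: int, y: int) -> int:
    c.xnor += 1
    return 1 - (x ^ y)


def g_and(c: GateCount, x: int, y: int) -> int:
    c.and_ += 1
    return x & y


def g_or(c: GateCount, x: int, y: int) -> int:
    c.or_ += 1
    return x | y


def reduce_tree(c: GateCount, gate, vals: list[int]) -> int:
    """Balanced reduction of a non-empty list; uses len(vals) - 1 gates."""
    vals = list(vals)
    while len(vals) > 1:
        nxt = [gate(c, vals[i], vals[i + 1]) for i in range(0, len(vals) - 1, 2)]
        if len(vals) % 2:
            nxt.append(vals[-1])
        vals = nxt
    return vals[0]


def match_at(c: GateCount, text_bits: list[int], pat_bits: list[int], offset: int) -> int:
    """1 iff the pattern equals the text window starting at bit `offset`."""
    eqs = [g_xnor(c, text_bits[offset + j], pat_bits[j]) for j in range(len(pat_bits))]
    return reduce_tree(c, g_and, eqs)


def exact_match(text: bytes, pattern: bytes) -> tuple[int, GateCount]:
    """Return (1 if pattern occurs anywhere in text else 0, gate counts).

    Every byte offset is tested and the per-offset results are OR-ed, since an
    encrypted evaluator cannot short-circuit on an early hit without leaking.
    """
    if not pattern:
        raise ValueError("empty pattern")  # Yara does not allow empty strings
    c = GateCount()
    t, p = bits_of(text), bits_of(pattern)
    if len(p) > len(t):
        return 0, c
    hits = [match_at(c, t, p, 8 * i) for i in range(len(text) - len(pattern) + 1)]
    return reduce_tree(c, g_or, hits), c


if __name__ == "__main__":
    # Constructed sample input standing in for a scanned file and a rule string.
    hit, cost = exact_match(b"hello world", b"world")
    print(hit, cost, cost.total())
```

For a text of n bytes and a pattern of m bytes the circuit uses (n - m + 1) windows of 8m XNOR and 8m - 1 AND gates plus n - m OR gates, i.e. linear in n times m. Multiplying the total by the per-gate bootstrapping time of the chosen TFHE parameter set gives a first estimate of evaluation cost, and it makes clear why only rules made of plain strings fit this approach: regexes and hex strings with wildcards need a different circuit, which is what the repository statistics in the article are meant to quantify.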
