Detail výsledku
Pattern Matching in YARA: Improved Aho-Corasick Algorithm
YARA is a tool for pattern matching used by malware analysts all over the world. YARA can scan files, as well as process memory. It allows us to define sequences of symbols as text strings, hexadecimal strings, and regular expressions. However, the use of regular expressions is limited because of the concern that it can slow down the scanning process.
In this paper, we analyze the true nature of regular expressions in YARA and its implementation.
We discovered several reasons regular expressions can, in a fact, slow down scanning based on the nature of the used algorithm, Aho-Corasick. We proposed a new version of this algorithm and we implemented it in the original version of this tool.
The experiments are presented, proving the speed of pattern matching with regular expressions can be indeed improved.
Aho-Corasick algorithm, pattern matching, regular expressions, YARA
@article{BUT171395,
author="Dominika {Regéciová} and Dušan {Kolář} and Marek {Milkovič}",
title="Pattern Matching in YARA: Improved Aho-Corasick Algorithm",
journal="IEEE Access",
year="2021",
volume="9",
number="1",
pages="62857--62866",
doi="10.1109/ACCESS.2021.3074801",
issn="2169-3536",
url="https://ieeexplore.ieee.org/document/9410267"
}