YAMME: a YAra-byte-signatures Metamorphic Mutation Engine

Recognition of known malicious patterns through signature-based systems is unsuccessful against malware for which no signature exists to identify them. These include not only zero-day but also software able self-replicate rewriting its own code leaving unaffected execution, namely metamorphic malware. YARA a popular analysis tool that uses the so-called YARA-rules, are built match contents within files or network packets analyzed by an Anti-Virus engine. Sometimes such content expressed in form byte-signature, i.e., sequence operational machine-level code. However, these can be bypassed since obfuscation techniques change sequences, them several equivalent forms. This paper presents YAMME, YARA-byte-signatures Metamorphic Mutation Engine strengthen rules some deployed mutation engines. First, it rewrites YARA-bye-signatures ways, as engine would do. Second, optimization phase exploits YARA-rules syntax constructs provide formats, making suitable different real-world application requirements. YAMME have been evaluated on MWOR, G2, NGVCK, and MetaNG datasets, resulting better detection rate than achieved generated AutoYara. Furthermore, computational overhead required formats validates low impact introduced at level.