Stylometric Analysis Reveals Identifiable Signatures in Anonymous YARA Rules

arXiv CS · · 3 min read · Engineering & Technology

Read research and analysis on Stylometric Analysis Reveals Identifiable Signatures in Anonymous YARA Rules published by ICANEWS, a global research journal for emerging researchers.

Key Takeaways

  • Repository origin of YARA rules can be recovered with up to 99% accuracy.
  • Individual authors of YARA rules can be re-identified with 76% accuracy, well above chance.
  • Malware family classification based on YARA rules achieves 95% accuracy.
  • Evidence of temporal drift in repository fingerprints was observed, with a 9-18% accuracy gap between full-history and time-restricted datasets.
  • Authors can be re-identified for five of seven tested families (mean 74.6% accuracy) even when malware family is the same.

Why This Matters

This study is the initial systematic demonstration that YARA rule sharing exposes a measurable OPSEC attack surface. It indicates that the removal of metadata alone is not sufficient to anonymize contributing organizations or individual authors participating in threat intelligence exchanges.

Overview

This study investigates the extent to which identifying characteristics can be inferred from YARA rule text alone, even after metadata such as author fields have been removed. The practice of sharing YARA rules across threat intelligence communities for collective malware defense implicitly relies on the assumption that metadata removal sufficiently anonymizes the contributing organizations. This research challenges that assumption through a systematic evaluation using stylometric fingerprinting.

Research Context

YARA rules are a common mechanism for identifying malware patterns and are frequently exchanged among threat intelligence communities. The removal of explicit metadata associated with these rules is often presumed to protect the identity of the contributors. The underlying question addressed by this research is whether this metadata removal is genuinely effective in achieving anonymity for the rule creators and their originating repositories.

Approach

A corpus comprising 23,305 YARA rules, gathered from three prominent public repositories, was assembled for this investigation. The researchers systematically evaluated the inferability of four distinct stylometric fingerprint dimensions: individual author, source repository, malware family, and temporal drift. This evaluation was conducted using three complementary analytical methods:

  • Lexical n-grams (utilizing Burrows’ Delta)
  • Syntactic Abstract Syntax Tree (AST) features (based on Caliskan-Islam's approach)
  • Fine-tuned CodeBERT model

To further differentiate between content-specific attributes and stylistic elements, experiments were also conducted to perform author attribution within the same malware family. This involved analyzing samples belonging to a single malware family and attempting to re-identify their authors.

Findings

The systematic evaluation demonstrated that significant identifying information can be inferred from YARA rule text. Key findings include:

  • Repository Origin Attribution

    The origin repository of YARA rules was recoverable with an accuracy of up to 99%. This indicates a high degree of distinctiveness in how different repositories contribute rules, even without explicit metadata.

  • Individual Author Re-identification

    Individual authors could be re-identified with an accuracy of 76%, which is substantially above random chance. This suggests that authors exhibit persistent stylistic traits within their rule creations.

  • Malware Family Classification

    Classification of YARA rules by their associated malware family achieved an accuracy of 95%. This finding is separate from attribution of origin or author but confirms strong links between rule characteristics and the malware they target.

  • Temporal Drift Evidence

    A comparison of repository attribution tasks between full-history datasets and time-restricted subsets revealed an accuracy gap ranging from 9% to 18%. This difference provides preliminary evidence suggesting temporal drift in the stylistic fingerprints associated with repositories over time.

  • Per-Malware Family Author Attribution

    Experiments designed to disentangle content from style showed that even when the malware family was held constant across all considered samples, authors could still be re-identified. This was observed across five out of seven tested malware families, with a mean accuracy of 74.6%. This indicates that authorial style persists even when the technical subject matter (malware family) is the same.

Why This Matters

These findings represent the first systematic demonstration that the sharing of YARA rules, despite metadata removal, constitutes a measurable Operational Security (OPSEC) attack surface. The research indicates that the practice of simply removing metadata is insufficient to mitigate the risk of re-identification for contributing organizations or individual authors.

Research Information

Institution
arXiv CS
Original Study
View Publication
Source
arXiv CS

About ICANEWS

ICANEWS is a global research journal for emerging researchers, publishing student and emerging researcher work across all fields.