Malware Detection on Local Network based on Honeypot and Yara

Nur Rohman Rosyid, Budi Bayu Murti, Brama Prayudha, Arul Ferian Ramadloni, Lukman Subekti


The malware threats have never subsided, even the trend shows an increase and varies along with the development of hardware and software technology. End user may not realize if their machine is compromised by malware. It could be the anti-malware mechanism is not working properly, such as the anti-virus is not updated or there is a zero-day attack. Therefore, it is necessary to detect the presence of malware on  end-systems devices or  the existence of zero-day attack in the local network. Implementation of honeypot as a security sensor that collects malware attack data in the form of malware files and malware hashes can be used as signatures for scanning and detecting malware. This research utilizes a honeypot as a security sensor to catching malware. The malware hash from the honeypot is used to scanning and detecting the presence of malware on the end-system in a local network such as a PC or server. Furthermore, Yara helps clarify the type of malware found by scanning suspected files. The results of scanning and detecting of malware by Yara will be reported to the appropriate authorities via Telegram application channles. This research contributes by providing early warning of potential security threats to the network and collecting hash code of recently malware attacking to the network.

Keywords: Honeypot, Malware, Yara, Proactive Security.

Full Text:



O. R. M. B. L. L. M. Christos D, “Main incidents in the EU and worldwide ENISA Threat Landscape,” Greece, Apr. 2020.

A. Vetterl and R. Clayton, “Honware: A Virtual Honeypot Framework for Capturing CPE and IoT Zero Days,” in eCrime Researchers Summit, eCrime, 2019, vol. 2019-November. doi: 10.1109/eCrime47957.2019.9037501.

A. Tambe et al., “Detection of threats to IoT devices using scalable VPN-forwarded honeypots,” in CODASPY 2019 - Proceedings of the 9th ACM Conference on Data and Application Security and Privacy, 2019. doi: 10.1145/3292006.3300024.

G. H. P. Wibawa, I. G. M. A. Sasmita, and I. M. S. Raharja, “Analisis Data Log Honeypot Menggunakan Metode K-Means Clustering,” Jurnal Ilmiah Merpati (Menara Penelitian Akademika Teknologi Informasi), 2020, doi: 10.24843/jim.2020.v08.i01.p02.

N. Naik, P. Jenkins, N. Savage, L. Yang, K. Naik, and J. Song, “Augmented YARA Rules Fused with Fuzzy Hashing in Ransomware Triaging,” in 2019 IEEE Symposium Series on Computational Intelligence, SSCI 2019, 2019. doi: 10.1109/SSCI44817.2019.9002773.

P. Arntz, “Explained: YARA rules,”, 2020.

M. Brengel and C. Rossow, “YARIX: Scalable YARA-based malware intelligence,” in Proceedings of the 30th USENIX Security Symposium, 2021.

D. Regeciova, D. Kolar, and M. Milkovic, “Pattern Matching in YARA: Improved Aho-Corasick Algorithm,” IEEE Access, vol. 9, 2021, doi: 10.1109/ACCESS.2021.3074801.

C. Culling, “Which YARA Rules Rule: Basic or Advanced?,” GIAC (GCIA) Gold Certification and RES 5500, 2018.

J. Bao, C. P. Ji, and G. Mo, “Research on network security of defense based on honeypot,” in ICCASM 2010 - 2010 International Conference on Computer Application and System Modeling, Proceedings, 2010, vol. 10. doi: 10.1109/ICCASM.2010.5622780.

S. Lee, A. Abdullah, N. Jhanjhi, and S. Kok, “Classification of botnet attacks in IoT smart factory using honeypot combined with machine learning,” PeerJ Comput Sci, vol. 7, 2021, doi: 10.7717/PEERJ-CS.350.

L. Seungjin, A. Abdullah, and N. Z. Jhanjhi, “A review on honeypot-based botnet detection models for smart factory,” International Journal of Advanced Computer Science and Applications, vol. 11, no. 6, 2020, doi: 10.14569/IJACSA.2020.0110654.

K. Chawda and A. D. Patel, “Dynamic & hybrid honeypot model for scalable network monitoring,” in 2014 International Conference on Information Communication and Embedded Systems, ICICES 2014, 2015. doi: 10.1109/ICICES.2014.7033844.

P. Black, I. Gondal, A. Bagirov, and M. Moniruzzaman, “Malware Variant Identification Using Incremental Clustering,” Electronics (Basel), vol. 10, no. 14, 2021, doi: 10.3390/electronics10141628.

N. Naik, P. Jenkins, N. Savage, L. Yang, K. Naik, and J. Song, “Embedding Fuzzy Rules with YARA Rules for Performance Optimisation of Malware Analysis,” in IEEE International Conference on Fuzzy Systems, 2020, vol. 2020-July. doi: 10.1109/FUZZ48607.2020.9177856.

N. Naik, P. Jenkins, R. Cooke, J. Gillett, and Y. Jin, “Evaluating Automatically Generated YARA Rules and Enhancing Their Effectiveness,” in 2020 IEEE Symposium Series on Computational Intelligence, SSCI 2020, 2020. doi: 10.1109/SSCI47803.2020.9308179.

N. R. Rosyid, M. Ohrui, H. Kikuchi, P. Sooraksa, and M. Terada, “A discovery of sequential attack patterns of malware in botnets,” in Conference Proceedings - IEEE International Conference on Systems, Man and Cybernetics, 2010. doi: 10.1109/ICSMC.2010.5641914.


Article Metrics

Abstract view : 641 times
PDF - 193 times


  • There are currently no refbacks.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.