Hi Ryan,

I found your message a bit confusing. You started talking about malware 
(samples), then you mentioned you created a web app to detect malicious URLs. 
And then you say you’re lost, but what exactly are you targeting? I don’t think 
Yara is that binary. Some thoughts:


  *   The sensitivity of a Yara rule can be lowered to simulate what a fuzzy 
approach would be. For example, instead of “all of them” you can have 
conditions like “2 of them” or “any of them”. So, a system may have different 
rulesets more or less aggressive, depending on what you want.
  *   AFAIK the Virus Total API is limited to 4 requests per minute if you are not a 
paid user. This can create a bottleneck in your system. Actually, why do you 
need Virus Total in this case?
  *   Yara has support for ssdeep [1], which is a fuzzy hash algorithm. Also, it 
can be extended to include TLSH [2] and telfhash [3] for instance. Or any other 
fuzzy, or locality-sensitive hash you want. You just have to create a module and 
that would be a great contribution to Yara. 😊

Hope that helps and sorry if I didn’t really answer your question.

[1] https://ssdeep-project.github.io/ssdeep/index.html
[2] https://github.com/trendmicro/tlsh
[3] https://github.com/trendmicro/telfhash

Thanks,
Fernando
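The first bullet above, worked through as an added ruleset that is not part of this thread or of the YARA project: the same indicator strings are compiled into three rules whose conditions loosen from "all of them" to "any of them", so a scanner reports the strictest tier that fired as a graded verdict rather than a single true/false. The API names and the "[c2_config]" marker are constructed placeholders, not real signatures.

```yara
// Added example, not code from the thread or from YARA itself.
// Three tiers over one indicator set; "not <rule>" keeps the tiers
// mutually exclusive so exactly one confidence level matches per file.

rule Injector_High
{
    meta:
        confidence = "high"
        description = "Every indicator present in a PE file"
    strings:
        $api1 = "CreateRemoteThread" ascii wide
        $api2 = "VirtualAllocEx" ascii wide
        $api3 = "WriteProcessMemory" ascii wide
        $cfg  = "[c2_config]" ascii          // constructed marker string
    condition:
        uint16(0) == 0x5A4D and all of them
}

rule Injector_Medium
{
    meta:
        confidence = "medium"
        description = "At least two of the three API names in a PE file"
    strings:
        $api1 = "CreateRemoteThread" ascii wide
        $api2 = "VirtualAllocEx" ascii wide
        $api3 = "WriteProcessMemory" ascii wide
    condition:
        uint16(0) == 0x5A4D and 2 of ($api*) and not Injector_High
}

rule Injector_Low
{
    meta:
        confidence = "low"
        description = "Any single indicator; noisy, for triage only"
    strings:
        $api1 = "CreateRemoteThread" ascii wide
        $api2 = "VirtualAllocEx" ascii wide
        $api3 = "WriteProcessMemory" ascii wide
        $cfg  = "[c2_config]" ascii
    condition:
        uint16(0) == 0x5A4D and any of them
            and not Injector_Medium and not Injector_High
}
```

Scanning with `yara -m` prints the `confidence` meta next to the matching rule name, which a triage script can map to a numeric score.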


From: yara-project@googlegroups.com <yara-project@googlegroups.com> on behalf 
of Ryan Choy <ryan.choyjia...@gmail.com>
Date: Monday, 15 February 2021 21:15
To: YARA <yara-project@googlegroups.com>
Subject: Malware Detection using Fuzzy Yara Rules

I am currently doing a dissertation/project and below is the description of the 
project

Yara rules are one of the most popular and widely used methods for malware 
detection. Yara rules basically describe patterns that identify particular 
strains or entire families of malware. Its success or failure is dependent on 
the quality of rules employed for malware triaging. Yara rules define 
everything in binary logic, either true or false, which may lead to inaccuracy 
in malware detection. Fuzzy inference systems use fuzzy rules to reason, where 
fuzzy rules extend the traditional binary logic to infinite valued logic, which 
therefore can be used to address the drawbacks of Yara rules. This project aims 
to develop a prototype fuzzy Yara rule system for malware detection using 
publicly available datasets. (python)

What I have done so far is create a web application built using Django to detect 
malicious URL(s), which include phishing/social engineering/malware-infected 
URL(s) (I could just focus on maybe ransomware). I have only done the web 
user interface so far; for the malware database I planned to get it from GitHub 
and will be using the VirusTotal API. I am really lost right now :(

If anyone could just give me a brief outline of what to do, that would be good enough, as 
the implementation is the hardest part for me.
--
You received this message because you are subscribed to the Google Groups 
"YARA" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to yara-project+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/yara-project/77a039e6-e5b8-4085-b5e2-360c94f0033an%40googlegroups.com.
