Currently our decisions on malware are binary and the ruleset terminates on the first positive decision (i.e. malware detected). Changing this to an accumulated score allows for fuzzy decisions and therefore greater flexibility in configuration and in the thresholds for what is considered malware.
This could be implemented in the current ruleset engine or paired with a switch to a different implementation, e.g. YARA or a Custom Signature in Cuckoo.
I have very bad experience with "adding points for found anomalies". When I used it, large files with lots of non-spectacular anomalies resulted in a sum exceeding the threshold. Just for doing many things. To fight False Positives, we had to reduce the points for the single rules, resulting in lots of 0-point rules. Other measures (points per kilobyte of file) also had effects that could not be controlled.
And my project was not the only one. Rules that do instant-kill are better.
I agree. For a long time we have been pondering how to implement and structure a good, powerful and flexible ruleset. After we talked at the workshop and developers meeting I tend to discard the scoring idea. Also because of #37 and the suggestion by @michaelweiser to be able to have logic in between rules; I like that idea more, e.g.:
signature.35 : "Queries for the computername" and not filetype == pdf
AFAIK we had some "meta signatures" in Cuckoo: Signatures triggering if certain other signatures have triggered. I do not know if they still exist and are functioning properly. Also: If you extend the system beyond Cuckoo and add other classifiers, external meta signatures might be smarter...
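To make the trade-off in this thread concrete, here is an added example that is not the project's code: a toy rule engine that evaluates the same constructed analysis reports three ways. First-match with instant-kill verdicts (the current behaviour), accumulated points plus a per-kilobyte term (the proposal, including the side effect described above), and a meta-rule that references another rule's result, written the way the `signature ... and not filetype == pdf` expression in the comment suggests. Rule names, point values, API names, the threshold and the two sample reports are all made up for the illustration; the verdict attached to the meta-rule is an assumption.

```python
"""Toy comparison of first-match vs. accumulated-score rule evaluation.

Constructed illustration only; rules, weights and reports are invented.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A "report" stands in for one sample's analysis result (behavioural
# signatures plus file metadata), as a Cuckoo-style backend would produce it.
Report = Dict[str, object]
Lookup = Callable[[str], bool]   # resolves another rule's boolean result by name


@dataclass
class Rule:
    name: str
    # check(report, fired) -> True when the anomaly is present. `fired` lets a
    # rule reference other rules, i.e. "logic in between rules".
    check: Callable[[Report, Lookup], bool]
    verdict: Optional[str] = None   # "bad"/"good": ends first-match evaluation
    points: int = 0                 # weight used only by the scoring variant


RULES: List[Rule] = [
    # Instant-kill rule: a known-bad hash decides on its own (placeholder hash).
    Rule("known_bad_hash", lambda r, f: r["sha256"] == "a" * 64, verdict="bad", points=100),
    # Low-severity anomalies that legitimate software also shows.
    Rule("queries_computername", lambda r, f: "GetComputerNameW" in r["api_calls"], points=5),
    Rule("reads_registry", lambda r, f: "RegQueryValueExW" in r["api_calls"], points=3),
    Rule("opens_many_files", lambda r, f: r["files_opened"] > 50, points=3),
    Rule("has_network", lambda r, f: r["connections"] > 0, points=5),
    # Meta-rule modelled on the thread's expression; the "bad" verdict is an assumption.
    Rule("computername_not_pdf",
         lambda r, f: f("queries_computername") and not r["filetype"] == "pdf",
         verdict="bad"),
    # Catch-all so first-match always terminates with a decision.
    Rule("default_good", lambda r, f: True, verdict="good"),
]


def evaluate(report: Report, rules: List[Rule]) -> Dict[str, bool]:
    """Evaluate every rule once, lazily, so meta-rules can look others up."""
    by_name = {r.name: r for r in rules}
    results: Dict[str, bool] = {}

    def fired(name: str) -> bool:
        if name not in results:
            results[name] = bool(by_name[name].check(report, fired))
        return results[name]

    for r in rules:
        fired(r.name)
    return results


def first_match(report: Report, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Current behaviour: the first rule that fires and carries a verdict decides."""
    results = evaluate(report, rules)
    for r in rules:
        if r.verdict and results[r.name]:
            return r.verdict, r.name
    return "unknown", ""


def accumulated_score(report: Report, rules: List[Rule] = RULES,
                      threshold: float = 10.0, per_kb: float = 0.001) -> Tuple[float, str]:
    """Proposed behaviour: sum points of all fired rules plus a size-based term."""
    results = evaluate(report, rules)
    score = sum(r.points for r in rules if results[r.name]) + per_kb * float(report["size_kb"])
    return score, ("bad" if score >= threshold else "good")


# Constructed sample reports.
INSTALLER: Report = {   # large, busy, but nothing decisive: a typical setup.exe
    "sha256": "b" * 64, "filetype": "exe", "size_kb": 5000,
    "api_calls": ["RegQueryValueExW", "CreateFileW"], "files_opened": 200, "connections": 2,
}
SMALL_QUERIER: Report = {   # small executable whose only anomaly is the computer-name query
    "sha256": "c" * 64, "filetype": "exe", "size_kb": 120,
    "api_calls": ["GetComputerNameW"], "files_opened": 2, "connections": 0,
}


def compare(report: Report) -> Dict[str, str]:
    """Verdict of each strategy for one report, for side-by-side inspection."""
    return {"first_match": first_match(report)[0], "accumulated": accumulated_score(report)[1]}


if __name__ == "__main__":
    for label, rep in (("installer", INSTALLER), ("small_querier", SMALL_QUERIER)):
        print(label, compare(rep), "score=%.2f" % accumulated_score(rep)[0])
```

The large installer trips no decisive rule, yet its many small anomalies plus the per-kilobyte term add up to 16.0 and cross the threshold of 10, which is exactly the false positive described in the comment above; first-match calls it good. The small sample that queries the computer name is the opposite case: the composed rule decides "bad" immediately, while under additive scoring its 5.12 points never reach the threshold.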
Suggested by @Jack28.