Switch branches/tags
Nothing to show
Find file History
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
..
Failed to load latest commit information.
images
test
README.md
impfuzzy_for_neo4j.py

README.md

impfuzzy for Neo4j

Python script for clustering malware based on fuzzy hash and importing/visualizing the result using Neo4j.

The following tools and a methods are used:

impfuzzy for fuzzy hash calculation.
Neo4j for a graph database.
The Louvain Method to detect community from large networks.

More details are described in the following documents:
https://www.jpcert.or.jp/magazine/acreport-impfuzzy_neo4.html (Japanese)
http://blog.jpcert.or.jp/2017/03/malware-clustering-using-impfuzzy-and-network-analysis---impfuzzy-for-neo4j-.html (English)

impfuzzy for Neo4j sample

Requirements

This script requires the following modules:

Usage

  1. Download and install Neo4j community edition.
  2. Start the Neo4j server.
  3. Enter your Neo4j password to impfuzzy_for_neo4j.py
NEO4J_PASSWORD = "{password}"
  1. Import the result of clustering by impfuzzy using impfuzzy_for_neo4j.py
    Use -h to see help message.
  • -f - import from file (one EXE or DLL file)
  • -d - import from directory (multiple EXE and/or DLL files)
  • -l - import from csv file (File Name, impfuzzy hash, md5, sha1, sha256)
  1. Access http://localhost:7474 via Web browser.
  2. Use Cypher query to see the graph.

Cypher Query Examples

Visualizing all clusters

$ MATCH (m:Malware) RETURN m

Visualizing clusters that match a specific MD5 hash

MATCH (m1:Malware) WHERE m1.md5 = "149925d0d9ab9bf37af1f38dfe9c2af5"
MATCH (m2:Malware) WHERE m2.cluster = m1.cluster

RETURN m2

Visualizing clusters that match the impfuzzy threshold greater than 90

$ MATCH (m:Malware)-[s:same]-() WHERE s.value > 90 RETURN m,s