论文信息 - Real Time Network File Similarity Detection Based on Approximate Matching

Real Time Network File Similarity Detection Based on Approximate Matching

Real-time packet inspection becomes a hot topic as it is needed in many applications such as spam and virus detection, intrusion and attack detection, and collection of statistics. To have an efficient inspection, most of the traditional techniques use exact matches on keyword and/or white/black MD5 lists. However, it is well-known that exact matches may not be effective to identify similar files such as the same videos with small changes, e.g. titles, posted by different users or metamorphic viruses (mutated computer viruses). However, approximate matching (e.g. fuzzy hashing) is known to be more robust to identify similar files and has been proven to be effective in digital forensics. In this paper, we try to confirm that by using an appropriate approximate matching approach, it is feasible and effective to inspect real-time traffic in order to identify similar files. Our experiments with real data show that our solution achieves good usability in practical. In particular, on a typical file detection scenario, we obtained an algorithm throughput of over 46MB/s.

[1] Vassil Roussev,et al. An evaluation of forensic similarity hashes , 2011, Digit. Investig..

[2] Jiyong Jang,et al. Experimental study of fuzzy hashing in malware clustering analysis , 2015 .

[3] Harald Baier,et al. An Efficient Similarity Digests Database Lookup - A Logarithmic Divide & Conquer Approach , 2014, J. Digit. Forensics Secur. Law.

[4] Ibrahim M. Baggili,et al. File Detection On Network Traffic Using Approximate Matching , 2014, J. Digit. Forensics Secur. Law.

[5] Jesse D. Kornblum. Identifying almost identical files using context triggered piecewise hashing , 2006, Digit. Investig..

[6] Irfan-Ullah Awan,et al. Detection of Malicious Portable Executables Using Evidence Combinational Theory with Fuzzy Hashing , 2016, 2016 IEEE 4th International Conference on Future Internet of Things and Cloud (FiCloud).

[7] Andrei Broder,et al. Network Applications of Bloom Filters: A Survey , 2004, Internet Math..

[8] Harald Baier,et al. Properties of a similarity preserving hash function and their realization in sdhash , 2012, 2012 Information Security for South Africa.

[9] Harald Baier,et al. On the database lookup problem of approximate matching , 2014, Digit. Investig..

[10] Vassil Roussev,et al. Data Fingerprinting with Similarity Digests , 2010, IFIP Int. Conf. Digital Forensics.