Hashing Incomplete and Unordered Network Streams - Advances in Digital Forensics XIV
Conference Papers Year : 2018

Hashing Incomplete and Unordered Network Streams

Abstract

Deep packet inspection typically uses MD5 whitelists/blacklists or regular expressions to identify viruses, malware and certain internal files in network traffic. Fuzzy hashing, also referred to as context-triggered piecewise hashing, can be used to compare two files and determine their level of similarity. This chapter presents the stream fuzzy hash algorithm that can hash files on the fly regardless of whether the input is unordered, incomplete or has an initially-undetermined length. The algorithm, which can generate a signature of appropriate length using a one-way process, reduces the computational complexity from $$O\left( n \log n\right) $$ to O(n). In a typical deep packet inspection scenario, the algorithm hashes files at the rate of 68 MB/s per CPU core and consumes no more than 5 KB of memory per file. The effectiveness of the stream fuzzy hash algorithm is evaluated using a publicly-available dataset. The results demonstrate that, unlike other fuzzy hash algorithms, the precision and recall of the stream fuzzy hash algorithm are not compromised when processing unordered and incomplete inputs.
Fichier principal
Vignette du fichier
472401_1_En_12_Chapter.pdf (714.86 Ko) Télécharger le fichier
Origin Files produced by the author(s)
Loading...

Dates and versions

hal-01988840 , version 1 (22-01-2019)

Licence

Identifiers

Cite

Chao Zheng, Xiang Li, Qingyun Liu, Yong Sun, Binxing Fang. Hashing Incomplete and Unordered Network Streams. 14th IFIP International Conference on Digital Forensics (DigitalForensics), Jan 2018, New Delhi, India. pp.199-224, ⟨10.1007/978-3-319-99277-8_12⟩. ⟨hal-01988840⟩
71 View
234 Download

Altmetric

Share

More