%0 Conference Proceedings %T Evaluation of network traffic analysis using approximate matching algorithms %+ Computer Science and Research Institute of Cyber Defense %+ Technische Universität Darmstadt - Technical University of Darmstadt (TU Darmstadt) %+ Universität der Bundeswehr München [Neubiberg] %A Göbel, Thomas %A Uhlig, Frieder %A Baier, Harald %Z Part 2: Approximate Matching Techniques %< peer-reviewed %( IFIP Advances in Information and Communication Technology %B 17th IFIP International Conference on Digital Forensics (DigitalForensics) %C Virtual, China %Y Gilbert Peterson %Y Sujeet Shenoi %I Springer International Publishing %3 Advances in Digital Forensics XVII %V AICT-612 %P 89-108 %8 2021-02-01 %D 2021 %R 10.1007/978-3-030-88381-2_5 %K Network traffic analysis %K approximate matching %K similarity hashing %Z Computer Science [cs] Conference papers %X Approximate matching has become indispensable in digital forensics, as practitioners often have to search for relevant files in massive digital corpora. The research community has developed a variety of approximate matching algorithms. However, not only data at rest but also data in motion can benefit from approximate matching: firewalls and data loss prevention systems that examine traffic flows in modern networks are key to preventing security compromises. This chapter discusses the current state of research, use cases, validations and optimizations related to applying approximate matching algorithms to network traffic analysis. For the first time, the efficacy of prominent approximate matching algorithms at detecting files in network packet payloads is evaluated, and the best candidates, namely TLSH, ssdeep, mrsh-net and mrsh-cf, are adapted to this task. The individual algorithms are compared, their strengths and weaknesses highlighted, and their detection rates evaluated in gigabit-range, real-world scenarios. 
The results are very promising, including a detection rate of 97% while maintaining a throughput of 4 Gbps when processing a large forensic file corpus. An additional contribution is the public sharing of optimized prototypes of the most promising algorithms. %G English %2 https://inria.hal.science/hal-03764372/document %2 https://inria.hal.science/hal-03764372/file/522103_1_En_5_Reference.pdf %L hal-03764372 %U https://inria.hal.science/hal-03764372 %~ IFIP-LNCS %~ IFIP %~ IFIP-AICT %~ IFIP-TC %~ IFIP-WG %~ IFIP-TC11 %~ IFIP-DF %~ IFIP-WG11-9 %~ IFIP-AICT-612
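The abstract describes the core task of the chapter: fingerprinting a file corpus with a similarity-hashing scheme and then deciding, for each packet payload cut from a network stream, whether it carries part of a corpus file. The following is an added example written for this record; it is not the authors' optimized TLSH/ssdeep/mrsh-net/mrsh-cf prototypes and makes no claim about their internals. It implements the general mrsh-style idea (content-defined chunking into a single corpus-wide Bloom filter, then per-payload chunk lookups against a hit threshold) with assumed parameters: a 7-byte rolling window, a CRC32-based boundary rule giving roughly 64-byte chunks, a 16-byte minimum chunk, a 2^16-bit filter with 4 hash positions, 1460-byte payloads and a threshold of 2 hits. The sample "files" are constructed random bytes.

```python
"""Simplified mrsh-style approximate matching of packet payloads (added example).

Illustration written for this record, not the authors' optimized TLSH/ssdeep/
mrsh-net/mrsh-cf prototypes. Every parameter below is an assumption for the demo.
"""
import hashlib
import random
import zlib

WINDOW = 7          # bytes of context that decide a chunk boundary
BLOCK_MASK = 63     # boundary when crc32(window) & 63 == 63 -> ~64-byte chunks
MIN_CHUNK = 16      # ignore tiny chunks: they collide across unrelated files
BLOOM_BITS = 1 << 16
BLOOM_HASHES = 4
MTU = 1460          # typical TCP payload size on Ethernet (assumed)
THRESHOLD = 2       # chunk hits needed to flag one payload (assumed)


def chunks(data):
    """Content-defined chunking. A boundary falls after byte i whenever the
    CRC32 of the WINDOW bytes ending at i has its low 6 bits set. Boundaries
    depend only on local content, so the interior chunks of a payload cut from
    a file at any offset are byte-identical to the file's own chunks; only the
    first and last chunk of a payload are truncated by packetization."""
    start = 0
    for i in range(WINDOW - 1, len(data)):
        if zlib.crc32(data[i - WINDOW + 1:i + 1]) & BLOCK_MASK == BLOCK_MASK:
            yield data[start:i + 1]
            start = i + 1
    if start < len(data):
        yield data[start:]


class Bloom:
    """Bit-array Bloom filter; one filter holds the chunks of the whole corpus."""

    def __init__(self, bits=BLOOM_BITS):
        self.bits = bits
        self.arr = bytearray(bits // 8)

    def _positions(self, chunk):
        d = hashlib.sha256(chunk).digest()
        return [int.from_bytes(d[4 * j:4 * j + 4], "big") % self.bits
                for j in range(BLOOM_HASHES)]

    def add(self, chunk):
        for p in self._positions(chunk):
            self.arr[p >> 3] |= 1 << (p & 7)

    def __contains__(self, chunk):
        return all(self.arr[p >> 3] & (1 << (p & 7)) for p in self._positions(chunk))


def build_filter(files):
    """Insert every usable chunk of every corpus file into one shared filter."""
    bloom = Bloom()
    for data in files:
        for c in chunks(data):
            if len(c) >= MIN_CHUNK:
                bloom.add(c)
    return bloom


def packetize(stream, mtu=MTU):
    """Cut a byte stream into MTU-sized payloads, as TCP segmentation would."""
    return [stream[i:i + mtu] for i in range(0, len(stream), mtu)]


def score(bloom, payload):
    """Return (hits, total): how many usable chunks of the payload are in the filter."""
    hits = total = 0
    for c in chunks(payload):
        if len(c) < MIN_CHUNK:
            continue
        total += 1
        if c in bloom:
            hits += 1
    return hits, total


def detection_rate(bloom, stream, mtu=MTU, threshold=THRESHOLD):
    """Fraction of payloads flagged: a payload counts as detected once at
    least `threshold` of its chunks are found in the filter."""
    pkts = packetize(stream, mtu)
    flagged = sum(1 for p in pkts if score(bloom, p)[0] >= threshold)
    return flagged / len(pkts)


# Constructed sample data: seeded random bytes stand in for files.
_rng = random.Random(2021)
FILE_A = bytes(_rng.getrandbits(8) for _ in range(8 * MTU))   # in corpus
FILE_B = bytes(_rng.getrandbits(8) for _ in range(8 * MTU))   # in corpus
UNKNOWN = bytes(_rng.getrandbits(8) for _ in range(8 * MTU))  # not in corpus
CORPUS_FILTER = build_filter([FILE_A, FILE_B])

if __name__ == "__main__":
    print("known file, aligned:", detection_rate(CORPUS_FILTER, FILE_A))
    # A constructed 200-byte application header shifts the stream so payload
    # boundaries no longer line up with the file start; chunking still aligns.
    print("known file, shifted:", detection_rate(CORPUS_FILTER, b"X" * 200 + FILE_B))
    print("unknown file:", detection_rate(CORPUS_FILTER, UNKNOWN))
```

The point a practitioner should take from the run is the reason local, content-defined boundaries matter for data in motion: a payload never starts at a chunk boundary, yet all chunks strictly inside it are recovered and looked up unchanged, so the per-payload hit threshold absorbs the two truncated edge chunks. Tuning the threshold trades the false-positive rate of the Bloom filter (which grows with corpus size for a fixed filter) against misses on short trailing segments, which is the kind of trade-off the chapter's gigabit-range evaluation quantifies for the real algorithms.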