Evaluating detection error trade-offs for bytewise approximate matching algorithms |
| |
Institution: | 1. Department of Electrical and Computer Engineering, Air Force Institute of Technology, 1950 Hobson Way, Wright-Patterson AFB, OH 45433-7765, United States;2. Department of Systems and Engineering Management, Air Force Institute of Technology, 1950 Hobson Way, Wright-Patterson AFB, OH 45433-7765, United States;1. School of Information Science and Engineering, Hunan University, Changsha, Hunan Province 410082, China;2. Key Laboratory for Embedded and Network Computing of Hunan Province, Hunan University, Changsha, Hunan Province 410082, China;1. da/sec - Biometrics and Internet Security Research Group, Hochschule Darmstadt, Haardtring 100, 64295 Darmstadt, Germany;2. Department of Computer Science, University of New Orleans, New Orleans, LA 70148, USA |
| |
Abstract: | Bytewise approximate matching is a relatively new area within digital forensics, but its importance is growing quickly as practitioners are looking for fast methods to analyze the increasing amounts of data in forensic investigations. The essential idea is to complement the use of cryptographic hash functions to detect data objects with bytewise identical representation with the capability to find objects with bytewise similar representations.Unlike cryptographic hash functions, which have been studied and tested for a long time, approximate matching ones are still in their early development stages, and have been evaluated in a somewhat ad-hoc manner. Recently, the FRASH testing framework has been proposed as a vehicle for developing a set of standardized tests for approximate matching algorithms; the aim is to provide a useful guide for understanding and comparing the absolute and relative performance of different algorithms.The contribution of this work is twofold: a) expand FRASH with automated tests for quantifying approximate matching algorithm behavior with respect to precision and recall; and b) present a case study of two algorithms already in use–sdhash and ssdeep. |
| |
Keywords: | Hashing Approximate matching Similarity hashing sdhash mrsh-v2 ssdeep FRASH |
本文献已被 ScienceDirect 等数据库收录! |
|