Binary Similarity : Theory, Algorithms and Tool Evaluation
Liwei Renvisibility
…
description
24 pages
link
1 file
Similarity digesting is a class of algorithms and technologies that generate hashes from files and preserve file similarity. They find applications in various areas across security industry: malware variant detection, spam filtering, computer forensic analysis, data loss prevention and etc.. There are a few schemes and tools available that include ssdeep, sdhash and TLSH. While being useful for detecting file similarity, they define similarity from different perspectives. In other words, they take different approaches to describe what file similarity is about. In order to compare those tools with better evaluation, we introduce a simple mathematical model to describe similarity that would cover all three schemes and beyond. This model enables us to establish a theoretic framework for analyzing essential differences of various similarity digesting algorithms & tools. As a result, a few tools are found to be complementary to each other so that we can use them in a hybrid approach in practice. Data experiment results are provided to support the theoretic analysis. In addition, we introduce a novel similarity digesting scheme that were designed based on the mathematical model.
Sign up for access to the world's latest research.
checkGet notified about relevant papers
checkSave papers to use in your research
checkJoin the discussion with peers
checkTrack your impact
Related papers
Bloom Based File Similarity for Computer Security
2012
In this paper, we describe the use of Bloom filters as a sliding window hash storage mechanism for similarity comparisons. The focus of the paper is overcoming accuracy issues in current file similarity methods.
On Attacking Locality Sensitive Hashes and Similarity Digests
There has been considerable research and use of similarity digests and Locality Sensitive Hashing (LSH) schemes - those hashing schemes where small changes in a file result in small changes in the digest. These schemes are useful in security and forensic applications. We examine how well three similarity digest schemes (Ssdeep, Sdhash and TLSH) work when exposed to random change. Various file types are tested by randomly manipulating source code, Html, text and executable files. In addition, we test for similarities in modified image files that were generated by cybercriminals to defeat fuzzy hashing schemes (spam images). The experiments expose shortcomings in the Sdhash and Ssdeep schemes that can be exploited in straight forward ways. The results suggest that the TLSH scheme is more robust to the attacks and random changes considered.
Probabilistic near-duplicate detection using simhash
Proceedings of the 20th ACM international …, 2011
This paper offers a novel look at using a dimensionalityreduction technique called simhash [8] to detect similar document pairs in large-scale collections. We show that this algorithm produces interesting intermediate data, which is normally discarded, that can be used to predict which of the bits in the final hash are more susceptible to being flipped in similar documents. This paves the way for a probabilistic search technique in the Hamming space of simhashes that can be significantly faster and more space-efficient than the existing simhash approaches. We show that with 95% recall compared to deterministic search of prior work [16], our method exhibits 4-14 times faster lookup and requires 2-10 times less RAM on our collection of 70M web pages.
F2S2: Fast forensic similarity search through indexing piecewise hash signatures
Digital Investigation, 2013
Fuzzy hashing provides the possibility to identify similar files based on their hash signatures, which is useful for forensic investigations. Current tools for fuzzy hashing, e. g. ssdeep, perform similarity search on fuzzy hashes by brute force. This is often too time-consuming for real cases. We solve this issue for ssdeep and even a larger class of fuzzy hashes, namely for piecewise hash signatures, by introducing a suitable indexing strategy. The strategy is based on n-grams contained in the piecewise hash signatures, and it allows for answering similarity queries very efficiently. The implementation of our solution is called F2S2. This tool reduces the time needed for typical investigations from many days to minutes.
Lightweight hash-based de-duplication system using the self detection of most repeated patterns as chunks divisors
Journal of King Saud University – Computer and Information Sciences, 2021
Data reduction has gained growing emphasis due to the rapidly unsystematic increase in digital data and has become a sensible approach to big data systems. Data deduplication is a technique to optimize the storage requirements and plays a vital role to eliminate redundancy in large-scale storage. Although it is robust in finding suitable chunk-level break-points for redundancy elimination, it faces key problems of (1) low chunking performance, which causes chunking stage bottleneck, (2) a large variation in chunksize that reduces the efficiency of deduplication, and (3) hash computing overhead. To handle these challenges, this paper proposes a technique for finding proper cut-points among chunks using a set of commonly repeated patterns (CRP), it picks out the most frequent sequences of adjacent bytes (i.e., contiguous segments of bytes) as breakpoints. Besides to scalable lightweight triple-leveled hashing function (LT-LH) is proposed, to mitigate the cost of hashing function processing and storage overhead; the number of hash levels used in the tests was three, these numbers depend on the size of data to be de-duplicated. To evaluate the performance of the proposed technique, a set of tests was conducted to analyze the dataset characteristics in order to choose the near-optimal length of bytes used as divisors to produce chunks. Besides this, the performance assessment includes determining the proper system parameter values leading to an enhanced deduplication ratio and reduces the system resources needed for data deduplication. Since the conducted results demonstrated the effectiveness of the CRP algorithm is 15 times faster than the basic sliding window (BSW) and about 10 times faster than two thresholds two divisors (TTTD). The proposed LT-LH is faster five times than Secure Hash Algorithm 1 (SHA1) and Message-Digest Algorithm 5 (MD5) with better storage saving.
The Search of New Issues in the Detection of Near-duplicated Documents
2014
Identifying the same document is the task of near-duplicate detection. Among the near-duplicate detection algorithms, the fingerprinting algorithm is taken into consideration using in analysis, plagiarism, repair and maintenance of social softwards. The idea of using fingerprints is in order to identifying duplicated material like cryptographic hash functions which are secure against destructive attacks. These functions serve as high-quality fingerprinting functions. Cryptographic hash algorithms are including MD5 and SHA1 that have been widely applied in the file system. In this paper, using available heuristic algorithms in near-duplicate detection, a set of similar pair document are placed in a certain threshold, an each set is indentified according to being near- duplicate. Furthermore, comparing document is performed by fingerprinting algorithm, and finally, the total value is calculated using the standard method.
Multi-resolution similarity hashing
2007
Large-scale digital forensic investigations present at least two fundamental challenges. The first one is accommodating the computational needs of a large amount of data to be processed. The second one is extracting useful information from the raw data in an automated fashion. Both of these problems could result in long processing times that can seriously hamper an investigation. In this paper, we discuss a new approach to one of the basic operations that is invariably applied to raw data–hashing.
A document comparison scheme for secure duplicate detection
International Journal on Digital Libraries, 2004
The ever-growing volumes of textual information from various sources have fostered the development of digital libraries, making digital content readily accessible but also easy for malicious users to plagiarize, thus giving rise to security problems. In this paper, we introduce a duplicate detection scheme that is able to determine, with a particularly high accuracy, the degree to which one document is similar to another. Our pairwise document comparison scheme detects the resemblance between the content of documents by considering document chunks, representing contexts of words selected from the text. The resulting duplicate detection technique presents a good level of security in the protection of intellectual property while improving the availability of the data stored in the digital library and the correctness of the search results. Finally, the paper addresses efficiency and scalability issues by introducing new data reduction techniques.
Children of Lucifer: The Origins of Modern Religious Satanism, by Ruben van Luijk
Aries, 2018
View Crossmark data research. I expect the book will influence modern Asatru, a faith whose members are often open to academic research. Even seasoned Asatru followers report discovering in Norse Revival groups they have never heard of. The 48-page bibliography alone will be valuable to any future student of Asatru. The one useful tool I missed is a tabular overview with core information of all groups mentioned in the book, many named in unfamiliar languages and some later referred to by acronym only. There are a number of small errors regarding detail that are usually only mentioned to prove the reviewer's thorough reading; for example, the NPD is not "Germany's right-wing party" but the neo-Nazi party and the Wiking-Jugend is not "under police observation" but was banned decades ago (50). But these are trifles in an overall excellent and recommendable book.
Binary Similarity : Theory, Algorithms and Tool
Evaluation
Liwei Ren, Ph.D, Trend Micro™
University of Houston-Downtown, Houston, Texas, October, 2015
Copyright 2011 Trend Micro Inc.
1
Agenda
• What is binary similarity ?
• Similarity Digesting: 3 Algorithms
• A Mathematical Model
• Tool Evaluation
• A Novel Fuzzy Hashing
• Summary and Further Research
Classification 10/1/2015
Copyright 2011 Trend Micro Inc.
2
What Is Binary Similarity?
• Binary similarity or approximate matching.
– What is binary similarity ?
• 4 Use Cases specified by a NIST document:
Classification 10/1/2015
Copyright 2011 Trend Micro Inc.
3
What Is Binary Similarity?
Classification 10/1/2015
Copyright 2011 Trend Micro Inc.
4
Similarity Digesting : 3 Algorithms
• Similarity digesting (aka, fuzzy hashing):
– A class of hash techniques or tools that preserve similarity.
– Typical steps for digest generation:
– Detecting similarity with similarity digesting:
• Three similarity digesting algorithms and tools:
– ssdeep, sdhash & TLSH
Classification 10/1/2015
Copyright 2011 Trend Micro Inc.
5
Similarity Digesting : 3 Algorithms
• ssdeep
– Two steps for digesting:
– Edit Distance: Levenshtein distance
Classification 10/1/2015
Copyright 2011 Trend Micro Inc.
6
Similarity Digesting : 3 Algorithms
• Sdhash
by Dr Vassil Roussev
– Two steps for digesting:
– Edit Distance: Hamming distance
Classification 10/1/2015
Copyright 2011 Trend Micro Inc.
7
Similarity Digesting : 3 Algorithms
• TLSH
– Two steps for digesting :
– Edit Distance: A diff based evaluation function
Classification 10/1/2015
Copyright 2011 Trend Micro Inc.
8
A Mathematical Model
• Summary of Three Similarity Digesting Schemes:
– Using a first model to describe a binary string with selected features:
• ssdeep model: a string is a sequence of chunks (split from the string).
• sdhash model: a string is a bag of 64-byte blocks (selected with entropy
values).
• TLSH model: a string is a bag of triplets (selected from all 5-grams).
– Using a second model to map the selected features into a digest which
is able to preserve similarity to certain degree.
• ssdeep model: a sequence of chunks is mapped into a 80-byte digest.
• sdhash model: a bag of blocks is mapped into one or multiple 256-byte
bloom filter bitmaps.
• TLSH model: a bag of triplets is mapped into a 32-byte container.
Classification 10/1/2015
Copyright 2011 Trend Micro Inc.
9
A Mathematical Model
• Three approaches for similarity evaluation:
• 1st model plays critical role for similarity comparison.
• Let focus on discussing various 1st models today.
• Based on a unified format.
• 2nd model saves space but further reduces accuracy.
Classification 10/1/2015
Copyright 2011 Trend Micro Inc. 10
A Mathematical Model
• Unified format for 1st model:
– A string is described as a collection of tokens (aka, features)
organized by a data structure:
• ssdeep: a sequence of chunks.
• sdhash: a bag of 64-byte blocks with high entropy values.
• TLSH: a bag of selected triplets.
– Two types of data structures: sequence, bag.
– Three types of tokens: chunks, blocks, triplets.
• Analogical comparison:
Classification 10/1/2015
Copyright 2011 Trend Micro Inc. 11
A Mathematical Model
• Four general types of tokens from binary strings:
– k-grams where k is as small as , ,…
– k-subsequences: any subsequence with length k. The triplet in TLSH
is an example.
– Chunks: whole string is split into non-overlapping chunks.
– Blocks: selected substrings of fixed length.
• Eight different models to describe a string for similarity.
• Analogical thinking:
– we define different distances to describe a metric space.
Classification 10/1/2015
Copyright 2011 Trend Micro Inc. 12
Tool Evaluation
• Data Structure:
– Bag: a bag ignores the order of tokens. It is good at handling content
swapping.
– Sequence: a sequence organizes tokens in an order. This is weak for handling
content swapping.
• Tokens:
– k-grams: Due to the small k , , ,… , this fine granularity is good at
handling fragmentation.
– k-sequences: Due to the small k , , ,… , this fine granularity is good at
handling fragmentation .
– Chunks: This approach takes account of every byte in raw granularity. It
should be OK at handling containment and cross sharing
– Blocks: Depending on different selection functions, even though it does not
take account of every byte, but it may present a string more efficiently and
that is good for generating similarity digests. Due to the nature of fixed
length blocks, it is good at handling containment and cross sharing.
Copyright 2011 Trend Micro Inc. 13
Tool Evaluation
Tool
Model
Minor
Changes
Containment
Cross
sharing
Swap
Fragmentation
ssdeep
M1.3
High
Medium
Medium
Medium
Low
sdhash
M2.4
High
High
High
High
Low
TLSH
M2.2
High
Low
Medium
High
High
High
High
High
High
High
Sdhash Hybrid
+ TLSH
Classification 10/1/2015
Copyright 2011 Trend Micro Inc. 14
Tool Evaluation
Classification 10/1/2015
Copyright 2011 Trend Micro Inc. 15
A Novel Fuzzy Hashing
• We like to design a novel fuzzy hashing scheme based on the
M2.4:
– a string is presented by a bag of blocks.
– Two steps: (1) Feature selection; (2) Digest generation.
Classification 10/1/2015
Copyright 2011 Trend Micro Inc. 16
A Novel Fuzzy Hashing
• Continuing:
Classification 10/1/2015
Copyright 2011 Trend Micro Inc. 17
A Novel Fuzzy Hashing
• This is TSFP
– Trend String Fingerprint
• Similarity measurement of TSFP:
– Given two TSFP H and G where H = h1h2… hn and G= g1g2… gm .
– Similarity is measured by function:
• SIMH H,G =
*|S ⋂T| / |S| + |T|
– Where S = {h1, h2, … ,hn } and T = {g1, g2, … , gm }
–
SIMH G,H
• Similarity measurement of two strings :
– SIM(s,t) = SMTH(TSFP(s), TSFP(h))
Classification 10/1/2015
Copyright 2011 Trend Micro Inc. 18
A Novel Fuzzy Hashing
• Why do we need TSFP ?
• We need to solve the following problems
1.
2.
Similarity search problem:
• B is a bag of binary strings {t1, t2 , …,tn} Given δ >0 and a binary string s,
find t ϵ {t1, t2 , …,tn} such that SIM s, t δ.
Similarity based clustering problem:
• B is a bag of binary strings {{t1, t2 , …, tn }. Partition B into groups based
on their binary similarity.
• Why not {ssdeep, sdhash, TLSH} ?
– NO… unless one applies Brute Force algorithm
Copyright 2011 Trend Micro Inc. 19
A Novel Fuzzy Hashing
• Similarity search problem:
• B is a bag of binary strings {t1, t2 , …, tn }. Given δ >0 and a binary string
s, find t ϵ {t1, t2 , …, tn} such that SIM s, t δ .
• How does keyword based search engine work?
– Extracting keywords from documents
– Indexing keywords & documents
– Searching via keywords.
• Solution:
– Given a string s, we get its fuzzy hash TSFP(s)= h1h2… hn .
– Let S={h1, h2,…,hn}, each hj is a token of s that we treat it as a
keyword. So we can create the indices TSFP-Index (B).
– We can do two steps to solve the searching problems above.
Copyright 2011 Trend Micro Inc. 20
A Novel Fuzzy Hashing
• Similarity search problem:
• B is a bag of binary strings {t1, t2 , …, tn }. Given δ >0 and a binary string
s, find t ϵ {t1, t2 , …, tn} such that SIM s, t δ .
• STEP 1:
– Candidate selection
• Let TSFP(s)= h1h2… hn to create the bag of tokens S={h1, h2,…, hn}.
• Use this bag of tokens to search the indices TSFP-Index(B) so that we
retrieve a list of candidates {s1, s2 , …, sm} ⊂ {t1, t2 , …, tn } ranked by
number of common tokens.
• STEP 2:
– Brute force method at smaller scale
• For each t ϵ {s1, s2 , …, sm}, if SIM( s, r) δ , t is what we are searching for.
Copyright 2011 Trend Micro Inc. 21
Summary and Further Research
• My practice of academic research in industry:
Classification 10/1/2015
Copyright 2011 Trend Micro Inc. 22
Summary and Further Research
Framework of approximate matching, searching and clustering:
Classification 10/1/2015
Copyright 2011 Trend Micro Inc. 23
Q&A
• Thank you for your interest.
• Any questions?
• My Information:
– Email: liwei_ren@trendmicro.com
– Academic Page: https://pitt.academia.edu/LiweiRen
Classification 10/1/2015
Copyright 2011 Trend Micro Inc. 24
Related papers
Review - Stability of Transport and Rate Processes
International Journal of Thermodynamics, 2005
Simple Denotation. On the So-called General-Factual Imperfective in Russian [Простота денотации. Об "общефактическом" значении как части грамматической номенклатуры]
А.В.Циммерлинг. Простота денотации. Об "общефактическом значении" как части грамматической номенклатуры // Грамматические процессы и системы в синхронии и диахронии. М., ИРЯ РАН, 4-6.06.2024, 2024
Prestación de servicios a las personas: ¿concierto social o contrato? / Services to person: «concierto social» or public contract?
Revista de Estudios de la Administración Local y Autonómica, 2023
Accurate indoor positioning with ultra-wide band sensors
TURKISH JOURNAL OF ELECTRICAL ENGINEERING & COMPUTER SCIENCES, 2020
Neurological adverse events associated with metronidazole
International Journal of Antimicrobial Agents, 2017
Resenha bibliográfica: a banalização da injustiça social
Revista Latino-Americana de Enfermagem, 2006
Critical thinking and nursing administration clinical judgment skills for baccalaureate nursing students at Damanhour University
International Journal of Advance Research in Nursing, 2019
A knowledge translation intervention to enhance clinical application of a virtual reality system in stroke rehabilitation
BMC health services research, 2016
Fine-needle cytology of metastatic endometrioid neoplasms: Experience with eight cases
Diagnostic Cytopathology, 2009
Efficient Self-Localization and Data Gathering Architecture for Wireless Sensor Networks
Novel Algorithms and Techniques in Telecommunications and Networking, 2009
Paradigmática Miragem, Tabernáculo De Sons Ascendentes | Poemas & poesias
v. 6 n. 13 (2024): Letras e Humanidades / Poesias, narrativas curtas e outras palavras, 2024