# Hashing Incomplete and Unordered Network Streams

Abstract : Deep packet inspection typically uses MD5 whitelists/blacklists or regular expressions to identify viruses, malware and certain internal files in network traffic. Fuzzy hashing, also referred to as context-triggered piecewise hashing, can be used to compare two files and determine their level of similarity. This chapter presents the stream fuzzy hash algorithm that can hash files on the fly regardless of whether the input is unordered, incomplete or has an initially-undetermined length. The algorithm, which can generate a signature of appropriate length using a one-way process, reduces the computational complexity from $O\left( n \log n\right)$ to O(n). In a typical deep packet inspection scenario, the algorithm hashes files at the rate of 68 MB/s per CPU core and consumes no more than 5 KB of memory per file. The effectiveness of the stream fuzzy hash algorithm is evaluated using a publicly-available dataset. The results demonstrate that, unlike other fuzzy hash algorithms, the precision and recall of the stream fuzzy hash algorithm are not compromised when processing unordered and incomplete inputs.
Keywords :
Document type :
Conference papers
Domain :

Cited literature [26 references]

https://hal.inria.fr/hal-01988840
Contributor : Hal Ifip <>
Submitted on : Tuesday, January 22, 2019 - 9:44:36 AM
Last modification on : Thursday, February 7, 2019 - 3:40:57 PM
Long-term archiving on: : Tuesday, April 23, 2019 - 1:27:37 PM

### File

472401_1_En_12_Chapter.pdf
Files produced by the author(s)

### Citation

Chao Zheng, Xiang Li, Qingyun Liu, Yong Sun, Binxing Fang. Hashing Incomplete and Unordered Network Streams. 14th IFIP International Conference on Digital Forensics (DigitalForensics), Jan 2018, New Delhi, India. pp.199-224, ⟨10.1007/978-3-319-99277-8_12⟩. ⟨hal-01988840⟩

Record views