Author URLs
Professor Breitinger's Faculty Profile
Professor Breitinger's web page
Professor Breitinger's full bibliography
Document Type
Article
Publication Date
2014
Subject: LCSH
Cyber forensics, Computer forensics, Local area networks (Computer networks)--Traffic, Hashing (Computer science)
Disciplines
Computer Engineering | Computer Sciences | Electrical and Computer Engineering | Forensic Science and Technology | Information Security
Abstract
In recent years, Internet technologies changed enormously and allow faster Internet connections, higher data rates and mobile usage. Hence, it is possible to send huge amounts of data / files easily which is often used by insiders or attackers to steal intellectual property. As a consequence, data leakage prevention systems (DLPS) have been developed which analyze network traffic and alert in case of a data leak. Although the overall concepts of the detection techniques are known, the systems are mostly closed and commercial. Within this paper we present a new technique for network traffic analysis based on approximate matching (a.k.a fuzzy hashing) which is very common in digital forensics to correlate similar files. This paper demonstrates how to optimize and apply them on single network packets. Our contribution is a straightforward concept which does not need a comprehensive configuration: hash the file and store the digest in the database. Within our experiments we obtained false positive rates between 10^-4 and 10^-5 and an algorithm throughput of over 650 Mbit/s.
Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.
Repository Citation
Breitinger, Frank and Baggili, Ibrahim, "File Detection on Network Traffic Using Approximate Matching" (2014). Electrical & Computer Engineering and Computer Science Faculty Publications. 5.
https://digitalcommons.newhaven.edu/electricalcomputerengineering-facpubs/5
Publisher Citation
Breitinger, F. & Baggili, I. (2014). File detection on network traffic using approximate matching. Journal of Digital Forensics, Security and Law. Special Issue: 2014 ICDF2C / SADFE. 9(2): 23-36.
Included in
Computer Engineering Commons, Electrical and Computer Engineering Commons, Forensic Science and Technology Commons, Information Security Commons
Comments
Copyright (c) 2014 Journal of Digital Forensics, Security and Law http://www.jdfsl.org/ This work is licensed under a Creative Commons Attribution 4.0 International License.
Dr. Baggili was appointed to the University of New Haven's Elder Family Endowed Chair in 2015.