TL;DR
This paper introduces Lempel-Ziv Jaccard Distance (LZJD) as an effective and faster alternative to sdhash and ssdeep for digital forensics, demonstrating superior accuracy in matching related files and fragments.
Contribution
The authors develop a high-performance Java implementation of LZJD and empirically validate its effectiveness and speed compared to existing similarity digest methods.
Findings
LZJD outperforms sdhash and ssdeep in matching related files.
LZJD is up to 60 times faster than sdhash in comparison tasks.
LZJD effectively handles noisy and fragmented files.
Abstract
Recent work has proposed the Lempel-Ziv Jaccard Distance (LZJD) as a method to measure the similarity between binary byte sequences for malware classification. We propose and test LZJD's effectiveness as a similarity digest hash for digital forensics. To do so we develop a high performance Java implementation with the same command-line arguments as sdhash, making it easy to integrate into existing workflows. Our testing shows that LZJD is effective for this task, and significantly outperforms sdhash and ssdeep in its ability to match related file fragments and files corrupted with random noise. In addition, LZJD is up to 60x faster than sdhash at comparison time.
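As an added illustration that is not part of the paper or the authors' Java tool, the following plain-Python sketch follows the published two-step definition of LZJD the abstract refers to: build the LZ78-style dictionary set of a byte string, then take the Jaccard distance between two such sets. The fixed-size bottom-k min-hash digest, the hash function (BLAKE2b truncated to 64 bits), the sketch size K, and the text-like sample "files" are all assumptions chosen here for illustration; the paper's tool makes its own choices for these.

```python
"""Added example (not the paper's code): the LZJD idea in plain Python.
Step 1: LZ78-style dictionary set of a byte string.
Step 2: Jaccard distance between two such sets.
Plus a bottom-k min-hash digest (an assumption of this example) so that two
fixed-size digests can be compared without keeping the full sets, which is how
a similarity digest such as sdhash is used in practice.
"""
import hashlib
import random

K = 256  # digest size (assumption; the paper's tool picks its own value)


def lz_set(data: bytes) -> set[bytes]:
    """LZ78-style dictionary: extend the current phrase one byte at a time until
    it is a phrase not seen before, record it, and start a new phrase at the
    next byte. A trailing partial phrase is dropped, as in LZ78."""
    seen: set[bytes] = set()
    start = 0
    for end in range(1, len(data) + 1):
        phrase = data[start:end]
        if phrase not in seen:
            seen.add(phrase)
            start = end
    return seen


def jaccard_distance(a: set, b: set) -> float:
    """1 - |A and B| / |A or B|; two empty sets count as identical."""
    union = len(a | b)
    if union == 0:
        return 0.0
    return 1.0 - len(a & b) / union


def lzjd_distance(x: bytes, y: bytes) -> float:
    """Exact LZJD: Jaccard distance between the two LZ sets (0 = same, 1 = disjoint)."""
    return jaccard_distance(lz_set(x), lz_set(y))


def _h(phrase: bytes) -> int:
    # 64-bit hash of one dictionary phrase (hash choice is an assumption here)
    return int.from_bytes(hashlib.blake2b(phrase, digest_size=8).digest(), "big")


def lzjd_digest(data: bytes, k: int = K) -> list[int]:
    """Bottom-k sketch: the k smallest phrase hashes, sorted ascending."""
    return sorted(_h(p) for p in lz_set(data))[:k]


def digest_distance(d1: list[int], d2: list[int], k: int = K) -> float:
    """Estimate the Jaccard distance from two bottom-k sketches: take the k
    smallest hashes of their union and count how many occur in both sketches."""
    smallest = sorted(set(d1) | set(d2))[:k]
    if not smallest:
        return 0.0
    both = set(d1) & set(d2)
    shared = sum(1 for h in smallest if h in both)
    return 1.0 - shared / len(smallest)


def make_samples(seed: int = 7) -> dict[str, bytes]:
    """Constructed inputs: a text-like base file, a copy with ~2% of bytes
    overwritten by random values, a fragment (middle half) of the base, and an
    unrelated file of random bytes of the same length."""
    rng = random.Random(seed)
    vocab = [f"field{i}".encode() for i in range(40)]
    base = b" ".join(rng.choice(vocab) for _ in range(800))
    noisy = bytearray(base)
    for pos in rng.sample(range(len(noisy)), len(noisy) // 50):
        noisy[pos] = rng.randrange(256)
    fragment = base[len(base) // 4: 3 * len(base) // 4]
    unrelated = bytes(rng.randrange(256) for _ in range(len(base)))
    return {"base": base, "noisy": bytes(noisy), "fragment": fragment, "unrelated": unrelated}


def compare_all(samples: dict[str, bytes]) -> dict[str, float]:
    """Exact LZJD distance from 'base' to every other sample."""
    base = lz_set(samples["base"])
    return {name: jaccard_distance(base, lz_set(data))
            for name, data in samples.items() if name != "base"}


if __name__ == "__main__":
    samples = make_samples()
    exact = compare_all(samples)
    base_digest = lzjd_digest(samples["base"])
    for name, dist in exact.items():
        est = digest_distance(base_digest, lzjd_digest(samples[name]))
        print(f"{name:>10}: exact={dist:.3f}  digest_estimate={est:.3f}")
```

The corrupted copy and the fragment come out much closer to the base than the unrelated random file does, which is the matching behaviour the abstract evaluates, and the bottom-k estimate tracks the exact distance to within a few hundredths at K = 256 while storing only 256 hashes per file.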
