Harald Baier

Similarity Preserving Hashing: Eligible Properties and a New Algorithm MRSH-v2

Hash functions are a widespread class of functions in computer science and used in several applications, e.g. in computer forensics to identify known files. One basic property of cryptographic Hash Functions is the avalanche effect that causes a significantly different output if an input is changed slightly. As some applications also need to identify similar files (e.g. spam/virus detection) this raised the need for Similarity Preserving Hashing. In recent years, several approaches came up, all with different namings, properties, strengths and weaknesses which is due to a missing definition.

Security Aspects of Piecewise Hashing in Computer Forensics

Although hash functions are a well-known method in computer science to map arbitrary large data to bit strings of a fixed length, their use in computer forensics is currently very limited. As of today, in a pre-step process hash values of files are generated and stored in a database, typically a cryptographic hash function like MD5 or SHA-1 is used. Later the investigator computes hash values of files, which he finds on a storage medium, and performs look ups in his database. This approach has several drawbacks, which have been sketched in the community, and some alternative approaches have been proposed. The most popular one is due to Jesse Kornblum, who transferred ideas from spam detection to computer forensics in order to identify similar files. However, his proposal lacks a thorough security analysis. It is therefore one aim of the paper at hand to present some possible attack vectors of an active adversary to bypass Kornblums approach. Furthermore, we present a pseudo random number generator being both more efficient and more random compared to Kornblums pseudo random number generator.

On application of bloom filters to iris biometrics

In this study, the application of adaptive Bloom filters to binary iris biometric feature vectors, that is, iris-codes, is proposed. Bloom filters, which have been established as a powerful tool in various fields of computer science, are applied in order to transform iris-codes to a rotation-invariant feature representation. Properties of the proposed Bloom filter-based transform concurrently enable (i) biometric template protection, (ii) compression of biometric data and (iii) acceleration of biometric identification, whereas at the same time no significant degradation of biometric performance is observed. According to these fields of application, detailed investigations are presented. Experiments are conducted on the CASIA-v3 iris database for different feature extraction algorithms. Confirming the soundness of the proposed approach, the application of adaptive Bloom filters achieves rotation-invariant cancellable templates maintaining biometric performance, a compression of templates down to 20-40% of original size and a reduction of bit-comparisons to less than 5% leading to a substantial speed-up of the biometric system in identification mode.

Blessing or curse? Revisiting security aspects of Software-Defined Networking

Software-Defined Networking (SDN) is an emerging technology, physically separating data and control planes of network devices. From a security point of view SDN has two sides. First, it enables network security functions by design, because traffic flows can be redirected or filtered based on packet content or application layer state - functionality, which to date requires additional network security devices like fire-walls, intrusion detection systems or spam filters in conventional networks. On the other hand, due to physical separation of planes, SDN possibly offers additional attack vectors compared to traditional network architectures, which may severely impact overall network availability as well as confidentiality, authenticity, integrity and consistency of network traffic and control data. In this paper, we discuss and balance security provided by SDN with security threats of SDN also in respect of traditional networks. We develop an evaluation methodology for both sides and show that from a security point of view SDN is a blessing for todays and future network design and operation.

Performance Issues About Context-Triggered Piecewise Hashing

A hash function is a well-known method in computer science to map arbitrary large data to bit strings of a fixed short length. This property is used in computer forensics to identify known files on base of their hash value. As of today, in a pre-step process hash values of files are generated and stored in a database; typically a cryptographic hash function like MD5 or SHA-1 is used. Later the investigator computes hash values of files, which he finds on a storage medium, and performs look ups in his database. Due to security properties of cryptographic hash functions, they can not be used to identify similar files. Therefore Jesse Kornblum proposed a similarity preserving hash function to identify similar files. This paper discusses the efficiency of Kornblum’s approach. We present some enhancements that increase the performance of his algorithm by 55% if applied to a real life scenario. Furthermore, we discuss some characteristics of a sample Windows XP system, which are relevant for the performance of Kornblum’s approach.

mvHash-B - A New Approach for Similarity Preserving Hashing

The handling of hundreds of thousands of files is a major challenge in todays IT forensic investigations. In order to cope with this information overload, investigators use fingerprints (hash values) to identify known files automatically using blacklists or whitelists. Besides detecting exact duplicates it is helpful to locate similar files by using similarity preserving hashing (SPH), too. We present a new algorithm for similarity preserving hashing. It is based on the idea of majority voting in conjunction with run length encoding to compress the input data and uses Bloom filters to represent the fingerprint. It is therefore called mvHash-B. Our assessment shows that mvHash-B is superior to other SPHs with respect to run time efficiency: It is almost as fast as SHA-1 and thus faster than any other SPH algorithm. Additionally the hash value length is approximately 0.5% of the input length and hence outperforms most existing algorithms. Finally, we show that the robustness of mvHash-B against active manipulation is sufficient for practical purposes.

How to exchange security events? Overview and evaluation of formats and protocols

Network-based attacks pose a strong threat to the Internet landscape. Recent approaches to mitigate and resolve these threats focus on cooperation of Internet service providers and their exchange of security event information. A major benefit of a cooperation is that it might counteract a network-based attack at its root and provides the possibility to inform other cooperative partners about the occurrence of anomalous events as a proactive service. In this paper we provide a structured overview of existing exchange formats and protocols. We evaluate and compare the exchange formats and protocols in context of high-speed networks. In particular, we focus on flow data. In addition, we investigate the exchange of potentially sensitive data. For our overview, we review different exchange formats and protocols with respect to their use-case scenario, their interoperability with network flow-based data, their scalability in a high-speed network context and develop a classification.

Towards Bloom filter-based indexing of iris biometric data

Conventional biometric identification systems require exhaustive 1 : N comparisons in order to identify biometric probes, i.e. comparison time frequently dominates the overall computational workload. Biometric database indexing represents a challenging task since biometric data is fuzzy and does not exhibit any natural sorting order. In this paper we present a preliminary study on the feasibility of applying Bloom filters for the purpose of iris biometric database indexing. It is shown, that by constructing a binary tree data structure of Bloom filters extracted from binary iris biometric templates (iris-codes) the search space can be reduced to O(logN). In experiments, which are carried out on a database of N = 256 classes, biometric performance (accuracy) is maintained for different conventional identification systems. Further, perspectives on how to employ the proposed scheme on large-scale databases are given.

Towards Automated Incident Handling: How to Select an Appropriate Response against a Network-Based Attack?

The increasing amount of network-based attacks evolved to one of the top concerns responsible for network infrastructure and service outages. In order to counteract these threats, computer networks are monitored to detect malicious traffic and initiate suitable reactions. However, initiating a suitable reaction is a process of selecting an appropriate response related to the identified network-based attack. The process of selecting a response requires to take into account the economics of an reaction e.g., risks and benefits. The literature describes several response selection models, but they are not widely adopted. In addition, these models and their evaluation are often not reproducible due to closed testing data. In this paper, we introduce a new response selection model, called REASSESS, that allows to mitigate network-based attacks by incorporating an intuitive response selection process that evaluates negative and positive impacts associated with each countermeasure. We compare REASSESS with the response selection models of IE-IRS, ADEPTS, CS-IRS, and TVA and show that REASSESS is able to select the most appropriate response to an attack in consideration of the positive and negative impacts and thus reduces the effects caused by an network-based attack. Further, we show that REASSESS is aligned to the NIST incident life cycle. We expect REASSESS to help organizations to select the most appropriate response measure against a detected network-based attack, and hence contribute to mitigate them.

Properties of a similarity preserving hash function and their realization in sdhash

Finding similarities between byte sequences is a complex task and necessary in many areas of computer science, e.g., to identify malicious files or spam. Instead of comparing files against each other, one may apply a similarity preserving compression function (hash function) first and do the comparison for the hashes. Although we have different approaches, there is no clear definition / specification or needed properties of such algorithms available.