[jira] [Commented] (METRON-1052) Add forensic similarity hash functions to Stellar

Fri, 29 Sep 2017 16:26:27 -0700 

    [ 
https://issues.apache.org/jira/browse/METRON-1052?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16186668#comment-16186668
 ] 

ASF GitHub Bot commented on METRON-1052:
----------------------------------------

Github user mattf-horton commented on the issue:

    https://github.com/apache/metron/pull/781
  
    Altho I suppose the "Locality-Sensitive" part of TLSH means it operates at 
word level instead of byte or character level?


> Add forensic similarity hash functions to Stellar
> -------------------------------------------------
>
>                 Key: METRON-1052
>                 URL: https://issues.apache.org/jira/browse/METRON-1052
>             Project: Metron
>          Issue Type: Improvement
>            Reporter: Jon Zeolla
>
> This is a follow-on to METRON-539.  Currently we have Stellar functions to 
> perform cryptographic hashing operations.  It would be useful to expand this 
> to support forensic similarity hash functions so we could compare the 
> similarity of inputs.  I can see two main components of this, and one 
> secondary/lower priority thought:
> (1) Support of LSH and/or CCTP hash functions (aka forensic similarity hash 
> functions) such as sdhash or spamsum/ssdeep.  I quickly found some code 
> examples[1][2] in Java that have compatible licenses, in case that is 
> appealing.
> (2) An approximate string matching function to establish a similarity rating 
> between n hashes.  ssdeep currently has this via its -x and -k options, and 
> there are some other thoughts[3] on how to best do this, but I'm aware there 
> are numerous ways that we may want to consider comparing strings for 
> similarity (damerau-levenshtein distance, longest common subsequence, etc.).  
> (3) Similar to 2, I could see some applicability as a streaming enrichment, 
> but as a native feature this would be a much lower priority/potentially a 
> separate PR.
> 1:  
> https://github.com/pcbje/autopsy-ahbm/blob/master/src/com/pcbje/ahbm/Sdhash.java
> 2:  https://github.com/tdebatty/java-spamsum
> 3:  
> https://www.virusbulletin.com/virusbulletin/2015/11/optimizing-ssdeep-use-scale



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to