An Evaluation of Malware Triage Similarity Hashes
Haoping Liu, Josiah Hagen, Muqeet Ali, Jonathan Oliver
2023
Abstract
Detection of polymorphic malware variants is crucial in cyber security. Searching and clustering are essential tools for security analysts and SOC operators in malware analysis and hunting. Similarity hashing generates similarity digests from binary files, allowing similarity scores to be computed between them and saving time and resources in malware triage operations. In this paper, we compare the accuracy and run time of the TLSH and LZJD algorithms, both evaluated on Windows-based malware samples. TLSH is widely used in industry, while LZJD is newly developed and released in academia. TLSH hashes skip-n-grams into a histogram and derives distance scores from histogram similarity, while LZJD converts byte strings into sets of sub-strings and derives similarity scores from set similarity. Our experiments show that TLSH performs slightly better than LZJD in detection rate, but vastly outperforms LZJD in index and search time.
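The LZJD side of the comparison, as an added illustration that is not the paper's or the LZJD project's own code: an LZ78-style parse turns a byte string into a set of sub-strings, and the Jaccard index of two such sets is the similarity score. Real LZJD then min-hashes the set into a fixed-size digest; this version computes the exact Jaccard index on constructed sample inputs.

```python
# Added example: exact LZJD-style similarity (LZ set + Jaccard index).
# Not the paper's code; sample inputs below are constructed for illustration.

def lz_set(data: bytes) -> set:
    """LZ78-style parse: walk the bytes, extending the current phrase until
    it is one not yet seen, record it, and start a new phrase. The result is
    the set of unique sub-strings the parse produced (a trailing phrase that
    is already in the set is dropped, as in LZJD)."""
    phrases = set()
    current = b""
    for i in range(len(data)):
        current += data[i:i + 1]
        if current not in phrases:
            phrases.add(current)
            current = b""
    return phrases

def jaccard(a: set, b: set) -> float:
    """Jaccard index |A ∩ B| / |A ∪ B|; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)

def lzjd_similarity(x: bytes, y: bytes) -> float:
    """Similarity score in [0, 1] between two byte strings."""
    return jaccard(lz_set(x), lz_set(y))

# Constructed sample "files": a repetitive original, a variant that differs
# only in its last three bytes (a near-duplicate), and unrelated data.
ORIGINAL = b"MZ\x90\x00" + b"push ebp; mov ebp, esp; " * 8 + b"ret"
VARIANT = ORIGINAL.replace(b"ret", b"jmp")
UNRELATED = bytes(range(256))

if __name__ == "__main__":
    print("original vs variant  :", round(lzjd_similarity(ORIGINAL, VARIANT), 3))
    print("original vs unrelated:", round(lzjd_similarity(ORIGINAL, UNRELATED), 3))
```

Because the parse of the shared prefix is identical, the near-duplicate's set differs from the original's by at most a few phrases and scores high, while the unrelated input only shares single-byte phrases and scores low.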
in Harvard Style
Liu H., Hagen J., Ali M. and Oliver J. (2023). An Evaluation of Malware Triage Similarity Hashes. In Proceedings of the 25th International Conference on Enterprise Information Systems - Volume 1: ICEIS, ISBN 978-989-758-648-4, SciTePress, pages 431-435. DOI: 10.5220/0011728500003467
in Bibtex Style
@conference{iceis23,
author={Haoping Liu and Josiah Hagen and Muqeet Ali and Jonathan Oliver},
title={An Evaluation of Malware Triage Similarity Hashes},
booktitle={Proceedings of the 25th International Conference on Enterprise Information Systems - Volume 1: ICEIS},
year={2023},
pages={431-435},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0011728500003467},
isbn={978-989-758-648-4},
}
in EndNote Style
TY - CONF
JO - Proceedings of the 25th International Conference on Enterprise Information Systems - Volume 1: ICEIS
TI - An Evaluation of Malware Triage Similarity Hashes
SN - 978-989-758-648-4
AU - Liu H.
AU - Hagen J.
AU - Ali M.
AU - Oliver J.
PY - 2023
SP - 431
EP - 435
DO - 10.5220/0011728500003467
PB - SciTePress