In network forensics, payload attribution systems are well known as a means of investigating cybercrimes on the Internet, such as tracing the spread of worms and viruses or identifying who sent a phishing e-mail. Many methods exist for payload attribution. Among them, the WBS scheme tends to produce different similarity values depending on the position of the change. In this paper, we propose a new payload similarity measurement scheme that resolves this problem. The main idea is to add an inverse WBS process to the existing WBS architecture. Our experimental results show that the similarity becomes even regardless of the position of the change, across all of the similarity measurement parameters. The proposed method also shows higher similarity than the HBF method.
1. Introduction
2. Related Works
2.1. WBS
2.2. HBF
2.3. Similarity Processing
3. A New Payload Similarity Measurement Scheme
3.1. The Factors Influencing the WBS Similarity
3.2. The Payload Similarity Measurement Architecture
3.3. The Inverse WBS Process
4. Experiments
4.1. Similarity Gaps with Varying the Payload Size
4.2. Similarity Gaps with the Percentage of Changes
4.3. Similarity Gaps with Varying the Hash Window Size or Block Size
5. Conclusion