Lempel-Ziv Jaccard Distance, an Effective Alternative to Ssdeep and Sdhash
This work addresses the need for more effective and efficient similarity digest hashes in digital forensics, offering a practical improvement over existing tools.
The paper tackles the problem of measuring similarity between binary byte sequences for malware classification and digital forensics, proposing Lempel-Ziv Jaccard Distance (LZJD) as an alternative to sdhash and ssdeep, with results showing it significantly outperforms these methods in matching related file fragments and corrupted files and is up to 60x faster than sdhash.
Recent work has proposed the Lempel-Ziv Jaccard Distance (LZJD) as a method to measure the similarity between binary byte sequences for malware classification. We propose and test LZJD's effectiveness as a similarity digest hash for digital forensics. To do so, we develop a high performance Java implementation with the same command-line arguments as sdhash, making it easy to integrate into existing workflows. Our testing shows that LZJD is effective for this task, and significantly outperforms sdhash and ssdeep in its ability to match related file fragments and files corrupted with random noise. In addition, LZJD is up to 60x faster than sdhash at comparison time.
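As an added illustration of the idea the abstract describes (this is not the paper's Java tool, and it computes the exact set distance rather than the fixed-size digest the tool uses for speed), the core of LZJD in Python: build an LZ78-style phrase set for each input and take the Jaccard distance between the two sets, run here on constructed samples standing in for a file fragment, a noise-corrupted copy and an unrelated file. The sample generator, its seeds and the 5% noise level are assumptions for the demo.

```python
import random


def lz_set(data: bytes) -> set:
    """LZ78-style dictionary: extend the current phrase one byte at a time
    until it is a string not yet seen, record it, then start a new phrase.
    The set of phrases (order ignored) is what LZJD compares."""
    phrases, current = set(), b""
    for byte in data:
        current += bytes([byte])
        if current not in phrases:
            phrases.add(current)
            current = b""
    return phrases


def lzjd(a: bytes, b: bytes) -> float:
    """Lempel-Ziv Jaccard Distance: 1 - |A & B| / |A | B| over phrase sets."""
    sa, sb = lz_set(a), lz_set(b)
    if not sa and not sb:
        return 0.0  # two empty inputs are trivially identical
    return 1.0 - len(sa & sb) / len(sa | sb)


def make_sample(seed: int, length: int = 4000) -> bytes:
    """Constructed input: a stream built from a small vocabulary of repeated
    byte tokens, mimicking a binary's internal repetition (assumption for the
    demo). A different seed yields an unrelated vocabulary."""
    rng = random.Random(seed)
    vocab = [bytes(rng.randrange(256) for _ in range(rng.randrange(3, 12)))
             for _ in range(40)]
    out = bytearray()
    while len(out) < length:
        out += rng.choice(vocab)
    return bytes(out[:length])


def corrupt(data: bytes, fraction: float, seed: int) -> bytes:
    """Overwrite a fraction of the bytes with random values (simulated noise)."""
    rng = random.Random(seed)
    buf = bytearray(data)
    for i in rng.sample(range(len(buf)), int(len(buf) * fraction)):
        buf[i] = rng.randrange(256)
    return bytes(buf)


def demo() -> dict:
    """Distances from one constructed file to itself, a fragment, a noisy copy
    and an unrelated file; related inputs should score lower than unrelated."""
    original = make_sample(1)
    return {
        "identical": lzjd(original, original),
        "fragment": lzjd(original, original[1000:2000]),      # 25% slice
        "noisy": lzjd(original, corrupt(original, 0.05, 7)),  # 5% noise
        "unrelated": lzjd(original, make_sample(2)),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:>10}: {d:.3f}")
```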