Understanding Fuzzy Hashing Techniques and Tools

Author

Reads 4.6K

An artist's illustration of artificial intelligence (AI). This image represents storage of collected data in AI. It was created by Wes Cockx as part of the Visualising AI project launched ...
Credit: pexels.com, An artist's illustration of artificial intelligence (AI). This image represents storage of collected data in AI. It was created by Wes Cockx as part of the Visualising AI project launched ...

Fuzzy hashing is a powerful technique for identifying similar data across different systems. It's based on the idea that even small changes to data can result in significant differences in its hash value.

In essence, fuzzy hashing creates a "fuzzy" match between two data sets by allowing for a certain degree of variation in their hash values. This makes it possible to identify similar data even if it's been modified in some way.

The most common type of fuzzy hashing is SSDeep, which uses a combination of algorithms to create a unique hash value for each data set.

A different take: Elasticsearch Fuzzy Query

Hashing Techniques

Fuzzy hashing techniques are built on two main approaches: Context-triggered piecewise hashing (CTPH) and Locality-sensitive hashing. CTPH constructs a hash by splitting the input into multiple pieces, calculating traditional hashes for each piece, and then combining those traditional hashes into a single string.

CTPH is used in SSDEEP, one of the most widely used fuzzy hashing tools in cybersecurity. It divides the input file into blocks based on content patterns rather than fixed sizes, and uses a rolling hash function to identify trigger points in the data that determine block boundaries.

These approaches offer several key advantages for security analysts, including the ability to identify variants of known malware even after minor code modifications, and maintaining effectiveness against common malware obfuscation techniques.

Approaches

Credit: youtube.com, Hash Tables and Hash Functions

Fuzzy hashes work differently from static hashes by breaking down files into smaller chunks and creating signatures that can survive minor modifications. This approach is particularly useful for security analysts who need to identify variants of known malware even after minor code modifications.

Context-triggered piecewise hashing (CTPH) is one approach used for building fuzzy hash algorithms. It constructs a hash by splitting the input into multiple pieces, calculating traditional hashes for each piece, and then combining those traditional hashes into a single string.

Locality-sensitive hashing is another approach that places similar input items into the same "buckets", which can be used for data clustering and nearest neighbor searches. This can be particularly useful in anti-spam and computer security applications.

Here are some key characteristics of fuzzy hashing techniques:

Cryptographic Hash

A cryptographic hash is like a digital fingerprint, used to identify data with precision. It's perfect for checking if two files are identical, but it's not so great for detecting similarities between files.

Credit: youtube.com, What is Hashing? Hash Functions Explained Simply

Once a single bit of data changes, the entire hash result changes too, making it a very sensitive tool.

Cryptographic hash functions are designed to be one-way, meaning you can't get the original data back from the hash result. This is why they're so secure for authentication and data integrity.

Fuzzy hash, on the other hand, is a type of hash that's more forgiving, allowing for slight variations in data while still detecting similarities between files.

Hashes

Hashes are a crucial tool in cybersecurity, and there are several types of hashes that can be used to identify and analyze files. Fuzzy hashes, in particular, are effective at identifying similar files, even when they've undergone minor modifications.

Fuzzy hashes work by breaking down files into smaller chunks and creating signatures that can survive minor modifications. This approach offers several key advantages for security analysts, including the ability to identify variants of known malware and maintain effectiveness against common malware obfuscation techniques.

Credit: youtube.com, Learn Hash Tables in 13 minutes #️⃣

One of the most widely used fuzzy hashing tools is SSDEEP, which implements context-triggered piecewise hashing (CTPH). SSDEEP divides the input file into blocks based on content patterns rather than fixed sizes and uses a rolling hash function to identify trigger points in the data that determine block boundaries.

SSDEEP's key advantages include its ability to detect files that are similar but not identical, resistance to simple obfuscation techniques commonly used by malware authors, and the generation of compact signatures that are easy to store and compare. Security analysts typically consider similarity scores above 50 as significant enough to warrant further investigation.

Another fuzzy hashing algorithm is TLSH, which was developed by Trend Micro and released as open source. TLSH splits the file into sliding windows and uses these windows to populate a counting bloom filter. The bloom filter data is then processed to generate a digest, which includes file metadata like length and quartile points.

TLSH's key advantages include its more robustness against certain types of file modifications compared to SSDEEP, better performance when comparing large sets of files, and the provision of distance scores that are more consistent across different file sizes.

Curious to learn more? Check out: Hashing Email Addresses

Experimentation

Credit: youtube.com, [How To] Fuzzy Hashing with SSDEEP (similarity matching)

Fuzzy hashing is a technique that can be used to identify similar files, even if they are not identical. This is particularly useful in digital forensics and malware analysis.

The most well-known implementation of fuzzy hashing is called ssdeep. It was developed by Jesse Kornblum and is widely used in the field.

Fuzzy hashing works by creating a hash value for each file, which is then compared to hash values of other files. The comparison is done using a technique called Jaccard similarity, which measures the similarity between two sets.

The Jaccard similarity is calculated by dividing the size of the intersection of the two sets by the size of their union. This gives a value between 0 and 1, where 1 means the sets are identical and 0 means they have no elements in common.

Fuzzy hashing can be used to identify similar files, even if they are not identical, by comparing their hash values and calculating the Jaccard similarity. This can be a useful tool in digital forensics and malware analysis.

Worth a look: Hashing

Credit: youtube.com, Applying Fuzzy Hashing to Phishing Page Identification at DefCamp 2018

The ssdeep algorithm uses a combination of hash values and a similarity threshold to determine whether two files are similar. The algorithm can also be configured to ignore certain file types, such as zip archives.

Fuzzy hashing is not foolproof, and there are cases where it may produce false positives or false negatives. However, it can be a useful tool in certain situations, such as when identifying similar malware variants.

Similarity and Thresholds

If you're considering using fuzzy hashes, you need to understand that selecting a threshold is crucial to their effectiveness.

In experiments, researchers found that choosing the optimal threshold was not always possible, as the best threshold varied depending on the specific scenario. For example, the optimal threshold for LZJD in one experiment was 0.95, but it was 0.75 in another experiment.

A poor threshold choice can lead to substantially worse results than traditional hash-based detection, which is why it's essential to understand the limitations of fuzzy hashes.

Here are some key takeaways about thresholds and similarity:

  • Optimal thresholds may vary depending on the scenario.
  • Poor threshold choice can lead to worse results than traditional hash-based detection.
  • Fuzzy hashes have a fundamental limit to their performance based on syntactic similarity.

Thresholds in Practice

Credit: youtube.com, Difference Thresholds

In real-world scenarios, selecting a threshold for LZJD or LEV is a crucial step. Unfortunately, you can't always choose the optimal threshold because you wouldn't know if your chosen threshold is working well or not.

The optimal threshold can vary depending on the experiment. For example, the optimal threshold for LZJD in the "openssl 1.0.2u vs 1.1.1w" experiment was 0.95, but it was 0.75 in the "openssl 1.1.1q vs 1.1.1w" experiment.

Choosing a poor threshold can lead to substantially worse results than PIC hashing. This is a significant concern, especially when you're relying on LZJD or LEV for critical tasks.

Syntactic Similarity Limit

Syntactic similarity, a measure of how similar two pieces of code are, has its limits. There's a fundamental limit to how well syntactic similarity based on instruction bytes can perform, and surprisingly, PIC hashing appears to be close to that limit.

This was demonstrated when the frame pointer was accidentally omitted, and all syntactic techniques struggled to detect the similarity. It's unclear whether computing similarities over assembly code instead of executable code bytes would perform any better.

To put it simply, syntactic similarity can only take you so far in detecting similar code. It's not a foolproof method, and there are cases where it will fail.

Tools and Kits

Credit: youtube.com, Understanding Fuzzy Hash and PhotoDNA

Fuzzy hashing tools can be used to detect spam emails by generating a fuzzy hash for an email and comparing it against known spam emails.

The spamsum tool, written by Andrew Tridgell, uses fuzzy hashing to determine whether an email is similar to known spam, with a match result between 0 (complete mismatch) to 100 (perfect match).

Here are some notable tools and algorithms used for fuzzy hashing:

  • spamsum: uses fuzzy hashing to detect spam emails
  • Nilsimsa Hash: an anti-spam-focused locality-sensitive hashing algorithm
  • ssdeep: a fuzzy hashing tool based on context-triggered pairwise hashing to compare files
  • sdhash: a fuzzy hashing tool based on using Bloom filters to determine file similarity
  • TLSH: a locality-sensitive hashing scheme for comparing file similarity

Fuzzy hashing can also be used to detect phishing websites by comparing the hashes of HTML and DOM elements. For example, comparing two different campaigns found very similar hashes for both the HTML and the DOM.

Curious to learn more? Check out: Rclone Update Hashes

Core Tools and Algorithms

As you start building your toolkit for spotting spam and malware, you'll want to familiarize yourself with some core tools and algorithms that can help you identify suspicious activity.

spamsum is a tool that uses fuzzy hashing to determine whether an email is similar to known spam. It generates a fuzzy hash for an email and compares it against the fuzzy hashes from known spam emails to generate a match result between 0 (complete mismatch) to 100 (perfect match).

Black and White Geometric Representation of Data
Credit: pexels.com, Black and White Geometric Representation of Data

Nilsimsa Hash is an anti-spam-focused locality-sensitive hashing algorithm that's designed to help you identify spam emails.

Here are some notable tools and algorithms you should know about:

  • spamsum
  • Nilsimsa Hash
  • ssdeep (a fuzzy hashing tool)
  • sdhash (a fuzzy hashing tool)
  • TLSH (Trend Micro Locality Sensitive Hash)

TLSH is particularly effective at identifying similarities between files, even when they've undergone significant modifications. It's a fuzzy hashing algorithm that's been used for malware clustering.

Imphash (Import Hash)

Imphash (Import Hash) is a fuzzy hashing technique specifically designed for Windows Portable Executable (PE) files.

It was originally developed by Mandiant in 2014. This technique focuses on the Import Address Table (IAT) of executable files, which is a crucial aspect of a PE file's structure.

IMPHASH works by extracting the Import Address Table from a PE file, combining the DLL names and their imported function names in a specific order, and then creating a hash of this combined string using MD5.

Malware variants often maintain similar import patterns even when the rest of the code changes, making IMPHASH particularly useful for identifying malware families that use the same codebase or development patterns.

Credit: youtube.com, Malware Theory - Imphash algorithm explained

It's effective at detecting packed or obfuscated malware that share similar unpacking routines, and the calculation is relatively fast compared to other fuzzy hashing methods.

However, IMPHASH does have limitations. It only works with Windows PE files, and can be defeated if malware authors deliberately modify their import patterns.

Here are some benefits of using IMPHASH:

  • Malware variants often maintain similar import patterns even when the rest of the code changes
  • It can identify malware families that use the same codebase or development patterns
  • It's effective at detecting packed or obfuscated malware that share similar unpacking routines
  • The calculation is relatively fast compared to other fuzzy hashing methods
  • It’s natively supported in popular monitoring tools like Sysmon

Apt Phishing Kit

The APT Phishing Kit is a sneaky tool used by cyber attackers to catch users off guard. It creates phishing websites that look legitimate, even using a company's logo.

Websites created by this kit have very similar hashes for both HTML and DOM, making them hard to distinguish. This is evident in a comparison between two campaigns targeting a telecom company and an insurance company.

The hashes are so similar that a tool like tlsh can spot a difference of only 28. This level of similarity is a red flag for security experts.

Check this out: Voice Phishing

Analysis and Discussion

Credit: youtube.com, Deep Fuzzy Hashing Network for Efficient Image Retrieval: A Paper Review

Fuzzy hashing is a game-changer for malware detection. Unlike traditional hashes, which are easily evaded by malware authors, fuzzy hashes focus on finding "close enough" similarities.

Traditional hash-based detection is ineffective because malware authors can easily modify their code to change the file's hash. They use techniques like byte manipulation, payload repackaging, polymorphic code, padding insertion, and code reordering to evade detection.

Fuzzy hashes, on the other hand, are incredibly useful for detecting malware that's been slightly modified. They can identify patterns in large sets of data and find similarities between files, even if they're not exact matches.

Some popular fuzzy hashing tools include ssdeep, which can be used to compare files and identify similarities. Here are some key features of ssdeep:

  • Compares files and identifies similarities
  • Can detect malware that's been slightly modified
  • Identifies patterns in large sets of data

Fuzzy hashing is a powerful tool for malware detection, and it's worth exploring further. By understanding how fuzzy hashes work and how to use tools like ssdeep, you can improve your malware detection skills and stay one step ahead of malware authors.

Conclusions

Credit: youtube.com, Ubuntu 12.04 Forensics - ssdeep Fuzzy Hashing Walk-through

Fuzzy hashing is a valuable tool in the fight against phishing attacks. Companies are still vulnerable to targeted spearphishing attacks.

A fuzzy hashing approach can help catch commoditized or targeted phishing attacks, giving defenders another way to stay ahead of attackers. This capability is worth considering for any organization looking to improve its security.

Companies that incorporate fuzzy hashing into their products can gain an edge in detecting and blocking phishing websites. This is especially important for businesses that handle sensitive information.

Incorporating fuzzy hashing into security products can help reduce the risk of falling victim to phishing attacks.

Try It Yourself

Want to see fuzzy hashing in action? I've created a hands-on lab to help you understand the concept better.

The lab is a single PowerShell script that downloads and unzips SSDEEP to your working directory. This script is a great way to get practical experience with fuzzy hashing.

The script then copies itself 9 times, adding a slight modification (random GUID) to each copy. This is a key aspect of fuzzy hashing, where small changes are made to the original file.

Credit: youtube.com, [How To] Fuzzy Hashing with SSDEEP (similarity matching)

The script captures static and fuzzy hashes of the original file and each copy. By comparing these hashes, you can see how fuzzy hashing works.

To get started, you can download the PowerShell script and follow the instructions to run it. The script will guide you through the process of comparing the hash techniques interactively.

Lamar Smitham

Writer

Lamar Smitham is a seasoned writer with a passion for crafting informative and engaging content. With a keen eye for detail and a knack for simplifying complex topics, Lamar has established himself as a trusted voice in the industry. Lamar's areas of expertise include Microsoft Licensing, where he has written in-depth articles that provide valuable insights for businesses and individuals alike.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.