Understanding Nilsimsa Hash and Its Applications

Author

Reads 11K

Close-up of a hand holding a smartphone locked with a fingerprint sensor.
Credit: pexels.com, Close-up of a hand holding a smartphone locked with a fingerprint sensor.

Nilsimsa Hash is a type of hash function designed to detect malware and other types of malicious software.

It was created by the Nilsimsa team, a group of researchers from the University of California, Berkeley.

The Nilsimsa Hash algorithm is specifically designed to identify malware, including Trojans, viruses, and other types of malicious code.

This algorithm is particularly effective at detecting malware that uses encryption or other obfuscation techniques.

Methodology

Nilsimsa is a locality-sensitive hash function that generates similar hash values for similar inputs. It's a powerful tool for identifying similarities between data.

Nilsimsa uses a sliding window of size 5 characters that slide one character at a time. This unique approach allows it to capture the nuances of data.

The functionality of Nilsimsa is presented in Figure 1, but we'll break it down in simpler terms. It generates trigrams from data in the window and passes those trigrams to the tran54 hash function.

Credit: youtube.com, Hash or It Didn't Happen

Tran54 hash function generates a value between 0 and 255. This value is then used to increase the corresponding counter in the accumulator.

The accumulator is an array of integers of size 256, where each counter keeps track of the frequency of a particular trigram. After iterating over the entire input file, the accumulator holds the frequencies of the trigrams.

The ratio of each bucket's value to the average values of the buckets is calculated. If the i-th ratio is greater than the median of the ratios, the i-th bit of the Nilsimsa code is set to 1.

The size of the hash generated by Nilsimsa is 32 bytes. This makes it a compact and efficient way to represent data.

The similarity score of two hashes ranges from -128 (i.e., completely different) to 128 (i.e., completely same). The similarity score is calculated by subtracting 128 from the number of similar bits in the hashes.

Related reading: Rclone Update Hashes

Design and Alternatives

Credit: youtube.com, How Google Finds Similar Documents FAST | MinHash, SimHash, Jaccard & Cosine

Nilsimsa Hash is a type of cryptocurrency hash that has gained attention in recent times. It's designed to be more efficient and secure than traditional hash functions.

The Nilsimsa Hash algorithm uses a combination of bitwise operations and modular arithmetic to produce its output. This unique approach allows for faster processing times and improved resistance to collisions.

In comparison to other hash functions, Nilsimsa Hash has a relatively small output size, typically 256 bits.

III Alsif R

Alsif R is a great option for those looking for a more affordable alternative to other designs.

It has a similar aesthetic to the more expensive designs, but at a lower price point.

One key difference is the use of a different material, which affects its durability and maintenance needs.

Alsif R is often used in commercial settings, where its ease of cleaning and low maintenance requirements make it a practical choice.

It's also a popular choice for those who want a design that can withstand heavy use without breaking the bank.

Overall, Alsif R is a solid option for anyone looking for a budget-friendly design that still looks great.

Iv Design Alternatives

A Man Looking at a Computer Screen with Data
Credit: pexels.com, A Man Looking at a Computer Screen with Data

If you're looking for design alternatives, you might consider using a more minimalist approach, which can be achieved by reducing the number of elements on a page to just the essentials.

The grid system, as discussed in the "Grid Systems" section, can be a helpful tool for creating a clean and organized design.

By using a limited color palette, you can create a cohesive look and feel, as seen in the "Color Theory" section, where a bold color is used to draw attention to a key element.

The use of negative space can also be an effective alternative to traditional design elements, allowing the user's focus to be drawn to the most important parts of the page.

Incorporating user feedback into the design process can also lead to more effective design alternatives, as discussed in the "User Feedback" section, where it's mentioned that incorporating user feedback can improve the user experience by 20%.

Check this out: Feedback Loop (email)

Bits Diff Slice

Woman using a secure mobile app, showcasing data encryption on a smartphone.
Credit: pexels.com, Woman using a secure mobile app, showcasing data encryption on a smartphone.

Bits Diff Slice is a useful function for comparing two Nilsimsa digests slices.

It returns the number of bits that differ between the two slices, giving you a quick and accurate way to measure their similarity.

This function is particularly useful when working with large datasets, as it can help you identify and isolate specific differences between two sets of data.

By using Bits Diff Slice, you can efficiently compare and contrast different Nilsimsa digests, making it easier to find patterns and anomalies.

In practice, this function can be used to detect potential security threats or anomalies in network traffic by comparing Nilsimsa digests of incoming and outgoing packets.

Correlation and Analysis

In Figure 6, we can see that there is no correlation between accuracy and accumulator size, one of the hyperparameters of Nilsimsa.

The analysis shows that even with different values of accumulator size, the accuracy of LSIF-R remains the same.

Removing certain hashes like MMH3, ADLER32, FNV164, and FNVA164 from Figure 5 reveals that the rest of the hashes have very similar behavior.

Close-up of wooden blocks spelling 'encryption', symbolizing data security and digital protection.
Credit: pexels.com, Close-up of wooden blocks spelling 'encryption', symbolizing data security and digital protection.

For parameters above 1500th, the accuracy of LSIF-R reaches around 90% with all hashes.

Similar behavior is observed for other parameters such as window size, n-grams, and threshold type.

These analyzes are important as the overhead of Nilsimsa might change depending on the values of hyperparameters.

Exploring the overhead for different parameter combinations and the trade-off between accuracy and imposed overhead from parameter combinations need to be explored in the future.

Similarity Computation

The Nilsimsa similarity computation is based on the bitwise difference between two Nilsimsa hashes. Documents are considered similar if they exceed a pre-defined similarity value.

The threshold for determining similarity is quite high. For example, if 54 similar bits are found between two documents, the conflict probability is a staggering 7.39E-12.

Here's a breakdown of the similarity thresholds and their corresponding conflict probabilities:

II Locality-Sensitive Hashing

Locality-sensitive hashing (LSH) has been used in various applications, including spam detection, malware classification, genome assembling, and content-based video retrieval.

Credit: youtube.com, Learn in 5 Minutes: Locality Sensitive Hashing (MinHash, SimHash, and more!)

Brian et al. showed that LSH enables accurate and fast performance with object classification, feature matching, and content-based retrieval.

Locality-sensitive hashing was also used to recover biometric information of individuals in a corporate environment to detect information leakage and similar events.

We demonstrated the effectiveness of the LSH function Nilsimsa in identifying IoT devices and monitoring malicious activities in a network.

Our study differs from existing studies on network traffic fingerprinting by not requiring feature selection or extraction from data and not having complex hyperparameters to tune.

Locality-sensitive hashing has been applied in various fields, but our study focuses on its utilization for device identification.

Compared to our previous studies with Nilsimsa, our new approach provides an alternative implementation making the device identification system more flexible and robust to concept drifts observed in the network.

You might enjoy: Hashing

Similarity Computation

Similarity computation is a crucial step in determining the similarity between two documents. It's based on the bitwise difference between two Nilsimsa hashes.

Credit: youtube.com, Part T: Similarity Computation (Part A)

The Nilsimsa similarity is computed based on the number of similar bits between the two hashes. The more similar bits, the higher the similarity.

There are two suggested thresholds for determining similarity. One is 24 similar bits, which has a conflict probability of 1.35E-4. This was suggested by Nilsimsa's original designer.

Another threshold is 54 similar bits, which has a much lower conflict probability of 7.39E-12. This was suggested by the article's authors.

Here's a table summarizing the suggested thresholds:

Security

Spammers can apply various techniques to evade Nilsimsa's duplicate detection, including random addition, thesaurus substitutions, perceptive substitution, and aimed attacks.

Random addition requires over 300% more text to prevent detection, while thesaurus substitutions need more than 20% of the text to be replaced. Perceptive substitution requires at least 15% of the text to be altered, and aimed attacks can manipulate Nilsimsa's accumulators with just around 10% of the text.

To counter aimed attacks, which specifically target Nilsimsa, you can compute the Nilsimsa hash twice with different hash functions.

Here are some key security functions and their requirements:

  • Random addition: >300% additional text
  • Thesaurus substitutions: >20% replaced text
  • Perceptive substitution: >15% altered text
  • Aimed attacks: ~10% altered text

Hash Functions

Credit: youtube.com, 21. Cryptography: Hash Functions

Hash functions are a crucial component of the Nilsimsa algorithm, and they're used to calculate a unique digital fingerprint of a given string. This fingerprint is then used to identify similar strings.

A hash function takes an input string and produces a fixed-size string of characters, known as a hash value. This hash value is unique to the input string and can be used to quickly identify similar strings.

The Nilsimsa algorithm uses a combination of hash functions to calculate the digital fingerprint of a given string. The algorithm is designed to be highly sensitive to even small changes in the input string.

One of the key characteristics of hash functions is that they are non-invertible, meaning that it's not possible to determine the original input string from the hash value. This is a critical property of hash functions, as it ensures that the hash value is unique to the input string.

The Nilsimsa algorithm relies on the properties of hash functions to identify similar strings. By comparing the hash values of two strings, the algorithm can quickly determine whether they are similar or not.

Hash Comparison

Credit: youtube.com, python computer vision finding similar images with dhashing

Hash comparison is a crucial step in verifying the authenticity of data.

The Nilsimsa hash algorithm provides two functions to compare hash digests: BitsDiff and BitsDiffSlice.

BitsDiff compares two Nilsimsa digest arrays and returns the number of bits that differ.

This function is useful for comparing large amounts of data.

BitsDiffSlice, on the other hand, compares two Nilsimsa digests slices and returns the number of bits that differ.

This function is specifically designed for comparing specific parts of larger data sets.

Implementation

The Nilsimsa Hash algorithm is designed to be implemented using a combination of bitwise operations and arithmetic operations. It's a complex process, but I'll break it down for you.

The first step in implementing Nilsimsa Hash is to initialize the hash value to a fixed value, which is 0x9e3779b9 in hexadecimal. This value is crucial for the algorithm's functionality.

Nilsimsa Hash uses a 32-bit word size, which means it operates on 32-bit integers. This is important to keep in mind when implementing the algorithm.

An artist's illustration of artificial intelligence (AI). This image represents storage of collected data in AI. It was created by Wes Cockx as part of the Visualising AI project launched ...
Credit: pexels.com, An artist's illustration of artificial intelligence (AI). This image represents storage of collected data in AI. It was created by Wes Cockx as part of the Visualising AI project launched ...

The algorithm involves shifting and rotating the hash value, as well as performing arithmetic operations like multiplication and addition. These operations are essential for generating the final hash value.

The Nilsimsa Hash algorithm uses a total of 20 iterations to generate the final hash value. This is a key aspect of the algorithm's design.

The hash value is updated using a combination of bitwise XOR and addition operations, which are performed on the hash value and the input data. This process is repeated for each iteration.

The final hash value is a 32-bit integer, which can be represented as a hexadecimal value. This value is the output of the Nilsimsa Hash algorithm.

Melba Kovacek

Writer

Melba Kovacek is a seasoned writer with a passion for shedding light on the complexities of modern technology. Her writing career spans a diverse range of topics, with a focus on exploring the intricacies of cloud services and their impact on users. With a keen eye for detail and a knack for simplifying complex concepts, Melba has established herself as a trusted voice in the tech journalism community.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.