FINDING AN INTRUDER IN A 10TB HAYSTACK: THE BENEFITS OF SIMILARITY SEARCHING


Presented at FIRST 2017 by

A surprising number of technical questions during a larger intrusion cleanup can be phrased as "given this X, can you find other similar Xs in this huge pile of data?". They range from "given this malware sample, can you find similar samples in this collection?" to "given this memory page, can you find similar memory pages?". This talk discusses the areas where similarity searching is useful, and why "rare" features, i.e. properties that hold for only a small number of data items, are of particular interest to the investigator.
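The following is an added example, not code from the talk or its speaker, showing the two ideas in the abstract side by side: a similarity search over a small constructed corpus of samples, each reduced to a set of features (imported API names, strings, or similar), and the effect of weighting each shared feature by how rare it is in the corpus. The weighting is plain inverse document frequency, chosen here as one reasonable implementation rather than the speaker's method; every sample and feature name below is a constructed placeholder, not a real indicator. The example also shows why rare features matter for the "10TB haystack" part: an inverted index consulted only through the query's rare features yields a tiny candidate set, whereas commonplace features have posting lists as long as the corpus itself.

```python
"""
Added example (not from the talk): similarity search over a small
constructed corpus of "samples", each reduced to a set of features
(think imported API names, strings, section hashes). It contrasts a plain
Jaccard ranking with a ranking that weights each shared feature by how
rare it is in the corpus, and shows how an inverted index over rare
features keeps the candidate set small. All sample and feature names
below are constructed placeholders, not real indicators.
"""
import math
from collections import Counter, defaultdict

# Constructed corpus: sample id -> set of features.
CORPUS = {
    "sample_a": {"CreateFileW", "WriteFile", "CloseHandle", "GetTickCount", "Sleep", "mutex_xq7r"},
    "sample_b": {"CreateFileW", "WriteFile", "CloseHandle", "GetTickCount", "Sleep"},
    "sample_c": {"CreateFileW", "WriteFile", "ReadFile", "RegSetValueExW", "mutex_xq7r"},
    "sample_d": {"CreateFileW", "WriteFile", "CloseHandle", "GetTickCount", "Sleep", "ReadFile"},
    "sample_e": {"CreateFileW", "WriteFile", "CloseHandle", "GetTickCount", "Sleep", "InternetOpenW"},
}


def document_frequency(corpus):
    """Number of samples each feature occurs in."""
    return Counter(f for feats in corpus.values() for f in feats)


def rarity_weights(corpus):
    """Inverse-document-frequency weight per feature: ln(N / df).
    A feature present in every sample weighs 0; one present in a single
    sample weighs ln(N), the most any feature can carry."""
    n = len(corpus)
    return {f: math.log(n / df) for f, df in document_frequency(corpus).items()}


def plain_jaccard(a, b):
    """Fraction of the combined feature set that both samples share."""
    return len(a & b) / len(a | b) if a | b else 0.0


def weighted_overlap(a, b, weights):
    """Sum of rarity weights over shared features: 'how much surprising
    evidence links these two samples', regardless of how many
    commonplace features they also share."""
    return sum(weights.get(f, 0.0) for f in a & b)


def rank(query_id, corpus, weighted=True):
    """Return [(sample_id, score)] for every other sample, best first."""
    query = corpus[query_id]
    weights = rarity_weights(corpus)
    scored = []
    for sid, feats in corpus.items():
        if sid == query_id:
            continue
        score = weighted_overlap(query, feats, weights) if weighted else plain_jaccard(query, feats)
        scored.append((sid, score))
    # Ties are broken by sample id so the ordering is deterministic.
    return sorted(scored, key=lambda t: (-t[1], t[0]))


def explain(query_id, other_id, corpus):
    """Shared features, rarest first, so the analyst sees what drove a match."""
    weights = rarity_weights(corpus)
    shared = corpus[query_id] & corpus[other_id]
    return sorted(((f, round(weights[f], 3)) for f in shared), key=lambda t: (-t[1], t[0]))


def build_inverted_index(corpus):
    """feature -> set of sample ids containing it (the posting list)."""
    index = defaultdict(set)
    for sid, feats in corpus.items():
        for f in feats:
            index[f].add(sid)
    return index


def candidates(query_id, corpus, index, max_df=2):
    """Candidate set built only from the query's rare features (df <= max_df).
    Common features have posting lists as long as the corpus itself, so on a
    large haystack they are the ones to skip."""
    df = document_frequency(corpus)
    cands = set()
    for f in corpus[query_id]:
        if df[f] <= max_df:
            cands |= index[f]
    cands.discard(query_id)
    return cands


if __name__ == "__main__":
    for name, weighted in (("plain Jaccard", False), ("rarity-weighted", True)):
        print(f"{name}: {rank('sample_a', CORPUS, weighted)}")
    best = rank("sample_a", CORPUS, weighted=True)[0][0]
    print("why:", explain("sample_a", best, CORPUS))
    print("rare-feature candidates:", candidates("sample_a", CORPUS, build_inverted_index(CORPUS)))
```

Run as a script, the plain Jaccard ranking for `sample_a` puts `sample_b` first (it shares five commonplace features), while the rarity-weighted ranking puts `sample_c` first on the strength of the one shared mutex name, and `explain` reports that mutex as the feature that drove the match. The inverted-index step reaches the same candidate with a single posting-list lookup.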