NIST draft standard details approximate matching
The National Institute of Standards and Technology’s draft publication SP 800-168, Approximate Matching: Definition and Terminology, provides a description of approximate matching and includes requirements and considerations for testing.
Approximate matching is a technique designed to identify similarities between two digital artifacts or arbitrary byte sequences such as a file.
A similarity between two artifacts is determined by a particular approximate matching algorithm. One process the technology uses to find these similarities is resemblance. In this method, two similarly sized objects are compared and searched for common traits. For example, successive versions of a piece of code are likely to share many similarities.
A second way approximate matching measures similarities is containment. This method examines two different sized objects and determines whether the smaller one is inside the larger one, such as a file and a whole-disk image.
This technology is very useful for security monitoring and forensic analysis by filtering data. It provides a result from a range of outcomes [0, 1], which are interpreted as a level of similarity. The reliability of a result is assessed by the robustness of the algorithm, its precision, and whether the algorithm includes security properties designed to prevent attacks, as the manipulation of the matching technique.
A public comment period on Special Publication 800-168 begins on Jan. 27, 2014, and runs through March 21, 2014. Comments can be sent to firstname.lastname@example.org with “Comments on SP 800-168” on the subject line.
Posted by Mike Cipriano on Jan 31, 2014 at 7:38 AM