The Normalised Compression Distance as a File Fragment Classifier
|Document type:||Journal Articles|
|Article type:||Original article|
|Title:||The Normalised Compression Distance as a File Fragment Classifier|
|Organization:||Blekinge Institute of Technology|
|Department:||School of Computing (Sektionen för datavetenskap och kommunikation)
School of Computing S-371 79 Karlskrona
+46 455 38 50 00
|Abstract:||We have applied the generalised and universal distance measure NCD—Normalised Compression Distance—to the problem of determining the type of ﬁle fragments. To enable later comparison of the results, the algorithm was applied to fragments of a publicly available corpus of ﬁles. The NCD algorithm in conjunction with the k-nearest-neighbour (k ranging from one to ten) as the classiﬁcation algorithm was applied to a random selection of circa 3000 512-byte ﬁle fragments from 28 different ﬁle types. This procedure was then repeated ten times. While the overall accuracy of the n-valued classiﬁcation only improved the prior probability from approximately 3.5% to circa 32%–36%, the classiﬁer reached accuracies of circa 70% for the most successful ﬁle types.
A prototype of a ﬁle fragment classiﬁer was then developed and evaluated on new set of data (from the same corpus). Some circa 3000 fragments were selected at random
and the experiment repeated ﬁve times. This prototype classiﬁer remained successful at classifying individual ﬁle types with accuracies ranging from only slightly lower than 70% for the best class, down to similar accuracies as in the prior experiment.
|Subject:||Computer Science\Electronic security
Computer Science\Artificial Intelligence