Similarity coefficient generators for network forensics

IP spoofing is one of the most common network threats today. While current IP Traceback techniques are capable of identifying the source of a message, they are limited by the huge number of messages that routers have to store to provide this facility. One way to reduce the storage overhead is to store the messages as indices in a Bloom filter. Current systems use Bloom filters at a router to know if a given message has gone through that router. However, often there is a need to know if a similar message has traversed through the router. This calls for similarity measures in the context of Bloom filters. In this paper, we develop such similarity measures (coefficients) in the context of two specialized Bloom filters-Hierarchical Bloom filter (HBF) and Winnowing Block Shingling (WBS). We compare the efficacy of these similarity measures with the Jaccard similarity coefficient. Simulations were carried out to evaluate the measures. The results indicate that HBF-measure is an optimistic metric and WBS-similarity is a pessimistic measure. Jaccard measure falls between the two. We propose a weighted metric that combines all the metrics and is more flexible than the individual measures.