FiFTy: Large-Scale File Fragment Type Identification Using Convolutional Neural Networks

Govind Mittal; Pawel Korus; Nasir Memon

doi:10.1109/TIFS.2020.3004266

FiFTy: Large-Scale File Fragment Type Identification Using Convolutional Neural Networks

Govind Mittal, Pawel Korus, Nasir Memon

Center for Cyber Security

Research output: Contribution to journal › Article › peer-review

Abstract

We present FiFTy, a modern file-type identification tool for memory forensics and data carving. In contrast to previous approaches based on hand-crafted features, we design a compact neural network architecture, which uses a trainable embedding space. Our approach dispenses with the explicit feature extraction which has been a bottleneck in legacy systems. We evaluate the proposed method on a novel dataset with 75 file-types - the most diverse and balanced dataset reported to date. FiFTy consistently outperforms all baselines in terms of speed, accuracy and individual misclassification rates. We achieved an average accuracy of 77.5% with processing speed of ≈38 sec/GB, which is better and more than an order of magnitude faster than the previous state-of-the-art tool - Sceadan (69% at 9 min/GB). Our tool and the corresponding dataset is open-source.

Original language	English (US)
Article number	9122499
Pages (from-to)	28-41
Number of pages	14
Journal	IEEE Transactions on Information Forensics and Security
Volume	16
DOIs	https://doi.org/10.1109/TIFS.2020.3004266
State	Published - 2021

Keywords

File-type classification
carving
convolutional neural network
machine learning
memory forensics

ASJC Scopus subject areas

Safety, Risk, Reliability and Quality
Computer Networks and Communications

Access to Document

10.1109/TIFS.2020.3004266

Cite this

@article{f98783f8fb5242db868378866eba248b,

title = "FiFTy: Large-Scale File Fragment Type Identification Using Convolutional Neural Networks",

abstract = "We present FiFTy, a modern file-type identification tool for memory forensics and data carving. In contrast to previous approaches based on hand-crafted features, we design a compact neural network architecture, which uses a trainable embedding space. Our approach dispenses with the explicit feature extraction which has been a bottleneck in legacy systems. We evaluate the proposed method on a novel dataset with 75 file-types - the most diverse and balanced dataset reported to date. FiFTy consistently outperforms all baselines in terms of speed, accuracy and individual misclassification rates. We achieved an average accuracy of 77.5% with processing speed of ≈38 sec/GB, which is better and more than an order of magnitude faster than the previous state-of-the-art tool - Sceadan (69% at 9 min/GB). Our tool and the corresponding dataset is open-source.",

keywords = "File-type classification, carving, convolutional neural network, machine learning, memory forensics",

author = "Govind Mittal and Pawel Korus and Nasir Memon",

note = "Funding Information: Manuscript received August 9, 2019; revised January 1, 2020 and June 5, 2020; accepted June 6, 2020. Date of publication June 22, 2020; date of current version July 27, 2020. This work was supported in part by New York University (NYU) Abu Dhabi, United Arab Emirates. The associate editor coordinating the review of this manuscript and approving it for publication was Prof. Luisa Verdoliva. (Corresponding author: Pawe{\l} Korus.) Govind Mittal and Nasir Memon are with the Center for Cybersecurity, New York University Tandon School of Engineering, Brooklyn Borough, NY 11201 USA (e-mail: mittal@nyu.edu; memon@nyu.edu). Publisher Copyright: {\textcopyright} 2005-2012 IEEE.",

year = "2021",

doi = "10.1109/TIFS.2020.3004266",

language = "English (US)",

volume = "16",

pages = "28--41",

journal = "IEEE Transactions on Information Forensics and Security",

issn = "1556-6013",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

}

TY - JOUR

T1 - FiFTy

T2 - Large-Scale File Fragment Type Identification Using Convolutional Neural Networks

AU - Mittal, Govind

AU - Korus, Pawel

AU - Memon, Nasir

N1 - Funding Information: Manuscript received August 9, 2019; revised January 1, 2020 and June 5, 2020; accepted June 6, 2020. Date of publication June 22, 2020; date of current version July 27, 2020. This work was supported in part by New York University (NYU) Abu Dhabi, United Arab Emirates. The associate editor coordinating the review of this manuscript and approving it for publication was Prof. Luisa Verdoliva. (Corresponding author: Paweł Korus.) Govind Mittal and Nasir Memon are with the Center for Cybersecurity, New York University Tandon School of Engineering, Brooklyn Borough, NY 11201 USA (e-mail: mittal@nyu.edu; memon@nyu.edu). Publisher Copyright: © 2005-2012 IEEE.

PY - 2021

Y1 - 2021

N2 - We present FiFTy, a modern file-type identification tool for memory forensics and data carving. In contrast to previous approaches based on hand-crafted features, we design a compact neural network architecture, which uses a trainable embedding space. Our approach dispenses with the explicit feature extraction which has been a bottleneck in legacy systems. We evaluate the proposed method on a novel dataset with 75 file-types - the most diverse and balanced dataset reported to date. FiFTy consistently outperforms all baselines in terms of speed, accuracy and individual misclassification rates. We achieved an average accuracy of 77.5% with processing speed of ≈38 sec/GB, which is better and more than an order of magnitude faster than the previous state-of-the-art tool - Sceadan (69% at 9 min/GB). Our tool and the corresponding dataset is open-source.

AB - We present FiFTy, a modern file-type identification tool for memory forensics and data carving. In contrast to previous approaches based on hand-crafted features, we design a compact neural network architecture, which uses a trainable embedding space. Our approach dispenses with the explicit feature extraction which has been a bottleneck in legacy systems. We evaluate the proposed method on a novel dataset with 75 file-types - the most diverse and balanced dataset reported to date. FiFTy consistently outperforms all baselines in terms of speed, accuracy and individual misclassification rates. We achieved an average accuracy of 77.5% with processing speed of ≈38 sec/GB, which is better and more than an order of magnitude faster than the previous state-of-the-art tool - Sceadan (69% at 9 min/GB). Our tool and the corresponding dataset is open-source.

KW - File-type classification

KW - carving

KW - convolutional neural network

KW - machine learning

KW - memory forensics

UR - http://www.scopus.com/inward/record.url?scp=85089874236&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85089874236&partnerID=8YFLogxK

U2 - 10.1109/TIFS.2020.3004266

DO - 10.1109/TIFS.2020.3004266

M3 - Article

AN - SCOPUS:85089874236

SN - 1556-6013

VL - 16

SP - 28

EP - 41

JO - IEEE Transactions on Information Forensics and Security

JF - IEEE Transactions on Information Forensics and Security

M1 - 9122499

ER -

FiFTy: Large-Scale File Fragment Type Identification Using Convolutional Neural Networks

Abstract

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this