
A Framework for Packet Trace Manipulation


Presentation Transcript


  1. A Framework for Packet Trace Manipulation Christian Kreibich christian.kreibich@cl.cam.ac.uk

  2. Motivation
  • Say you need to solve a problem that involves manipulating network traffic:
    • complex filtering (e.g. data analysis)
    • fine-grained editing (e.g. header field bitflips)
    • large-scale editing (e.g. anonymization)
    • visualization (e.g. behavioural analysis)
  • What do you do?

  3. Motivation II
  • Try to find a tool that does it
    • where? does it build? maintained?
  • If so, lucky you!
  • Mhmm ... write your own ... again.
  • Okay, pcap.
  • Now you typically need infrastructure:
    • data types
    • conn. state tracking
    • protocol header lookup
  • Lots of duplicated effort
  • Cut’n’paste sucks

  4. Motivation III
  • Ewww.

  5. Introducing ...
  • Netdude — NETwork DUmp Data Editor
  • Framework for packet inspection and manipulation
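To make the "infrastructure" point of the motivation slides concrete, here is an added pure-Python sketch (not from the talk and not Netdude's code) that performs one of the listed tasks, address anonymization, on a pcap trace and repairs the IPv4 header checksum that any header edit, bitflip or rewrite, invalidates. It assumes a native little-endian pcap with microsecond timestamps and Ethernet frames; the one-frame trace it operates on is constructed inline.

```python
import struct
PCAP_MAGIC, ETH_LEN, ETHERTYPE_IPV4 = 0xA1B2C3D4, 14, 0x0800   # native-order pcap, Ethernet link layer

def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header; returns 0 when the embedded checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:                         # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pcap_records(data: bytes):
    """Yield (ts_sec, ts_usec, frame) for each record of a little-endian microsecond pcap."""
    assert struct.unpack("<I", data[:4])[0] == PCAP_MAGIC, "unsupported pcap variant"
    off = 24                                   # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len

def anonymize_ipv4(frame: bytes, pseudonyms: dict) -> bytes:
    """Swap src/dst IPv4 addresses for consistent 10.0.0.x pseudonyms and repair the header checksum."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return frame                           # non-IPv4 frames pass through untouched
    ihl = (frame[ETH_LEN] & 0x0F) * 4
    hdr = bytearray(frame[ETH_LEN:ETH_LEN + ihl])
    for off in (12, 16):                       # source / destination address offsets
        real = bytes(hdr[off:off + 4])
        if real not in pseudonyms:             # same real address always gets the same pseudonym
            pseudonyms[real] = struct.pack("!I", 0x0A000001 + len(pseudonyms))
        hdr[off:off + 4] = pseudonyms[real]
    hdr[10:12] = b"\x00\x00"                   # any header edit invalidates the old checksum
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return frame[:ETH_LEN] + bytes(hdr) + frame[ETH_LEN + ihl:]

def rewrite_pcap(data: bytes, edit) -> bytes:
    """Apply edit(frame) to every record and re-emit a pcap under the original global header."""
    out = bytearray(data[:24])
    for ts_sec, ts_usec, frame in pcap_records(data):
        new = edit(frame)
        out += struct.pack("<IIII", ts_sec, ts_usec, len(new), len(new)) + new
    return bytes(out)

def sample_pcap() -> bytes:
    """Constructed one-frame trace: Ethernet / IPv4 192.0.2.1 -> 198.51.100.7 / UDP 1234 -> 53."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 17, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])))
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    frame = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01\x08\x00" + bytes(ip) + struct.pack("!HHHH", 1234, 53, 8, 0)
    ghdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)   # pcap 2.4, linktype 1 = Ethernet
    return ghdr + struct.pack("<IIII", 1_700_000_000, 0, len(frame), len(frame)) + frame
```

Transport-layer checksums (TCP/UDP) cover the IP addresses through the pseudo-header and would need the same repair in a full tool; the UDP checksum in the sample is left at zero, which IPv4 permits.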

  6. Don’t get me wrong ... I

  7. Summary
  • System detects patterns in network traffic
  • Using honeypots, the system can create useful signatures
  • Good at worm detection
  • Todo list
    • Ability to control LCS algorithm (whitelisting?)
    • Tests with higher traffic volume
    • Experiment with approximate matching
    • Better signature reporting scheme

  8. Thanks!
  • Shoutouts: a13x hØ
  • No machines were harmed or compromised in the making of this presentation.
