
A Framework for Packet Trace Manipulation


Presentation Transcript


  1. A Framework for Packet Trace Manipulation
  Christian Kreibich
  christian.kreibich@cl.cam.ac.uk

  2. Motivation
  • Say you need to solve a problem that involves manipulating network traffic:
    • complex filtering (e.g. data analysis)
    • fine-grained editing (e.g. header field bitflips)
    • large-scale editing (e.g. anonymization)
    • visualization (e.g. behavioural analysis)
  • What do you do?


  4. Motivation II
  • Find a tool that does it
    • where? does it build? maintained?
  • If so, lucky you!
  • Mhmm ... invent here ... again.
  • Okay, pcap.
  • Now you typically need infrastructure:
    • data types
    • connection state tracking
    • protocol header lookup
  • Lots of duplicated effort
  • Cut’n’paste is bad

  5. Motivation III • Current practice:

  6. Introducing ...
  • Netdude — NETwork DUmp Data Editor
  • Framework for packet inspection and manipulation
  • Multiple usage paradigms: GUI + command line
  • Scalable to arbitrary trace sizes
  • Reusable at all levels
  • Extensible

  7. Architecture (slides 7 to 11 carry only this heading in the transcript)

  12. Experience
  • Fine-grained header field modifications:
    • M. Handley, C. Kreibich, V. Paxson: Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics, 9th USENIX Security Symposium, 2001
  • Large-scale filtering and reassembly:
    • A. Moore, J. Hall, C. Kreibich, E. Harris, I. Pratt: Architecture of a Network Monitor, PAM Workshop, 2003
  • Fine-grained payload editing:
    • C. Kreibich, J. Crowcroft: Honeycomb - Creating Intrusion Detection Signatures Using Honeypots, HotNets II, 2003


  16. Future Work
  • Lots to do:
    • Packet resizing
    • Less coding
    • Scriptability
  (Progress chart: "Visual interpretation", perceived length normalized from 0 to 1)

  17. Don’t get me wrong ...  I

  18. Summary
  • System detects patterns in network traffic
  • Using honeypots, the system can create useful signatures
  • Good at worm detection
  • Todo list
    • Ability to control LCS algorithm (whitelisting?)
    • Tests with higher traffic volume
    • Experiment with approximate matching
    • Better signature reporting scheme

  19. Thanks!
  • Shoutouts to all contributors!
  • Debian packagers needed ...
  • Questions?
