
Page 1

A Framework for Packet Trace Manipulation

[email protected]

Christian Kreibich

Page 2

Motivation

Say you need to solve a problem that involves manipulating network traffic:
  complex filtering (e.g. data analysis)
  fine-grained editing (e.g. header field bit flips)
  large-scale editing (e.g. anonymization)
  visualization (e.g. behavioural analysis)

What do you do?

Pages 3 and 4

Motivation II

Find a tool that does it
  where? does it build? maintained?
  If so, lucky you!

Mhmm ... invent here ... again.
Okay, pcap. Now you typically need infrastructure:
  data types
  conn. state tracking
  protocol header lookup

Lots of duplicated effort
Cut'n'paste is bad

Page 5

Motivation III

Current practice:

Page 6

Introducing ...

Netdude — NETwork DUmp Data Editor
  Framework for packet inspection and manipulation
  Multiple usage paradigms: GUI + command line
  Scalable to arbitrary trace sizes
  Reusable at all levels
  Extensible
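Worked example added by the editor, not netdude's own code: the pcap "infrastructure you typically need" from the Motivation slides (a packet data type, protocol header lookup, complex filtering, fine-grained header editing, large-scale anonymization) written against the Python standard library, so that the framework claims on this slide can be checked against something runnable. The two-frame trace is constructed in the file from RFC 5737 documentation addresses, the keyed-hash mapping into 10.0.0.0/8 and all function names are the editor's choices rather than anything netdude does, and connection state tracking is not covered.

```python
# Added example, not netdude's own code: the pcap "infrastructure you typically need"
# (packet data type, header lookup, filtering, field edits with checksum repair, anonymization).
import hashlib, hmac, ipaddress, struct
from typing import List, NamedTuple, Optional, Tuple

ETHERTYPE_IPV4, PROTO_TCP, PROTO_UDP = 0x0800, 6, 17
Packet = NamedTuple("Packet", [("ts_sec", int), ("ts_usec", int), ("data", bytearray)])  # ts + mutable bytes

def ip_checksum(buf: bytes) -> int:
    """RFC 1071 one's-complement sum; 0 over a header whose stored checksum is correct."""
    buf += b"\x00" * (len(buf) % 2)
    total = sum(struct.unpack("!%dH" % (len(buf) // 2), buf))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(pkt: Packet) -> Optional[Tuple[int, int]]:
    """Header lookup: (offset, length) of the IPv4 header in an Ethernet frame, bounds-checked."""
    d = pkt.data
    if len(d) < 34 or struct.unpack_from("!H", d, 12)[0] != ETHERTYPE_IPV4 or d[14] >> 4 != 4:
        return None
    ihl = (d[14] & 0x0F) * 4
    return (14, ihl) if ihl >= 20 and len(d) >= 14 + ihl else None

def l4_checksum(pkt: Packet) -> Optional[Tuple[int, int, int]]:
    """TCP/UDP only: (checksum field offset, stored value, correct value). The pseudo-header
    covers both IP addresses, so any address edit invalidates this checksum as well."""
    off, ihl = ipv4_header(pkt)
    d, proto, l4 = pkt.data, pkt.data[off + 9], off + ihl
    end = off + struct.unpack_from("!H", d, off + 2)[0]  # IP total length: ignores Ethernet padding
    if proto not in (PROTO_TCP, PROTO_UDP) or end > len(d):
        return None
    at = l4 + (16 if proto == PROTO_TCP else 6)
    pseudo = bytes(d[off + 12:off + 20]) + struct.pack("!BBH", 0, proto, end - l4)
    want = ip_checksum(pseudo + bytes(d[l4:at]) + b"\x00\x00" + bytes(d[at + 2:end]))
    return at, struct.unpack_from("!H", d, at)[0], want or (0xFFFF if proto == PROTO_UDP else 0)

def fix_checksums(pkt: Packet) -> None:
    """Repair IPv4 and transport checksums after a header edit (ad-hoc tools often skip the latter)."""
    (off, ihl), d = ipv4_header(pkt), pkt.data
    hdr = bytes(d[off:off + 10]) + b"\x00\x00" + bytes(d[off + 12:off + ihl])  # checksum field zeroed
    struct.pack_into("!H", d, off + 10, ip_checksum(hdr))
    span = l4_checksum(pkt)
    if span is not None:
        struct.pack_into("!H", d, span[0], span[2])

def checksums_ok(pkt: Packet) -> bool:
    (off, ihl), span = ipv4_header(pkt), l4_checksum(pkt)
    return ip_checksum(bytes(pkt.data[off:off + ihl])) == 0 and (span is None or span[1] == span[2])

def anonymize_addrs(pkt: Packet, key: bytes) -> None:
    """Large-scale edit: src/dst become keyed pseudonyms in 10.0.0.0/8, consistent across the
    trace and unrecoverable without the key. Keyed hash, not prefix-preserving (Crypto-PAn style)."""
    off = ipv4_header(pkt)[0]
    for f in (off + 12, off + 16):
        tag = hmac.new(key, bytes(pkt.data[f:f + 4]), hashlib.sha256).digest()
        pkt.data[f:f + 4] = b"\x0a" + tag[:3]
    fix_checksums(pkt)

def write_pcap(packets: List[Packet]) -> bytes:
    out = bytearray(struct.pack("!IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))  # LINKTYPE_ETHERNET
    for p in packets:
        out += struct.pack("!IIII", p.ts_sec, p.ts_usec, len(p.data), len(p.data)) + p.data
    return bytes(out)

def read_pcap(blob: bytes) -> List[Packet]:
    e = {b"\xa1\xb2\xc3\xd4": "!", b"\xd4\xc3\xb2\xa1": "<"}.get(blob[:4])  # magic fixes byte order
    if e is None or len(blob) < 24 or struct.unpack_from(e + "IHHiIII", blob, 0)[6] != 1:
        raise ValueError("not a classic pcap file with LINKTYPE_ETHERNET")
    pkts, off = [], 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, caplen, _ = struct.unpack_from(e + "IIII", blob, off)
        if off + 16 + caplen > len(blob):
            raise ValueError("truncated record at offset %d" % off)
        pkts.append(Packet(ts_sec, ts_usec, bytearray(blob[off + 16:off + 16 + caplen])))
        off += 16 + caplen
    return pkts

def build_frame(ts_usec: int, src: str, dst: str, proto: int, l4: bytes) -> Packet:
    """Constructed sample frame (not captured): Ethernet + IPv4 (TTL 64) + transport bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x1234, 0x4000, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    eth = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    pkt = Packet(1_700_000_000, ts_usec, bytearray(eth + ip + l4))
    fix_checksums(pkt)
    return pkt

def demo(key: bytes = b"constructed-demo-key") -> dict:
    syn = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 65535, 0, 0)
    udp = struct.pack("!HHHH", 5353, 53, 12, 0) + b"ping"
    pkts = [build_frame(0, "192.0.2.1", "198.51.100.7", PROTO_TCP, syn),
            build_frame(500, "192.0.2.1", "203.0.113.9", PROTO_UDP, udp)]
    tcp_only = [p for p in pkts if p.data[ipv4_header(p)[0] + 9] == PROTO_TCP]  # complex filtering
    for p in pkts:
        p.data[ipv4_header(p)[0] + 8] = 1  # fine-grained edit (TTL); anonymize_addrs repairs checksums
        anonymize_addrs(p, key)            # large-scale edit
    out = read_pcap(write_pcap(pkts))      # the edited trace, round-tripped through pcap bytes
    return {"packets": len(out), "tcp": len(tcp_only), "ttl": out[0].data[22],
            "src": [str(ipaddress.IPv4Address(bytes(p.data[26:30]))) for p in out],
            "checksums_ok": all(checksums_ok(p) for p in out)}
```

Every edit ends in a checksum repair because the TCP and UDP checksums cover a pseudo-header containing both IP addresses: a tool that rewrites addresses and leaves the transport checksum stale produces a trace that a normalizer or NIDS treats differently from the original. The address mapping is a plain keyed hash, which deliberately hides subnet structure; analyses that need it use a prefix-preserving scheme such as Crypto-PAn instead. Note also that checksums_ok rejects UDP datagrams whose checksum was legitimately disabled (stored as 0), which a production tool would have to special-case.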

Pages 7 to 11

Architecture

[Architecture diagram, built up over five slides; not recoverable from the transcript]

Page 12

Experience

Fine-grained header field modifications:
M. Handley, C. Kreibich, V. Paxson: Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics, 10th USENIX Security Symposium, 2001

Large-scale filtering and reassembly:
A. Moore, J. Hall, C. Kreibich, E. Harris, I. Pratt: Architecture of a Network Monitor, PAM Workshop, 2003

Fine-grained payload editing:
C. Kreibich, J. Crowcroft: Honeycomb - Creating Intrusion Detection Signatures Using Honeypots, HotNets II, 2003

Pages 13 to 16

Future Work

Lots to do:
  Packet resizing
  Less coding
  Scriptability

[Figure: progress chart, built up over four slides; y-axis "Perceived length (normalized)", x-axis 0 to 1; panel "Visual interpretation"]

Page 17

Don't get me wrong ...

Page 18

Summary

System detects patterns in network traffic
Using honeypots, the system can create useful signatures
Good at worm detection

Todo list
  Ability to control LCS algorithm (whitelisting?)
  Tests with higher traffic volume
  Experiment with approximate matching
  Better signature reporting scheme

Page 19

Thanks!

Shoutouts to all contributors!
Debian packagers needed ...
Questions?