A Framework for Packet Trace Manipulation - PowerPoint PPT Presentation

About This Presentation

Title: A Framework for Packet Trace Manipulation

Description: Say you need to solve a problem that involves manipulating ... Hall, C. Kreibich, E. Harris, I. Pratt: Architecture of a Network Monitor, PAM Workshop, 2003 ... – PowerPoint PPT presentation

Slides: 20
Provided by: HomerS8
Learn more at: http://www.icir.org

Transcript and Presenter's Notes

1
A Framework for Packet Trace Manipulation
  • Christian Kreibich

2
Motivation
  • Say you need to solve a problem that involves
    manipulating network traffic
  • complex filtering (e.g. data analysis)
  • fine-grained editing (e.g. header field bitflips)
  • large-scale editing (e.g. anonymization)
  • visualization (e.g. behavioural analysis)
  • What do you do?

4
Motivation II
  • Find a tool that does it
  • Where? Does it build? Is it maintained?
  • If so, lucky you!
  • Hmm ... reinvent it here ... again.
  • Okay, pcap.
  • Now you typically need infrastructure:
    data types, connection state tracking,
    protocol header lookup
  • Lots of duplicated effort
  • Cut-and-paste is bad

5
Motivation III
  • Current practice

6
Introducing ...
  • Netdude: the NETwork DUmp Data Editor
  • Framework for packet inspection and manipulation
  • Multiple usage paradigms: GUI, command line
  • Scalable to arbitrary trace sizes
  • Reusable at all levels
  • Extensible

7
Architecture
  (slides 7-11: Architecture; figure only, no text captured)
12
Experience
  • Fine-grained header field modifications
    M. Handley, C. Kreibich, V. Paxson: Network
    Intrusion Detection: Evasion, Traffic
    Normalization, and End-to-End Protocol Semantics,
    10th USENIX Security Symposium, 2001
  • Large-scale filtering and reassembly
    A. Moore, J. Hall, C. Kreibich, E. Harris, I.
    Pratt: Architecture of a Network Monitor, PAM
    Workshop, 2003
  • Fine-grained payload editing
    C. Kreibich, J. Crowcroft: Honeycomb - Creating
    Intrusion Detection Signatures Using Honeypots,
    HotNets-II, 2003
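
The infrastructure that the Motivation II slide says every hand-rolled pcap tool ends up rebuilding (data types, connection state tracking, protocol header lookup), together with the first two Experience categories above (fine-grained header field modification; connection-level filtering), as an added example in Python. It is not part of the slides and not Netdude's own code. It assumes little-endian pcap files carrying Ethernet/IPv4/TCP frames only, uses an IPv4 TTL rewrite with IPv4 header checksum recomputation as the representative header edit, keeps per-connection byte counts rather than doing reassembly, and the four-packet HTTP exchange, addresses and ports are constructed for the example:

```python
"""Added example (not Netdude code): the pcap 'infrastructure' a one-off tool re-implements:
pcap read/write, header lookup, per-connection state, and a TTL rewrite with checksum fix-up."""
import socket
import struct
from collections import defaultdict

GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")        # ts_sec, ts_usec, incl_len, orig_len
PCAP_MAGIC, DLT_EN10MB, ETH_HLEN, ETHERTYPE_IPV4, IPPROTO_TCP = 0xA1B2C3D4, 1, 14, 0x0800, 6

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; odd-length input is zero-padded."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def read_pcap(blob: bytes):
    """Yield (ts_sec, ts_usec, frame) from a little-endian pcap blob with Ethernet frames."""
    magic, *_, linktype = GLOBAL_HDR.unpack_from(blob, 0)
    if magic != PCAP_MAGIC or linktype != DLT_EN10MB:
        raise ValueError("only little-endian pcap with DLT_EN10MB is handled here")
    off = GLOBAL_HDR.size
    while off + REC_HDR.size <= len(blob):
        sec, usec, incl, _orig = REC_HDR.unpack_from(blob, off)
        off += REC_HDR.size
        yield sec, usec, blob[off:off + incl]
        off += incl

def write_pcap(records) -> bytes:
    out = [GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, DLT_EN10MB)]
    for sec, usec, frame in records:
        out.append(REC_HDR.pack(sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)

def locate_tcp(frame: bytes):
    """Header lookup: (ipv4_offset, tcp_offset), or None if the frame is not IPv4/TCP."""
    if len(frame) < ETH_HLEN + 20 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip, ihl = ETH_HLEN, (frame[ETH_HLEN] & 0x0F) * 4
    if frame[ip] >> 4 != 4 or ihl < 20 or frame[ip + 9] != IPPROTO_TCP:
        return None
    return (ip, ip + ihl) if len(frame) >= ip + ihl + 20 else None

def set_ttl(frame: bytes, ttl: int) -> bytes:
    """Rewrite the IPv4 TTL and recompute the IPv4 checksum (the TCP checksum does not cover TTL)."""
    if (loc := locate_tcp(frame)) is None:
        return frame  # non-IPv4/TCP frames are passed through untouched
    ip, tcp = loc
    buf = bytearray(frame)
    buf[ip + 8] = ttl
    struct.pack_into("!H", buf, ip + 10, checksum(bytes(buf[ip:ip + 10]) + b"\x00\x00" + bytes(buf[ip + 12:tcp])))
    return bytes(buf)

def checksums_ok(frame: bytes) -> bool:
    """Verify IPv4 and TCP checksums: a header carrying a correct checksum sums to zero."""
    ip, tcp = locate_tcp(frame)
    seg = frame[tcp:ip + struct.unpack_from("!H", frame, ip + 2)[0]]
    pseudo = frame[ip + 12:ip + 20] + struct.pack("!BBH", 0, IPPROTO_TCP, len(seg))
    return checksum(frame[ip:tcp]) == 0 and checksum(pseudo + seg) == 0

def track_connections(frames):
    """Connection state: packets and payload bytes per direction, keyed on the sorted endpoint pair."""
    conns = defaultdict(lambda: {"packets": 0, "payload": defaultdict(int)})
    for frame in frames:
        if (loc := locate_tcp(frame)) is None:
            continue
        ip, tcp = loc
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        src = "%s:%d" % (socket.inet_ntoa(frame[ip + 12:ip + 16]), sport)
        dst = "%s:%d" % (socket.inet_ntoa(frame[ip + 16:ip + 20]), dport)
        end = ip + struct.unpack_from("!H", frame, ip + 2)[0]  # end of IPv4 total length
        conn = conns[tuple(sorted((src, dst)))]
        conn["packets"] += 1
        conn["payload"][src + "->" + dst] += end - tcp - (frame[tcp + 12] >> 4) * 4
    return conns

def build_tcp_frame(src, dst, sport, dport, flags, payload=b"", ttl=64, seq=1, ack=0):
    """Constructed input: Ethernet/IPv4/TCP frame with valid IPv4 and TCP checksums."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, ttl, IPPROTO_TCP, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp

def demo(ttl=1):
    """Constructed four-packet HTTP exchange: rewrite every TTL and round-trip it through pcap."""
    frames = [
        build_tcp_frame("10.0.0.1", "10.0.0.2", 40000, 80, 0x02),  # SYN
        build_tcp_frame("10.0.0.2", "10.0.0.1", 80, 40000, 0x12, ack=2),  # SYN/ACK
        build_tcp_frame("10.0.0.1", "10.0.0.2", 40000, 80, 0x18, b"GET / HTTP/1.0\r\n\r\n", seq=2, ack=2),
        build_tcp_frame("10.0.0.2", "10.0.0.1", 80, 40000, 0x18, b"HTTP/1.0 200 OK\r\n", seq=2, ack=20),
    ]
    trace = write_pcap((i, 0, f) for i, f in enumerate(frames))
    edited = write_pcap((s, u, set_ttl(f, ttl)) for s, u, f in read_pcap(trace))
    return [f for _, _, f in read_pcap(edited)]
```

demo() returns the edited frames after a write/read round trip, so checksums_ok() exercises the same bytes a downstream tool would see; track_connections() produces the per-flow state a filter or reassembler would key on. Every piece here (pcap framing, header offsets, checksum arithmetic, flow keys) is exactly the code that gets copied from one throwaway tool to the next, which is the duplicated effort the slides argue a framework should absorb.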

13
Future Work
  (Progress chart, slides 13-16: "Visual interpretation" against
   "Perceived length (normalized)", scale 0 to 1; no further text captured)
  • Lots to do
  • Packet resizing
  • Less coding
  • Scriptability

17
Don't get me wrong ...
  • I

18
Summary
  • System detects patterns in network traffic
  • Using honeypots, the system can create useful
    signatures
  • Good at worm detection
  • To-do list
  • Ability to control the LCS algorithm (whitelisting?)
  • Tests with higher traffic volume
  • Experiment with approximate matching
  • Better signature reporting scheme

19
Thanks!
  • Shoutouts to all contributors!
  • Debian packagers needed ...
  • Questions?