A Framework for Packet Trace Manipulation
Christian Kreibich
christian.kreibich@cl.cam.ac.uk

Motivation
• Say you need to solve a problem that involves manipulating network traffic:
  • complex filtering (e.g. data analysis)
  • fine-grained editing (e.g. header field bitflips)
  • large-scale editing (e.g. anonymization)
  • visualization (e.g. behavioural analysis)
• What do you do?
Motivation II
• Try to find a tool that does it
  • where? does it build? maintained?
• If so, lucky you!
• Mhmm ... write your own ... again.
• Okay, pcap.
• Now you typically need infrastructure:
  • data types
  • conn. state tracking
  • protocol header lookup
• Lots of duplicated effort
• Cut’n’paste sucks

Motivation III
• Ewww.

Introducing ...
• Netdude — NETwork DUmp Data Editor
• Framework for packet inspection and manipulation
• Multiple usage paradigms: GUI + command line
• Scalable to arbitrary trace sizes
• Reusable at all levels
• Extensible
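The "Motivation II" slide lists the infrastructure every hand-rolled pcap tool ends up rebuilding: data types for the file and packet layout, connection state tracking, and protocol header lookup. The following added example (not Netdude code, and not from the talk) shows what that minimum looks like in Python using only the standard library, and then uses it for the three editing tasks from the "Motivation" slide: filtering (connection summaries), a fine-grained edit (flipping one TCP flag bit) and a large-scale edit (consistent IP address anonymization with IP checksums refreshed). The trace, the addresses and the frame builder are constructed here for the example; a real tool would also recompute TCP/UDP checksums, which cover the addresses through the pseudo-header.

```python
import struct
from collections import defaultdict

def ip_checksum(hdr):
    """RFC 1071 one's-complement sum; yields 0 over a header whose checksum field is already correct."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame with a valid IP checksum (TCP checksum left at zero)."""
    eth = bytes.fromhex("001122334455 66778899aabb 0800")
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x1234, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:] + tcp + payload

def build_pcap(frames):
    """Little-endian classic pcap (magic 0xA1B2C3D4, linktype 1 = Ethernet) holding the frames."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)

SAMPLE_PCAP = build_pcap([  # constructed trace: one TCP handshake plus one unrelated SYN
    build_frame("192.0.2.10", "198.51.100.5", 40000, 80, 0x02),
    build_frame("198.51.100.5", "192.0.2.10", 80, 40000, 0x12),
    build_frame("192.0.2.10", "198.51.100.5", 40000, 80, 0x18, b"GET / HTTP/1.0\r\n\r\n"),
    build_frame("192.0.2.10", "203.0.113.7", 40001, 443, 0x02),
])

def parse_pcap(data):
    """Yield (file offset of the frame, frame bytes) per record; byte order comes from the magic."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    if struct.unpack(endian + "I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a classic pcap file")
    pos = 24
    while pos + 16 <= len(data):
        incl = struct.unpack(endian + "IIII", data[pos:pos + 16])[2]
        yield pos + 16, data[pos + 16:pos + 16 + incl]
        pos += 16 + incl

def lookup_headers(frame):
    """Protocol header lookup: offsets of the Ethernet, IPv4, TCP and payload parts, or None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    hdrs = {"eth": 0, "ip": 14}
    if frame[23] == 6 and len(frame) >= 14 + ihl + 20:  # protocol 6 = TCP
        hdrs["tcp"] = 14 + ihl
        hdrs["payload"] = 14 + ihl + (frame[14 + ihl + 12] >> 4) * 4
    return hdrs

def track_connections(pcap):
    """Connection state tracking keyed on the sorted (addr, port) pair so both directions match."""
    conns = defaultdict(lambda: {"packets": 0, "syn": False, "fin": False})
    for _, frame in parse_pcap(pcap):
        h = lookup_headers(frame)
        if not h or "tcp" not in h:
            continue
        ip, tcp = h["ip"], h["tcp"]
        src, dst = (".".join(map(str, frame[o:o + 4])) for o in (ip + 12, ip + 16))
        sport, dport = struct.unpack("!HH", frame[tcp:tcp + 4])
        state = conns[tuple(sorted([(src, sport), (dst, dport)]))]
        state["packets"] += 1
        state["syn"] |= bool(frame[tcp + 13] & 0x02)
        state["fin"] |= bool(frame[tcp + 13] & 0x01)
    return dict(conns)

def flip_tcp_flag(pcap, pkt_index, bit):
    """Fine-grained edit: XOR one bit of the TCP flags byte in packet pkt_index (0-based)."""
    data = bytearray(pcap)
    for i, (off, frame) in enumerate(parse_pcap(pcap)):
        if i == pkt_index:
            data[off + lookup_headers(frame)["tcp"] + 13] ^= bit
            return bytes(data)
    raise IndexError(pkt_index)

def anonymize(pcap):
    """Large-scale edit: remap every IPv4 address consistently to 10.0.0.N and refresh IP checksums.
    (TCP checksums also cover the addresses via the pseudo-header; a real tool would redo them too.)"""
    data, mapping = bytearray(pcap), {}
    for off, frame in parse_pcap(pcap):
        h = lookup_headers(frame)
        if not h:
            continue
        ip = off + h["ip"]
        for field in (ip + 12, ip + 16):
            real = bytes(data[field:field + 4])
            mapping.setdefault(real, bytes([10, 0, 0, len(mapping) + 1]))
            data[field:field + 4] = mapping[real]
        ihl = (data[ip] & 0x0F) * 4
        data[ip + 10:ip + 12] = b"\x00\x00"
        data[ip + 10:ip + 12] = struct.pack("!H", ip_checksum(bytes(data[ip:ip + ihl])))
    return bytes(data), mapping
```

Running `track_connections(SAMPLE_PCAP)` groups the three handshake packets under one key regardless of direction; `anonymize` edits addresses in place by file offset, which is what keeps this approach workable on large traces (no per-packet object model is built), and the IP checksum refresh is the kind of consistency bookkeeping that the slides describe as duplicated effort across one-off tools.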
Experience
• Fine-grained header field modifications:
  • M. Handley, C. Kreibich, V. Paxson: Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics, 9th USENIX Security Symposium, 2001.
• Large-scale filtering and reassembly:
  • A. Moore, J. Hall, C. Kreibich, E. Harris, I. Pratt: Architecture of a Network Monitor, Passive and Active Measurement Workshop, 2003.
• Fine-grained payload editing:
  • C. Kreibich, J. Crowcroft: Honeycomb - Creating Intrusion Detection Signatures Using Honeypots, HotNets II, 2003.

Future Work
• hehe

Summary
• System detects patterns in network traffic
• Using honeypots, the system can create useful signatures
• Good at worm detection
• Todo list
  • Ability to control LCS algorithm (whitelisting?)
  • Tests with higher traffic volume
  • Experiment with approximate matching
  • Better signature reporting scheme

Thanks!
• Shoutouts to all contributors!
• Debian packagers needed ...
• Questions?