分散式網路事件分析記錄系統之研製
The Design and Implementation of Distributed Network Event Analyzing and Recording System
Yi-Lei Chang
Advisor: Dr. Kai-Wei Ke
2013/06/17

Outline
• Introduction
• Background
• System Design
• Compare to simulate system
• Demo
• Reference
Introduction
• Network Event
  • An observable occurrence on a network that can be recognized as a specific protocol activity or behavior (e.g., FTP login, HTTP web browsing).
• System Goals
  • Record and analyze network events
    • FTP
    • HTTP
    • VoIP
    • Abnormal behavior
  • Distributed system
  • High flexibility and extensibility
Background - Jpcap
• Packages
  • jpcap
    • JpcapCaptor
    • PacketReceiver
  • jpcap.packet
    • ARPPacket
    • ICMPPacket
    • IPPacket
    • TCPPacket
    • UDPPacket
Interception System
• Capture packets
• Track related connections
• Record supported network events

Packet Capture
• Receive packets from the NIC in promiscuous mode
• Set a basic packet filter
  • IP
  • ARP
  • Exclude the Interception System's own IP
• Add packets to the PacketPool
Packet Pool
• Maintains all packets captured by PacketCapture
• Each ProtocolParser registered with the PacketPool is given a random integer key used to access its own packet list iterator
• Removes useless packets when the buffer is full
• Synchronization needed
Protocol Parser
• Abstract class ProtocolParser implements Runnable
• Defines the basic steps of a standard protocol parser
• Implements Runnable.run() with four abstract methods called in sequence
  • isRelative()
  • processPacket()
  • isContinue()
  • endProcess()
• The implementation of these abstract methods determines the behavior of each class that extends ProtocolParser (e.g., FTPProtocolParser).

Protocol Parser - FTP
• Relative: port 21
• Process:
  • Create a connection key "clientIP|clientPort|hostIP|hostPort" to identify every FTP command connection
  • For every unhandled FTP connection, create an FTP command parser
• Continue: always
• Ending process: unregister with PacketPool
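The four-step run loop and the connection key from the two slides above, as an added illustration in Python rather than the thesis's Java/Jpcap code. The Packet tuple is a constructed stand-in for the TCPPacket fields used; the key is normalised so both directions of a connection map to the same entry, which is what the "unhandled connection" check needs.

```python
from abc import ABC, abstractmethod
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port payload")  # constructed stand-in for jpcap TCPPacket fields

class ProtocolParser(ABC):
    """Run loop calling the four abstract steps from the slide, in order."""
    def __init__(self, packets):
        self.packets = packets   # packet iterator handed out by the PacketPool
    @abstractmethod
    def is_relative(self, pkt): ...
    @abstractmethod
    def process_packet(self, pkt): ...
    @abstractmethod
    def is_continue(self): ...
    @abstractmethod
    def end_process(self): ...

    def run(self):
        for pkt in self.packets:
            if self.is_relative(pkt):
                self.process_packet(pkt)
            if not self.is_continue():
                break
        self.end_process()       # e.g. unregister from the PacketPool

def connection_key(pkt, server_port):
    """clientIP|clientPort|hostIP|hostPort; both directions of one connection
    give the same key because the server side is pinned by its port."""
    if pkt.dst_port == server_port:
        return f"{pkt.src_ip}|{pkt.src_port}|{pkt.dst_ip}|{pkt.dst_port}"
    return f"{pkt.dst_ip}|{pkt.dst_port}|{pkt.src_ip}|{pkt.src_port}"

class FTPProtocolParser(ProtocolParser):
    def __init__(self, packets):
        super().__init__(packets)
        self.handled = {}        # key -> packets seen (a command parser in the real system)
        self.unregistered = False
    def is_relative(self, pkt):  # Relative: port 21
        return 21 in (pkt.src_port, pkt.dst_port)
    def process_packet(self, pkt):
        key = connection_key(pkt, 21)
        self.handled[key] = self.handled.get(key, 0) + 1
    def is_continue(self):       # Continue: always
        return True
    def end_process(self):       # Ending process: unregister with PacketPool
        self.unregistered = True
```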
Protocol Parser – FTP command
• Relative: the specific connection represented by the connection key
• Process:
  • USER/PASS/230 – login event
  • PORT/227 – track the data connection
  • STOR/RETR – create an FTP recorder to record the transmitted file
• Continue:
  • Connection not closed
  • Connection not idle
• Ending process:
  • Unregister with PacketPool
  • Remove the handled state in the FTP parser

Protocol Parser – FTP recorder
• Relative: the specific connection and direction represented by IP and port
• Process:
  • Put data packets into the TCPReorderBuffer
  • Set the acknowledgement number for the TCPReorderBuffer to reference
  • When the buffer is full, flush data to file
• Continue:
  • Connection not closed
  • Connection not idle
• Ending process:
  • Unregister with PacketPool
  • Flush all remaining data in the buffer to file
  • Log the file transmission event into the DB

TCPReorderBuffer
• A buffer that stores jpcap.packet.TCPPacket objects and reorders their data by sequence number
• Put:
  • TCPPacket
  • ack_number
• Get:
  • In-order TCP payload as a byte array
  • Missing-part info
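An added Python sketch (not the thesis's Java class) of the reorder buffer used by the FTP and HTTP recorders above: put() takes a segment and the peer's ack number, get() returns the payload that is in order and records the holes it had to skip. TCPSegment is a constructed stand-in for the two TCPPacket fields involved; the rule for skipping a hole (only once the peer has acknowledged past it) is this example's reading of how the ack number is used as the reference.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class TCPSegment:
    """The two jpcap.packet.TCPPacket fields needed here (constructed stand-in)."""
    sequence: int
    data: bytes

@dataclass
class TCPReorderBuffer:
    """Reorders one direction of a TCP stream; ack_number (the peer's latest ACK) is
    the reference: a hole the peer already acked will never be retransmitted to us."""
    next_seq: Optional[int] = None    # sequence number of the next byte to emit
    ack_number: int = 0
    pending: dict = field(default_factory=dict)   # seq -> payload waiting for its turn
    missing: list = field(default_factory=list)   # (start_seq, length) of skipped holes

    def put(self, seg: TCPSegment, ack_number: int) -> None:
        self.ack_number = max(self.ack_number, ack_number)
        if self.next_seq is None:
            self.next_seq = seg.sequence      # first segment seen anchors the stream
        if seg.sequence + len(seg.data) <= self.next_seq:
            return                            # pure retransmission, already emitted
        self.pending[seg.sequence] = seg.data

    def get(self) -> bytes:
        """Return all payload that is in order now; leave the rest pending."""
        out = bytearray()
        while self.pending:
            if self.next_seq in self.pending:
                data = self.pending.pop(self.next_seq)
                out += data
                self.next_seq += len(data)
                continue
            lowest = min(self.pending)
            if lowest < self.next_seq:        # overlapping retransmission: keep the new tail only
                data = self.pending.pop(lowest)
                end = lowest + len(data)
                if end > self.next_seq:
                    out += data[self.next_seq - lowest:]
                    self.next_seq = end
            elif self.ack_number >= lowest:   # peer acked past the hole: we missed it on the wire
                self.missing.append((self.next_seq, lowest - self.next_seq))
                self.next_seq = lowest
            else:
                break                         # genuine hole: wait for a retransmission
        return bytes(out)
```

The recorder flushes whatever get() returns to its file and, at end of connection, reports `missing` alongside the file so a truncated capture is not mistaken for a complete one.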
Protocol Parser - HTTP
• Relative: port 80
• Process:
  • Create a connection key "clientIP|clientPort|hostIP|hostPort" to identify every HTTP connection
  • For every unhandled HTTP connection, create an HTTP recorder
• Continue: always
• Ending process: unregister with PacketPool

Protocol Parser – HTTP recorder
• Relative: the specific connection represented by the connection key
• Process:
  • Put data packets into the TCPReorderBuffer
  • Set the acknowledgement number for the TCPReorderBuffer to reference
  • Cut the HTTP header and record the header information
  • Log the HTTP event into the DB
  • Store the HTTP body into the DB if it is not too big
• Continue:
  • Connection not closed
  • Connection not idle
• Ending process:
  • Unregister with PacketPool
  • Flush all remaining data in the buffer to file
  • Log the file transmission event into the DB

Protocol Parser – H.323
• Relative: port 1719 (H.323 RAS), port 1720 (Q.931/H.225)
• Process:
  • Maintain the device list using gatekeeper RAS messages
  • For every unhandled H.245 connection, create an H.245 parser
• Continue: always
• Ending process:
  • Unregister with PacketPool

Protocol Parser – H.245
• Relative: the specific connection represented by the connection key
• Process:
  • When an OpenLogicalChannel message is detected, create an RTP recorder
• Continue:
  • No disconnect message detected
  • Connection not idle
• Ending process:
  • Unregister with PacketPool
  • Log the call event into the DB

Protocol Parser – RTP
• Relative: UDP packets with a specific source and destination
• Process:
  • Record the RTP content
  • Real-time decode/play if needed
• Continue:
  • No disconnect message detected
  • Connection not idle
• Ending process:
  • Unregister with PacketPool
Protocol Parser - Abnormal behavior
• Relative: ICMP packets, ARP packets, TCP SYN packets
• Process:
  • ICMP ping attack
    • Count ICMP packets for both source and destination
    • If > 3 ping packets/sec, log a ping attack event into the DB
  • ARP attack
    • Record MAC/IP mappings
    • If a MAC/IP mapping changes > 10 times/min, log an ARP attack event into the DB
  • TCP SYN packets
    • Record SYN requests; remove each one when its 3-way handshake is established
    • If too many SYN requests remain unestablished, log a SYN attack event into the DB
• Continue: always
• Ending process: unregister with PacketPool
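The three detectors from this slide as an added Python example (not the thesis's code), written over the timestamps and addresses the parser would pull from the captured packets. The 3 pings/s and 10 changes/min thresholds are the slide's; the slide gives no number for "too many" unestablished SYNs, so the `max_half_open` default is an assumption, as are the method and event names.

```python
from collections import defaultdict, deque

class RateWindow:
    """Sliding-window counter: hit() returns how many events `key` had in the last `seconds`."""
    def __init__(self, seconds):
        self.seconds = seconds
        self.events = defaultdict(deque)      # key -> timestamps still inside the window

    def hit(self, key, ts):
        q = self.events[key]
        q.append(ts)
        while ts - q[0] >= self.seconds:
            q.popleft()
        return len(q)

class AbnormalBehaviorParser:
    """The three checks from the slide. Thresholds >3 pings/s and >10 mapping changes/min
    are the slide's; the slide gives no SYN number, so max_half_open is an assumed default."""
    def __init__(self, max_half_open=100):
        self.pings = RateWindow(1.0)
        self.arp_changes = RateWindow(60.0)
        self.arp_table = {}                   # ip -> last MAC seen claiming it
        self.half_open = {}                   # (src, sport, dst, dport) -> time of the SYN
        self.max_half_open = max_half_open
        self.events = []                      # (type, host, ts) rows the real system logs to its DB

    def icmp_echo(self, src, dst, ts):
        for host in (src, dst):               # counted for both source and destination
            if self.pings.hit(host, ts) > 3:
                self.events.append(("ping_attack", host, ts))

    def arp_reply(self, ip, mac, ts):
        old = self.arp_table.get(ip)
        self.arp_table[ip] = mac
        if old is not None and old != mac and self.arp_changes.hit(ip, ts) > 10:
            self.events.append(("arp_attack", ip, ts))

    def tcp_flags(self, src, sport, dst, dport, syn, ack, ts):
        key = (src, sport, dst, dport)
        if syn and not ack:
            self.half_open[key] = ts          # handshake started, not yet established
        elif ack and not syn:
            self.half_open.pop(key, None)     # client's ACK completes the 3-way handshake
        if len(self.half_open) > self.max_half_open:
            self.events.append(("syn_attack", dst, ts))
```

Stale half-open entries would also need an idle timeout in a long-running parser, otherwise ordinary lost handshakes accumulate toward the threshold.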
Analyzing and Recording System
• HTML page recovery
• PCM decode
• File storage and presentation

Analyzing and Recording System - HTTP Analyzer
• Search HTTP responses with content-type text/html to get the HTML page file
• Search for the [src=""] pattern in the HTML file
• Search for the related HTTP request in the DB
• Recover/rename the related file and replace the links in the HTML file
• Cross-match the DB and the HTML file to recover as much as possible

Improvement
• FTP active/passive mode, upload and download support
• HTTP absolute/direct link resolution
• H.323 support
• Better program structure with higher flexibility and extensibility
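The link-rewriting step of the HTTP analyzer as an added Python example (not the thesis's implementation): every src= reference in a recovered page is resolved against the page's own URL, looked up among the captured requests, and pointed at the stored file. The `recorded` mapping from absolute URL to stored filename stands in for the DB lookup, whose schema the slide does not give.

```python
import re
from urllib.parse import urljoin

SRC_RE = re.compile(r'''(src\s*=\s*["'])([^"']+)(["'])''', re.IGNORECASE)

def recover_page(html, page_url, recorded):
    """Rewrite every src= link to the local file the matching captured response
    was stored under; return the new HTML and the URLs that were never captured.

    `recorded` maps absolute request URLs found in the DB to stored filenames
    (constructed for this example; the real DB schema is not on the slide)."""
    unresolved = []

    def replace(match):
        url = urljoin(page_url, match.group(2))   # relative links resolve against the page's URL
        local = recorded.get(url)
        if local is None:
            unresolved.append(url)
            return match.group(0)                 # keep the original link so the page still renders
        return match.group(1) + local + match.group(3)

    return SRC_RE.sub(replace, html), unresolved
```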