A Framework for Packet Trace Manipulation. Christian Kreibich.

Motivation
- Say you need to solve a problem that involves manipulating network traffic:
  - complex filtering (e.g. data analysis)
  - fine-grained editing (e.g. header field bitflips)
  - large-scale editing (e.g. anonymization)
  - visualization (e.g. behavioural analysis)
- What do you do?

Motivation II
- Find a tool that does it
  - where?
  - does it build?
  - maintained?
- If so, lucky you!
- Mhmm... invent here... again.
- Okay, pcap. Now you typically need infrastructure:
  - data types
  - conn. state tracking
  - protocol header lookup
- Lots of duplicated effort
- Cut’n’paste is bad
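The "infrastructure you end up re-implementing" point above, shown concretely: protocol header lookup plus a fine-grained header edit (a TCP flag bitflip) that keeps the IPv4 and TCP checksums valid. This is an added example, not code from Netdude or the talk; the frame is constructed inline and every function name is this example's own.

```python
import struct

def csum(data: bytes) -> int:
    # RFC 1071 one's-complement sum over 16-bit words; odd length is zero-padded
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def locate(frame: bytes):
    # Protocol header lookup: offsets of the IPv4 and TCP headers in an Ethernet frame
    if frame[12:14] != b"\x08\x00" or frame[23] != 6:
        raise ValueError("expected Ethernet/IPv4/TCP")
    ip_off = 14
    tcp_off = ip_off + (frame[ip_off] & 0x0F) * 4  # honour IHL (IP options)
    return ip_off, tcp_off

def fix_checksums(frame: bytes) -> bytes:
    # Recompute the IPv4 header checksum and the TCP checksum (over the pseudo-header)
    ip_off, tcp_off = locate(frame)
    f = bytearray(frame)
    f[ip_off + 10:ip_off + 12] = b"\x00\x00"
    f[ip_off + 10:ip_off + 12] = struct.pack("!H", csum(bytes(f[ip_off:tcp_off])))
    total_len = struct.unpack("!H", f[ip_off + 2:ip_off + 4])[0]
    f[tcp_off + 16:tcp_off + 18] = b"\x00\x00"
    seg = bytes(f[tcp_off:ip_off + total_len])
    pseudo = bytes(f[ip_off + 12:ip_off + 20]) + struct.pack("!BBH", 0, 6, len(seg))
    f[tcp_off + 16:tcp_off + 18] = struct.pack("!H", csum(pseudo + seg))
    return bytes(f)

def checksums_ok(frame: bytes) -> bool:
    # A frame whose checksums are already correct is unchanged by recomputation
    return fix_checksums(frame) == frame

def flip_tcp_flags(frame: bytes, mask: int) -> bytes:
    # Fine-grained edit: XOR the TCP flags byte (0x02 toggles SYN, 0x10 toggles ACK)
    _, tcp_off = locate(frame)
    f = bytearray(frame)
    f[tcp_off + 13] ^= mask
    return fix_checksums(bytes(f))

# Constructed sample (not from the page): Ethernet + IPv4 + TCP SYN, 10.0.0.1:40000 -> 10.0.0.2:80
SAMPLE = fix_checksums(
    bytes(12) + b"\x08\x00"
    + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0x4000, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    + struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, 5 << 4, 0x02, 65535, 0, 0))
```

Editing the flags byte directly and skipping fix_checksums leaves a frame that checksums_ok rejects, which is exactly the bookkeeping an editing tool has to get right on every write.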

Motivation III  Current practice:

Introducing...
- Netdude — NETwork DUmp Data Editor
- Framework for packet inspection and manipulation
- Multiple usage paradigms: GUI + command line
- Scalable to arbitrary trace sizes
- Reusable at all levels
- Extensible

Architecture

Experience
- Fine-grained header field modifications:
  - M. Handley, C. Kreibich, V. Paxson: Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics, 9th USENIX Security Symposium, 2001
- Large-scale filtering and reassembly:
  - A. Moore, J. Hall, C. Kreibich, E. Harris, I. Pratt: Architecture of a Network Monitor, PAM Workshop, 2003
- Fine-grained payload editing:
  - C. Kreibich, J. Crowcroft: Honeycomb - Creating Intrusion Detection Signatures Using Honeypots, HotNets II, 2003

Future Work
- Lots to do:
  - Packet resizing
  - Less coding
  - Scriptability
(Chart on slide: "Progress Chart 01", axes "Perceived length (normalized)" and "Visual interpretation")

Don’t get me wrong... I

Summary
- System detects patterns in network traffic
- Using honeypots, the system can create useful signatures
- Good at worm detection
- Todo list
  - Ability to control LCS algorithm (whitelisting?)
  - Tests with higher traffic volume
  - Experiment with approximate matching
  - Better signature reporting scheme

Thanks!
- Shoutouts to all contributors!
- Debian packagers needed...
- Questions?