NETWORK SECURITY AND ANALYSIS WITH PYTHON
Lee Yang Peng
Dunman High School
Singapore
DEEP PACKET INSPECTION
Checking whether anything in the packet is suspicious
ANALYTICS
Motivation: helping deep packet inspection by learning protocol formats from captured traffic
An initial experimental study: I implemented the heuristics described below and then conducted experiments on them to determine their effectiveness
HEURISTICS FOR ANALYTICS
Detecting Constant fields and Enum fields to learn about a protocol's format
Constant: a byte position whose value is the same in every packet of a single protocol.
For example: {‘\x00’} at the same offset in every packet, or the fixed sequence {‘\x00’, ‘\x01’, ‘\x02’} appearing in every packet.
Enum: a byte position whose value varies only within a small, fixed set of values.
For example: position 5 only ever holds a value from {‘\x00’, ‘\x01’, ‘\x02’}.
Constant fields in protocol headers may be:
• Padding
• Protocol version
• Reserved fields
Where p_i is the probability of each value occurring
13 May 2015
Protocols analysed: Ethernet, TCP, UDP, IPv4, IPv6, ICMP, IGMP(v3), ARP, SMB, NBNS, LLMNR, DNS, SCTP, OSPF
• The collected data cannot reproduce the randomness of a real network
• False positives will therefore be observed (a byte that never varied in the capture but is not constant by specification)
• For consistency, these are marked as incorrect in my evaluation
• Heuristic output for each protocol header was compared manually against ground truth taken from the protocol documentation
• Every byte in the protocol header is marked as {Constant, Not Constant} and {Enum, Not Enum}
• Accuracy = (True Positives + True Negatives) / Total Header Length
• These figures were entered into the table below
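As an added example (not code from the talk itself), here is a minimal Python implementation of the two heuristics and of the evaluation described above: per-offset value counts over a set of headers from one protocol, a Constant / Enum label for every byte, Shannon entropy per offset with p_i as defined earlier, and the (True Positives + True Negatives) / header-length accuracy against hand-written ground truth. The eight sample headers, their layout and the enum_max threshold are constructed assumptions for this example; the capture deliberately includes a length byte that never varies, to show the kind of false positive the previous slide warns about.

```python
"""Per-offset Constant / Enum heuristics over captured headers of one protocol.

Added example, not code from the original talk. The packets below are
constructed by hand for a made-up 8-byte header so that the script runs
offline; the enum_max threshold and the 'constant' / 'enum' field names are
assumptions of this example, not values from the talk.
"""
import math
from collections import Counter

# Constructed sample capture: eight headers of an invented protocol.
# Layout (our "protocol documentation", i.e. the ground truth):
#   offset 0    version   constant 0x01
#   offset 1    flags     enum, one of {0x00, 0x02, 0x04}
#   offset 2-3  sequence  varies
#   offset 4    reserved  constant 0x00
#   offset 5    type      enum, one of {0x0a, 0x0b}
#   offset 6-7  length    varies (but every sample payload is < 256 bytes,
#                         so offset 6 never changes in this capture)
SAMPLE_HEADERS = [
    bytes.fromhex("01 00 01 01 00 0a 00 2c"),
    bytes.fromhex("01 02 01 02 00 0b 00 40"),
    bytes.fromhex("01 04 02 03 00 0a 00 10"),
    bytes.fromhex("01 00 03 04 00 0b 00 80"),
    bytes.fromhex("01 02 04 05 00 0a 00 33"),
    bytes.fromhex("01 04 05 06 00 0b 00 21"),
    bytes.fromhex("01 00 06 07 00 0a 00 5f"),
    bytes.fromhex("01 02 07 08 00 0b 00 09"),
]
# Ground truth per offset, marked the way the talk's evaluation marks each byte.
CONSTANT_TRUTH = [True, False, False, False, True, False, False, False]
ENUM_TRUTH = [False, True, False, False, False, True, False, False]


def value_counts(packets, offset):
    """Counter of the byte values seen at one offset across all packets."""
    return Counter(p[offset] for p in packets)


def entropy(counts):
    """Shannon entropy in bits; p_i is the fraction of packets carrying value i."""
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def classify(packets, enum_max=4):
    """Label every byte offset shared by all packets.

    constant: exactly one value ever seen at that offset.
    enum:     more than one value, but at most enum_max distinct ones
              (the threshold is an assumption of this example).
    """
    header_len = min(len(p) for p in packets)
    results = []
    for offset in range(header_len):
        counts = value_counts(packets, offset)
        distinct = len(counts)
        results.append({
            "offset": offset,
            "distinct": distinct,
            "constant": distinct == 1,
            "enum": 1 < distinct <= enum_max,
            "entropy": entropy(counts),
        })
    return results


def labels(results, key):
    """Pull one boolean column ('constant' or 'enum') out of classify()'s output."""
    return [r[key] for r in results]


def accuracy(predicted, truth):
    """(True Positives + True Negatives) / Total Header Length, as in the talk."""
    if len(predicted) != len(truth):
        raise ValueError("prediction and ground truth cover different header lengths")
    return sum(p == t for p, t in zip(predicted, truth)) / len(truth)


def main():
    results = classify(SAMPLE_HEADERS)
    for r in results:
        print("offset {offset}: {distinct} value(s), entropy {entropy:.2f} bits, "
              "constant={constant}, enum={enum}".format(**r))
    # Offset 6 is flagged constant although the spec says it varies: the
    # capture was too small, so this counts as a false positive (7/8 = 87.5%).
    print("Accuracy (Constants): {:.1%}".format(
        accuracy(labels(results, "constant"), CONSTANT_TRUTH)))
    print("Accuracy (Enums):     {:.1%}".format(
        accuracy(labels(results, "enum"), ENUM_TRUTH)))


if __name__ == "__main__":
    main()
```

Running the script reports the per-offset labels and then 87.5% for Constants and 100% for Enums on the constructed capture; the single miss is the high length byte, which is exactly the "collected data cannot reproduce the randomness of a real network" case.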
Protocol                    Accuracy (Constants)   Accuracy (Enums)
TCP                         100%                   95%
IPv4                        90%                    95%
Ethernet                    100%                   100%
IPv6                        97.5%                  92.5%
DNS / NetBIOS-NS / LLMNR    41.7%                  91.6%
ARP                         50.0%                  62.5%
ICMP                        100%                   100%
UDP                         100%                   100%
OSPF                        30%                    80%
IGMP version 3              50%                    62.5%
SCTP                        100%                   100%
SMB                         62.5%                  84.4%
Average accuracy            76.8%                  88.6%
LIMITATIONS
• Only useful for analysing a single protocol at a time
• Heuristics to detect higher level fields such as dependencies and sequence numbers are not yet implemented