NETWORK SECURITY AND ANALYSISWITH PYTHON

Lee Yang Peng

Dunman High School

Singapore

DEEP Packet InspectionSearching if anything in the packet is suspicious

ANALYTICS

Motivation: Helping Deep Packet Inspection

An initial experimental study

Then I conducted experiments on them to determine their effectiveness

HEURISTICS FOR ANALYTICS

Detecting Constant Fields and Enumeration fields to learn about protocol format

Constant: Bytes that do not change data in all packets in a single protocol.

For example: {‘x00’} appears all the time. Or {‘x00’, ‘x01’, ‘x02’} in sequence

Enums: Bytes at fixed positions that changes only slightly or has a limited number of values.

For example: At position 5, only contains values within {‘x00’, ‘x01’, ‘x02’}

Constant fields in protocol headers:

Maybe…

Paddings

Protocol Version

Reserved Fields

Where pi is the probability of each value

occurring

13 May 2015

Ethernet TCP UDP

IPv4 IPv6 ICMP

IGMP(v3) ARP SMB

NBNS LLMNR DNS

SCTP OSPF

Contagio:

http://contagiodump.blogspot.sg/

• Collected data unable to simulate randomness of a

real network

• False positives will be observed

• For consistency, will mark these as incorrect during

my evaluation

• Manual analysis of the protocol header was compared against ground

truth from protocol documentation

• Mark every byte in protocol header as {Constant, Not Constant}, and

{Enum, Not Enum}

• Accuracy = (True Positives + True Negatives) / Total Header Length

• Entered these data into a table

Protocol Accuracy (Constants) Accuracy (Enums)

TCP 100% 95%

IPv4 90% 95%

Ethernet 100% 100%

IPv6 97.5% 92.5%

DNS / NetBIOS-NS / LLMNR 41.7% 91.6%

ARP 50.0% 62.5%

ICMP 100% 100%

UDP 100% 100%

OSPF 30% 80%

IGMP Version 3 50% 62.5%

SCTP 100% 100%

SMB 62.5% 84.4%

Average Accuracy 76.8% 88.6%

LIMITATIONS

• Is only useful for analyzing a single protocol

• Heuristics to detect higher level fields such as dependencies and sequence numbers are not yet implemented