TCPtransform: Property-Oriented TCP Traffic Transformation

Document type: Conference Papers
Peer reviewed: Yes
Author(s): Seung-Sun Hong, Fiona Wong, Felix Wu, Bjorn Lilja, Tony Y. Jansson, Henric Johnson, Arne A. Nilsson
Title: TCPtransform: Property-Oriented TCP Traffic Transformation
Conference name: Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2005)
Year: 2005
Pagination: 222-40
ISBN: 3-540-26613-5
Publisher: Springer
City: Wien
Organization: Blekinge Institute of Technology
Department: School of Engineering - Dept. of Telecommunication Systems (Sektionen för teknik – avd. för telekommunikationssystem)
School of Engineering S- 372 25 Ronneby
+46 455 38 50 00
http://www.tek.bth.se/
Language: English
Abstract: A TCPdump file captures not only packets but also various "properties" related to the live TCP sessions on the Internet. It is still an open problem to identify all the possible properties, if ever possible, and more importantly, which properties really matter for the consumers of this particular TCPdump file and how they are related to each other. However, it is quite clear that existing traffic replay tools, for the purpose of system evaluation, such as TCPreplay destroyed at least some of critical properties such as "ghost acknowledgment" (while the origin packet has never been delivered), which is a critical issue in conducting experimental evaluations for intrusion detection systems. In this paper, we present a software tool to transform an existing TCPdump file into another traffic file with different "properties". For instance, if the original traffic is being captured in a laboratory environment, the new file might "appear" to be captured in between US and Sweden. The transformation we have done here is "heuristically consistent" as there might be some hidden properties still being destroyed in the transformation process. One interesting application of our tool is to build long-term profiles to detect anomalous TCP attacks without really running the target application over the Internet. While, in this paper, we only focus on property-oriented traffic transformation, we have built and evaluated an interactive version of this tool, called TCPopera, to evaluate commercial intrusion prevention systems.
Subject: Telecommunications\Network Security
Keywords: IDS evaluatoin, TCP Traffic dynamics, anomaly deteciton systems, realistic background traffic
Edit