Project proposal/idea: Categorize traffic by behavior
Jesper Dangaard Brouer
2007-11-24 22:52:16 UTC
Back in 2003/2004 when finding the topic for my master's thesis, I had a
secondary project idea. Perhaps it's about time to do something about the
idea, and hear if anyone else thinks it's a good idea?

The basic idea is to: "Categorize traffic by behavior"

The categorization should be based upon things like packet timing
characteristics and packet size, rather than standard port numbers.

The categories would be groups like Interactive, (RTP-)Stream, Bulk.

- Interactive; would have a high degree of packet inter-timing
variance and consist of mainly small packets.

- Stream; Real Time Protocols (RTP) (used by e.g. VoIP) can be
categorized based upon the very precise inter-packet gap (packets
are not sent back-to-back). Imagine that it might actually be
possible to "catch" Skype voice traffic.

- Bulk; could be categorized by large packets being back-to-back.

I propose this could be implemented with Netfilter target modules for
categorizing traffic, and using conntrack flows for saving the group/type,
that other rules can match upon.

What can it be used for?
------------------------
Security/NIDS: Detecting backdoors, by identifying interactive traffic on
non-standard ports.

QoS: Prioritize traffic based on type (e.g. interactive or RTP-streams)
without needing to write static iptables rules to match each new protocol's
port number. For some protocols, like Skype, it's not possible to do
categorizing based upon standard port numbers.

Is it possible?
---------------
I actually got the idea from two scientific papers by Vern Paxson and Yin
Zhang, where they actually detect interactive traffic by timing
characteristic on real-life data. They use it for detecting backdoors and
stepping stones.

http://www.icir.org/vern/papers/backdoor/

http://www.icir.org/vern/papers/stepping/

http://citeseer.ist.psu.edu/zhang00detecting.html

Cheers,
Jesper Brouer
http://www.adsl-optimizer.dk

--
-------------------------------------------------------------------
MSc. Master of Computer Science
Dept. of Computer Science, University of Copenhagen
Author of http://www.adsl-optimizer.dk
-------------------------------------------------------------------
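As an added illustration of the proposed heuristics (not code from the proposal or from Netfilter), the following userspace classifier groups a flow into Interactive, Stream or Bulk from per-packet timing and size alone, and flags interactive behavior on a port where it is not expected, as in the NIDS use case above. The thresholds and the sample flows are constructed assumptions for demonstration only.

```python
"""Behavior-based flow classifier (illustrative, thresholds are assumptions)."""
from statistics import mean, pstdev

# Assumed thresholds, chosen for illustration rather than measured.
SMALL_PKT = 200          # bytes: typical of keystroke/echo packets
LARGE_PKT = 1000         # bytes: near-MTU packets typical of bulk transfer
BACK_TO_BACK = 0.002     # seconds: gaps below this count as back-to-back
STREAM_CV_MAX = 0.15     # max coefficient of variation for a periodic stream
EXPECTED_INTERACTIVE_PORTS = {22, 23}   # where interactive traffic is normal


def gap_stats(timestamps):
    """Return (mean inter-packet gap, coefficient of variation of the gaps)."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    cv = pstdev(gaps) / m if m > 0 else 0.0
    return m, cv


def classify_flow(packets):
    """packets: list of (timestamp_seconds, size_bytes) for one flow."""
    if len(packets) < 3:
        return "unknown"            # too few packets for gap statistics
    ts = [t for t, _ in packets]
    sizes = [s for _, s in packets]
    mean_gap, cv = gap_stats(ts)
    small_frac = sum(s <= SMALL_PKT for s in sizes) / len(sizes)
    if mean(sizes) >= LARGE_PKT and mean_gap <= BACK_TO_BACK:
        return "bulk"               # large packets sent back-to-back
    if cv <= STREAM_CV_MAX and mean_gap > BACK_TO_BACK:
        return "stream"             # very regular spacing, e.g. RTP at 20 ms
    if small_frac >= 0.7 and cv > STREAM_CV_MAX:
        return "interactive"        # small packets, irregular human timing
    return "unknown"


def flag_unexpected_interactive(dst_port, packets):
    """True when a flow behaves interactively on a port where that is unusual."""
    return (classify_flow(packets) == "interactive"
            and dst_port not in EXPECTED_INTERACTIVE_PORTS)


# Constructed sample flows (timestamp in seconds, size in bytes).
INTERACTIVE_FLOW = [(0.0, 66), (0.31, 66), (0.35, 120), (1.20, 66),
                    (1.26, 90), (2.90, 66), (3.02, 66)]
STREAM_FLOW = [(i * 0.02, 172) for i in range(10)]      # 20 ms G.711-like cadence
BULK_FLOW = [(i * 0.0005, 1448) for i in range(10)]     # full segments, back-to-back

if __name__ == "__main__":
    for name, flow in (("interactive", INTERACTIVE_FLOW), ("stream", STREAM_FLOW),
                       ("bulk", BULK_FLOW)):
        print(name, "->", classify_flow(flow))
    print("backdoor suspect on 8080:", flag_unexpected_interactive(8080, INTERACTIVE_FLOW))
```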
Jan Engelhardt
2007-11-24 23:39:01 UTC
Jesper Dangaard Brouer wrote:
> Back in 2003/2004 when finding the topic for my master's thesis, I had a
> secondary project idea. Perhaps it's about time to do something about the idea,
> and hear if anyone else thinks it's a good idea?
> The basic idea is to: "Categorize traffic by behavior"
A behavior-analyzing project is http://jengelh.hopto.org/p/chaostables/ which
uses TCP initialization behavior observation to figure out netscans and a small
L7 length check to detect version banner grabs (think smtp, ssh).
Jesper Dangaard Brouer wrote:
> I propose this could be implemented with Netfilter target modules for
> categorizing traffic, and using conntrack flows for saving the group/type, that
> other rules can match upon.
As usual, "patches welcome" ;-)