
TCPtransform: Property-Oriented TCP Traffic Transformation

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2005)

Abstract

A TCPdump file captures not only packets but also various “properties” of the live TCP sessions on the Internet. It is still an open problem to identify all the possible properties, if that is ever possible, and, more importantly, to determine which properties really matter to the consumers of a particular TCPdump file and how they relate to each other. It is quite clear, however, that existing traffic replay tools used for system evaluation, such as TCPreplay, destroy at least some critical properties. One example is the “ghost acknowledgment”: an ACK that is replayed even though the packet it acknowledges was never delivered. This is a critical issue when conducting experimental evaluations of intrusion detection systems. In this paper, we present a software tool that transforms an existing TCPdump file into another traffic file with different “properties”. For instance, if the original traffic was captured in a laboratory environment, the new file might “appear” to have been captured between the US and Sweden. The transformation we perform is “heuristically consistent”, since some hidden properties may still be destroyed in the transformation process. One interesting application of our tool is building long-term profiles to detect anomalous TCP attacks without actually running the target application over the Internet. While this paper focuses only on property-oriented traffic transformation, we have also built and evaluated an interactive version of this tool, called TCPopera, to evaluate commercial intrusion prevention systems.
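The “ghost acknowledgment” problem the abstract describes, as an added example written for this page (not the authors' TCPtransform code): a consistency check over a constructed TCP trace, a naive packet drop that leaves ACKs for bytes that were never delivered, and a transformation that clamps later ACKs to the data actually on the wire. Sequence numbers are treated as byte offsets from an ISN of 0 and the handshake is omitted; both are simplifying assumptions.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    src: str      # "A" or "B", the two endpoints of one TCP session
    seq: int      # byte offset of the first payload byte (ISN taken as 0, an assumption)
    length: int   # payload bytes carried (0 for a pure ACK)
    ack: int      # acknowledgement number: next byte expected from the peer

def contiguous(segs: list) -> int:
    """Highest byte a receiver could cumulatively ACK given the (seq, end) segments seen."""
    cur, progressed = 0, True
    while progressed:          # only in-order bytes advance the ACK point; holes stop it
        progressed = False
        for s, e in segs:
            if s <= cur < e:
                cur, progressed = e, True
    return cur

def ghost_acks(trace: list) -> list:
    """Indices of packets whose ACK covers bytes the trace never delivered in order."""
    seen, ghosts = {"A": [], "B": []}, []
    for i, p in enumerate(trace):
        peer = "B" if p.src == "A" else "A"
        if p.ack > contiguous(seen[peer]):
            ghosts.append(i)
        if p.length:
            seen[p.src].append((p.seq, p.seq + p.length))
    return ghosts

def naive_drop(trace: list, idx: int) -> list:
    """A plain replay with loss: delete the packet, replay everything else verbatim."""
    return [p for i, p in enumerate(trace) if i != idx]

def consistent_drop(trace: list, idx: int) -> list:
    """Drop the packet and clamp every later ACK to the bytes actually delivered so far."""
    seen, out = {"A": [], "B": []}, []
    for i, p in enumerate(trace):
        if i == idx:
            continue
        peer = "B" if p.src == "A" else "A"
        q = Pkt(p.src, p.seq, p.length, min(p.ack, contiguous(seen[peer])))
        if q.length:
            seen[q.src].append((q.seq, q.seq + q.length))
        out.append(q)   # a clamped ACK turns into a duplicate ACK, as a real receiver would emit
    return out

# Constructed session: A sends three 100-byte segments, B acknowledges after the 2nd and 3rd.
TRACE = [Pkt("A", 0, 100, 0), Pkt("A", 100, 100, 0), Pkt("B", 0, 0, 200),
         Pkt("A", 200, 100, 0), Pkt("B", 0, 0, 300)]
```

Dropping the second data segment with `naive_drop` leaves both of B's ACKs pointing past the hole, which `ghost_acks` flags; `consistent_drop` rewrites them to 100, the duplicate ACKs a real receiver would send.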




Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Hong, SS. et al. (2005). TCPtransform: Property-Oriented TCP Traffic Transformation. In: Julisch, K., Kruegel, C. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2005. Lecture Notes in Computer Science, vol 3548. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11506881_14


  • DOI: https://doi.org/10.1007/11506881_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-26613-6

  • Online ISBN: 978-3-540-31645-9
