Abstract
A TCPdump file captures not only packets but also various “properties” of the live TCP sessions on the Internet. It is still an open problem to identify all the possible properties, if that is possible at all, and, more importantly, which properties really matter to the consumers of a particular TCPdump file and how they are related to each other. However, it is quite clear that existing traffic replay tools used for system evaluation, such as TCPreplay, destroy at least some critical properties, such as the “ghost acknowledgment” (an acknowledgment that is replayed although the packet it acknowledges was never delivered), which is a critical issue when conducting experimental evaluations of intrusion detection systems. In this paper, we present a software tool that transforms an existing TCPdump file into another traffic file with different “properties”. For instance, if the original traffic was captured in a laboratory environment, the new file might “appear” to have been captured between the US and Sweden. The transformation we perform here is “heuristically consistent”, as some hidden properties may still be destroyed in the transformation process. One interesting application of our tool is to build long-term profiles for detecting anomalous TCP attacks without actually running the target application over the Internet. While in this paper we focus only on property-oriented traffic transformation, we have also built and evaluated an interactive version of this tool, called TCPopera, to evaluate commercial intrusion prevention systems.
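As an added illustration (not code from the paper, TCPtransform or TCPopera), the following Python checks a decoded trace for the ghost-acknowledgment inconsistency described above: an ACK that covers sequence space no earlier segment in the opposite direction ever carried. The Segment type and the sample trace are constructed here; a real checker would decode segments from a pcap with libpcap.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Segment:  # constructed stand-in for one decoded TCP segment, in trace order
    src: str          # endpoint as "ip:port"
    dst: str
    seq: int          # sequence number of the first byte in this segment
    payload_len: int  # data bytes carried (0 for a pure ACK)
    ack: int          # acknowledgment number (next byte expected from dst)
    flags: str        # any of "S", "A", "P", "F"


def seq_end(seg: Segment) -> int:
    """Sequence number just past this segment; SYN and FIN each occupy one."""
    return seg.seq + seg.payload_len + int("S" in seg.flags) + int("F" in seg.flags)


def find_ghost_acks(segments: List[Segment]) -> List[Tuple[int, int]]:
    """Return (index, unseen_bytes) for each ACK whose ack number exceeds the highest
    sequence number any earlier opposite-direction segment reached. A faithful live
    capture has none (barring capture loss); a replay that dropped data but kept the
    peer's ACK does. Unseen directions are skipped; 32-bit wrap is not handled."""
    highest_end: Dict[Tuple[str, str], int] = {}   # (src, dst) -> max seq_end so far
    ghosts: List[Tuple[int, int]] = []
    for i, seg in enumerate(segments):
        rev = (seg.dst, seg.src)
        if "A" in seg.flags and rev in highest_end and seg.ack > highest_end[rev]:
            ghosts.append((i, seg.ack - highest_end[rev]))
        fwd = (seg.src, seg.dst)
        highest_end[fwd] = max(highest_end.get(fwd, 0), seq_end(seg))
    return ghosts


def sample_trace(drop_request: bool = True) -> List[Segment]:
    """Constructed handshake plus one request/reply. With drop_request=True the
    client's 100-byte request is missing but the server's ACK for it is kept."""
    c, s = "10.0.0.1:40000", "10.0.0.2:80"
    trace = [
        Segment(c, s, 1000, 0, 0, "S"),        # SYN, client ISN 1000
        Segment(s, c, 5000, 0, 1001, "SA"),    # SYN-ACK, server ISN 5000
        Segment(c, s, 1001, 0, 5001, "A"),     # handshake complete
        Segment(c, s, 1001, 100, 5001, "PA"),  # request, bytes 1001..1100
        Segment(s, c, 5001, 0, 1101, "A"),     # server ACKs the request
        Segment(s, c, 5001, 200, 1101, "PA"),  # reply, bytes 5001..5200
        Segment(c, s, 1101, 0, 5201, "A"),     # client ACKs the reply
    ]
    if drop_request:
        del trace[3]   # the two server segments now acknowledge data never seen
    return trace
```

With the request dropped, both server segments are reported as acknowledging 100 bytes that never appeared in the trace; with the request present, the trace is consistent and nothing is reported.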
© 2005 Springer-Verlag Berlin Heidelberg
Hong, SS. et al. (2005). TCPtransform: Property-Oriented TCP Traffic Transformation. In: Julisch, K., Kruegel, C. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2005. Lecture Notes in Computer Science, vol 3548. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11506881_14
DOI: https://doi.org/10.1007/11506881_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-26613-6
Online ISBN: 978-3-540-31645-9