Ruoming Pang (Joint work with Vern Paxson), Princeton University and ICSI Center for Internet Research
rpang@cs.princeton.edu
Abstract
Network intrusion detection research suffers from a dearth of publicly
available traces of real attacks buried within much larger volumes of real, non-attack traffic.
Such traces are invaluable for assessing the operational utility of new
detection methods, but traces of actual traffic are almost never made
available due to the problem of needing to remove sensitive data in the
trace while still preserving non-sensitive packet contents. We observe
that a key problem is that such trace transformation requires knowledge of the
semantics of each data element in the trace; for example, changing "root"
when it is a username, but not when it is a filename.
We have developed a "trace rewriter", based on Bro, an intrusion detection
system capable of analyzing the semantic structure of a tcpdump trace by
converting various protocols into structured data elements. With the
semantic structure of a trace exposed, we can then use a script written
in Bro's high-level scripting language to transform each data element in
a semantics-aware way according to desired policies. The trace rewriter
then maps the transformed data back into a new tcpdump trace file, keeping
the original packet structure whenever possible. Our experience with a few
network protocols suggests that it provides a convenient framework for
users to write concise yet powerful trace transformation scripts according
to their policies. Because the user scripts deal with structured data fields
instead of raw byte streams as input, they needn't worry about the syntax
of protocols. The framework also enables other kinds of trace transformations
in addition to anonymization. I will also discuss the issues that have
come up and the design decisions we made, particularly how we map transformed
data fields back into the trace, and offer preliminary thoughts on how to
verify the transformation.
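The "root as username vs. root as filename" distinction above, as an added Python illustration (not the Bro-based rewriter or any of the authors' code): each FTP control-channel command is parsed into a typed field, a per-type policy transforms the value, and the line is rebuilt. A byte-level substitution is shown beside it for contrast. The verb-to-field table, the policy rules and the sample command lines are all constructed here for the example.

```python
"""Semantics-aware rewriting of an FTP control stream (illustrative only).

Constructed example: parse each command into (verb, field type, value),
transform the value by field type, then rebuild the line.  The literal
"root" is rewritten when it is a username and preserved when it is a
file name, which a byte-level search-and-replace cannot distinguish.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed subset of FTP verbs mapped to the semantic type of their argument.
# Anything not listed is treated as opaque and passed through unchanged.
FIELD_TYPE = {
    "USER": "username",
    "PASS": "password",
    "CWD": "path",
    "RETR": "path",
    "STOR": "path",
    "DELE": "path",
}


@dataclass
class Policy:
    """Per-field-type transformation with a consistent username pseudonym map."""
    user_map: Dict[str, str] = field(default_factory=dict)

    def username(self, value: str) -> str:
        # Same real username -> same pseudonym throughout the trace.
        if value not in self.user_map:
            self.user_map[value] = f"user{len(self.user_map) + 1}"
        return self.user_map[value]

    def password(self, value: str) -> str:
        # Blank the secret but keep its length so the byte count is unchanged.
        return "x" * len(value)

    def path(self, value: str) -> str:
        # File names stay as they are; only a /home/<user> component is
        # pseudonymized, reusing the username map so the two fields agree.
        parts = value.split("/")
        if len(parts) > 2 and parts[1] == "home":
            parts[2] = self.username(parts[2])
        return "/".join(parts)


def parse_command(line: str) -> Tuple[str, str, str]:
    """Return (verb, field type, argument) for one CRLF-terminated command."""
    verb, _, arg = line.rstrip("\r\n").partition(" ")
    verb = verb.upper()
    return verb, FIELD_TYPE.get(verb, "opaque"), arg


def rewrite_command(line: str, policy: Policy) -> str:
    verb, ftype, arg = parse_command(line)
    if ftype == "opaque" or not arg:
        return line
    return f"{verb} {getattr(policy, ftype)(arg)}\r\n"


def rewrite_stream(lines: List[str], policy: Policy = None) -> List[str]:
    """Semantics-aware rewrite of a whole client command stream."""
    if policy is None:
        policy = Policy()
    return [rewrite_command(line, policy) for line in lines]


def naive_rewrite(lines: List[str], secret: str, replacement: str) -> List[str]:
    """Byte-level substitution: what a protocol-unaware tool would do."""
    return [line.replace(secret, replacement) for line in lines]


def length_deltas(original: List[str], rewritten: List[str]) -> List[int]:
    """Per-line change in byte length; non-zero entries mean the rewriter
    must also fix up TCP sequence/acknowledgement numbers when mapping the
    transformed data back into the packet trace."""
    return [len(n) - len(o) for o, n in zip(original, rewritten)]


# Constructed FTP client commands, not a real capture.
SAMPLE = [
    "USER alice\r\n",
    "PASS hunter2\r\n",
    "CWD /home/alice\r\n",
    "RETR root\r\n",
    "USER root\r\n",
    "QUIT\r\n",
]

if __name__ == "__main__":
    out = rewrite_stream(SAMPLE)
    for orig, new in zip(SAMPLE, out):
        print(repr(orig), "->", repr(new))
    print("naive:", naive_rewrite(SAMPLE, "root", "user2")[3].strip())
    print("byte deltas:", length_deltas(SAMPLE, out))
```

In the semantic rewrite the file name in `RETR root` survives while both `USER root` lines become the same pseudonym; the naive substitution corrupts the file name. The non-zero delta on the `USER root` line shows why mapping fields back into the trace is not a simple splice: a pseudonym of a different length changes the TCP byte stream, which is exactly the mapping problem the abstract raises.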