Project proposal/idea: Categorize traffic by behavior


Back in 2003/2004, when finding the topic for my master's thesis, I had a secondary project idea. Perhaps it's about time to do something about the idea, and hear if anyone else thinks it's a good idea?

 The basic idea is to: "Categorize traffic by behavior"

The categorization should be based upon things like packet timing characteristics and packet size, rather than standard port numbers.

The categories would be groups like Interactive, (RTP-)Stream, Bulk.

- Interactive; would have a high degree of packet inter-timing
  variants and consist of mainly small packets.

- Stream; Real Time Protocols (RTP) (used by e.g. VoIP) can be
  categorized based upon the very precise inter-packet gap (packets
  are not sent back-to-back).  Imagine that it might actually be
  possible to "catch" Skype voice traffic.

- Bulk; could be categorized by large packets being back-to-back.

I propose this could be implemented with Netfilter target modules for categorizing traffic, and using conntrack flows for saving the group/type, that other rules can match upon.
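As an added illustration of the heuristic (not code from this proposal or from Netfilter), here is a userspace Python sketch that computes the mean packet size and the coefficient of variation of the inter-packet gap for one direction of a flow, sorts the flow into Interactive, Stream or Bulk, and flags interactive behaviour on ports where it is not expected. The thresholds, the expected-port set and the sample traces are constructed assumptions, not measured values.

```python
# Added example for this thread (not the proposal's or Netfilter's code): a userspace
# sketch of the proposed heuristic. Thresholds and sample traces are constructed.
from statistics import mean, pstdev

INTERACTIVE_PORTS = {22, 23}   # ports where interactive traffic is expected (assumption)

def flow_features(packets):
    """packets: [(timestamp_s, payload_bytes), ...] in one direction of a flow."""
    sizes = [size for _, size in packets]
    gaps = [b[0] - a[0] for a, b in zip(packets, packets[1:])]
    avg_gap = mean(gaps)
    # Coefficient of variation of the inter-packet gap: near 0 means a clocked
    # source (RTP), large means human-driven timing (keystrokes).
    cv_gap = pstdev(gaps) / avg_gap if avg_gap > 0 else 0.0
    return mean(sizes), avg_gap, cv_gap

def classify_flow(packets):
    if len(packets) < 4:
        return "Unknown"
    avg_size, avg_gap, cv_gap = flow_features(packets)
    if avg_size >= 1000 and avg_gap < 0.002:
        return "Bulk"         # large packets sent back-to-back
    if avg_size < 300 and cv_gap < 0.15:
        return "Stream"       # small packets on a very precise inter-packet gap
    if avg_size < 200 and cv_gap > 0.8:
        return "Interactive"  # small packets, highly variable timing
    return "Unknown"

def trace(start, gaps, sizes):
    """Build a constructed packet trace from a list of gaps and sizes."""
    ts, out = start, []
    for gap, size in zip([0.0] + list(gaps), sizes):
        ts += gap
        out.append((ts, size))
    return out

# Constructed sample flows keyed by destination port.
FLOWS = {
    22:    trace(0.0, [0.21, 0.05, 1.30, 0.40, 0.12, 2.10, 0.08], [52, 64, 52, 80, 52, 60, 52, 52]),
    5004:  trace(0.0, [0.020, 0.021, 0.019, 0.020, 0.020, 0.021, 0.019, 0.020], [172] * 9),
    80:    trace(0.0, [0.0001] * 9, [1448] * 10),
    31337: trace(0.0, [0.30, 0.07, 0.90, 0.15, 1.80, 0.05, 0.40], [52, 52, 68, 52, 52, 52, 76, 52]),
}

def suspicious_interactive(flows, expected_ports=INTERACTIVE_PORTS):
    """NIDS use: interactive behaviour on a port where it is not expected."""
    return sorted(port for port, pkts in flows.items()
                  if classify_flow(pkts) == "Interactive" and port not in expected_ports)
```

In a Netfilter implementation the same per-flow statistics would be kept in the conntrack entry and the resulting category written to a mark that later rules match on.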

What can it be used for?
------------------------
Security/NIDS: Detecting backdoors, by identifying interactive on non-standard ports.

QoS: Prioritize traffic based on type (e.g. interactive or RTP streams) without needing to write static iptables rules to match each new protocol's port number. For some protocols, like Skype, it is not possible to categorize based upon standard port numbers at all.

Is it possible?
---------------
I actually got the idea from two scientific papers by Vern Paxson and Yin Zhang, where they actually detect interactive traffic by timing characteristics on real-life data. They use it for detecting backdoors and stepping stones.

 http://www.icir.org/vern/papers/backdoor/

 http://www.icir.org/vern/papers/stepping/

 http://citeseer.ist.psu.edu/zhang00detecting.html

Cheers,
  Jesper Brouer
  http://www.adsl-optimizer.dk

--
-------------------------------------------------------------------
MSc. Master of Computer Science
Dept. of Computer Science, University of Copenhagen
Author of http://www.adsl-optimizer.dk
-------------------------------------------------------------------
