Research
How do we tell whether one network defense mechanism, such as an IDS or a firewall, is better than another?
We need realistic background traffic derived from actual traces in order to avoid the pitfalls of purely synthetic traffic and the other unrealistic assumptions made in previous efforts. When Internet traces are used, however, there is a tradeoff between realism and protecting users' privacy. Using traces to test attack detection, rather than for other purposes, means that certain properties of the trace must be preserved for it to remain useful.
Payloads must be included. IP address anonymization should be prefix-preserving. Because our aim is to preserve only those properties of the trace that matter for detection by an IDS, we can go further in transforming a trace: shuffling the order of packet streams between different hosts, and altering inter-packet timing, payload size, packet size, packet counts and connection duration. Such changes could disturb properties that need to remain the same, but if they are kept within certain bounds the balance between anonymization and preservation of trace properties can be maintained.
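Prefix-preserving IP anonymization, as called for above, shown as an added example that is not part of this page or of the anonymization tool it links to: a Crypto-PAn style scheme in which the decision to flip each address bit is a keyed function of the bits before it, so two addresses sharing a k-bit prefix map to two addresses sharing exactly a k-bit prefix. HMAC-SHA256 stands in for Crypto-PAn's block cipher, and the key and sample addresses are constructed for the demonstration.

```python
"""Prefix-preserving IPv4 anonymization with a keyed PRF (Crypto-PAn style).

Subnet structure survives (useful for IDS rules that key on address ranges),
while the real addresses do not.  HMAC-SHA256 is used as the PRF here; this
is an assumption of the example, not the scheme's original block cipher."""
import hashlib
import hmac
import ipaddress


def _prf_bit(key: bytes, prefix_len: int, prefix: int) -> int:
    # One pseudo-random bit that depends only on the key and the prefix_len
    # bits already seen, so equal prefixes always get the same flip decision.
    msg = bytes([prefix_len]) + prefix.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[0] & 1


def anonymize_ipv4(addr: str, key: bytes) -> str:
    bits = int(ipaddress.IPv4Address(addr))
    out = 0
    for i in range(32):
        prefix = bits >> (32 - i)           # the i most significant bits
        orig_bit = (bits >> (31 - i)) & 1   # the next bit to anonymize
        out = (out << 1) | (orig_bit ^ _prf_bit(key, i, prefix))
    return str(ipaddress.IPv4Address(out))


def common_prefix_len(a: str, b: str) -> int:
    # Number of leading bits two addresses agree on (32 if identical).
    x = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - x.bit_length()


def prefix_structure_preserved(addrs, key: bytes) -> bool:
    # Check the property pairwise over a set of real addresses.
    anon = {a: anonymize_ipv4(a, key) for a in addrs}
    return all(common_prefix_len(a, b) == common_prefix_len(anon[a], anon[b])
               for a in addrs for b in addrs)


if __name__ == "__main__":
    KEY = b"constructed-demo-key-do-not-reuse"        # constructed
    SAMPLE = ["10.0.1.5", "10.0.1.77", "10.0.2.5", "192.168.3.9"]  # constructed
    for a in SAMPLE:
        print(f"{a:>12} -> {anonymize_ipv4(a, KEY)}")
    print("prefix structure preserved:", prefix_structure_preserved(SAMPLE, KEY))
```

Because the mapping is keyed and deterministic, the same real address anonymizes identically across a whole trace, so per-host behaviour stays attributable to one pseudonymous host.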
Traffic Analysis: Protocols, Attacks, Design Issues and Open Problems
Firewall papers
A High-level Programming Environment for Packet Trace Anonymization and Transformation
My Final Report
2nd draft
1st draft
Notes
General taxonomy of attacks
Packet fields in IDS Rules & Taxonomy of DoS/DDoS attacks
Mapping vs removing fields
Goals for investigating packet sanitization
Information leakage from packet headers (table form)
Information leakage from packet headers (paper form)
Fields that IDS rules examine / Taxonomy of DoS & DDoS attacks
List of possible trace transformations
Useful Links
Port numbers
More port numbers
Prof. Carla Brodley's Security Reading Group Summer 2003:
June 30 and July 3
July 7
July 24