TCPtransform: Property-Oriented TCP Traffic Transformation
2005 (English) Conference paper, Published paper (Refereed), Published
Abstract [en]

A TCPdump file captures not only packets but also various "properties" related to the live TCP sessions on the Internet. It is still an open problem to identify all the possible properties, if ever possible, and more importantly, which properties really matter for the consumers of this particular TCPdump file and how they are related to each other. However, it is quite clear that existing traffic replay tools, for the purpose of system evaluation, such as TCPreplay destroyed at least some of the critical properties such as "ghost acknowledgment" (while the origin packet has never been delivered), which is a critical issue in conducting experimental evaluations for intrusion detection systems. In this paper, we present a software tool to transform an existing TCPdump file into another traffic file with different "properties". For instance, if the original traffic is being captured in a laboratory environment, the new file might "appear" to be captured between the US and Sweden. The transformation we have done here is "heuristically consistent" as there might be some hidden properties still being destroyed in the transformation process. One interesting application of our tool is to build long-term profiles to detect anomalous TCP attacks without really running the target application over the Internet. While, in this paper, we only focus on property-oriented traffic transformation, we have built and evaluated an interactive version of this tool, called TCPopera, to evaluate commercial intrusion prevention systems.

Place, publisher, year, edition, pages
Wien: Springer, 2005.
Keywords [en]
IDS evaluation, TCP Traffic dynamics, anomaly detection systems, realistic background traffic
National Category
Telecommunications
Identifiers
URN: urn:nbn:se:bth-9916
Local ID: oai:bth.se:forskinfo6FE176CDFBF79E6BC1256FD30042405A
ISBN: 3-540-26613-5 (print)
OAI: oai:DiVA.org:bth-9916
DiVA, id: diva2:837900
Conference
Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2005)
Available from: 2012-09-18. Created: 2005-03-29. Last updated: 2015-06-30. Bibliographically approved

Open Access in DiVA

No full text in DiVA

Authority records

Wu, Felix; Johnson, Henric
