The TCP reassembler reconstructs TCP streams accurately despite packet
retransmissions or out-of-order delivery. The reassembler operates on a database
of packets (as opposed to a raw log) and preserves the mapping between a
stream's content and its constituent packets.
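As an added example (not the paper's reassembler), the following Python sketch shows the two properties just described: segments that arrive out of order or retransmitted are placed by sequence number, and every reconstructed byte keeps a pointer back to the packet that delivered it, as the packet-database design requires. Segment layout, packet ids and the sample capture are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Segment:
    pkt_id: int      # row id in the packet database (constructed values below)
    seq: int         # absolute TCP sequence number of the payload's first byte
    payload: bytes

@dataclass
class Stream:
    isn: int                                    # sequence number of stream byte 0
    data: bytearray = field(default_factory=bytearray)
    origin: list = field(default_factory=list)  # origin[i] = pkt_id that delivered data[i]

def reassemble(segments):
    """Rebuild one direction of a TCP stream from segments in arrival order.
    Out-of-order segments are placed by sequence number; for retransmitted or
    overlapping bytes the first delivery wins, so the content-to-packet
    mapping stays stable. Undelivered bytes stay zero with origin None."""
    if not segments:
        return Stream(isn=0)
    stream = Stream(isn=min(s.seq for s in segments))
    for seg in segments:
        start = seg.seq - stream.isn
        end = start + len(seg.payload)
        if end > len(stream.data):                 # grow, leaving holes unfilled
            pad = end - len(stream.data)
            stream.data.extend(b"\x00" * pad)
            stream.origin.extend([None] * pad)
        for i, byte in enumerate(seg.payload):
            if stream.origin[start + i] is None:
                stream.data[start + i] = byte
                stream.origin[start + i] = seg.pkt_id
    return stream

def packets_for(stream, start, end):
    """Packets that carried stream bytes [start, end), e.g. one parsed HTTP message."""
    return sorted({p for p in stream.origin[start:end] if p is not None})

# Constructed sample: arrives out of order and includes one retransmission (pkt 4)
SAMPLE = [
    Segment(1, 1000, b"GET /index.html "),
    Segment(3, 1024, b"\r\nHost: example.test\r\n\r\n"),  # arrives before seq 1016
    Segment(2, 1016, b"HTTP/1.1"),
    Segment(4, 1016, b"HTTP/1.1"),                        # retransmission of pkt 2
]
```

Running `reassemble(SAMPLE)` yields the request line and headers in order, and `packets_for` maps any byte range of the stream back to the packets that supplied it.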
The HTTP Parser extracts information from the HTTP transactions in
reassembled TCP stream files. It parses individual HTTP headers as well as the
web resources contained in the bodies of HTTP responses. For example, the
parser can rebuild sounds, images, and documents from the HTTP stream. It
can also inflate or unzip HTML web pages that have been compressed by web
servers. This is necessary for extracting the valuable hyperlinks that allow the
Link Chaining Attack to chain TCP connections together into user sessions. The
parser very much emulates the parsing functionality of a web browser.
Data preparation constituted a significant effort before the Link Chaining
Attack could be applied.
3.1 Experimental Inputs and Procedure
The experiment was performed for five sets of Port 80 traffic data. Each set was
collected in the same hour on different week days. In raw TCPdump [9] format,
the data sets were roughly 550Mb each. They each contained about 30 minutes
of traffic generated by approximately 500 active hosts. Each set contained about
750,000 packets, 25,000 TCP connections, and 100,000 HTTP messages.
3.2 Two Versions of Fragment Isolation
Fragment isolation was performed in two ways for each data set. In the first,
fragments were isolated from all possible adjacencies. In the second, fragments
were isolated only from those adjacencies marked as likely by the heuristic. The
two tests were labelled A and B respectively.
Fragment Isolation Tests
A - All possible adjacencies
B - Adjacencies marked as likely by the heuristic
Both tests are versions of the Link Chaining Attack. Test A should be
considered a naive implementation. It was conducted to establish a baseline for the
performance of the heuristic in test B.
4 Link Chaining Evaluation Metrics
For session fragments to be useful to a human analyst, they must be as large and
accurate as possible. The evaluation of the Link Chaining Attack is based on a
series of metrics that measure how the test fragments compare to actual whole
user sessions. Actual user sessions are complete sets of same-host connections,
organized by IP address. The IP address of every TCP connection is recorded in
the experiment so that actual user sessions can be isolated and easily compared
with fragments.