The measures for fragment quality are based on the degree to which actual
sessions are reconstructed by fragments. These measures consider the number of
TCP connection elements in the intersection of a fragment and an actual session.
They are described in the following sections.
4.1 Coverage
Coverage is the degree of overlap between the connection elements in fragments
and actual sessions. Coverage measures the size of the fragment in relation to the
size of the actual session. For a given fragment f and actual session s, coverage
C is given by:

$$C = \frac{|f \cap s|}{|s|} \qquad \text{(Coverage)} \qquad (1)$$
4.2 Accuracy
Accuracy is the fraction of fragment elements that have been correctly assigned,
that is, the fraction of the fragment's connection elements that actually belong to
the session it is compared with. It is calculated as follows:

$$A = \frac{|f \cap s|}{|f|} \qquad \text{(Accuracy)} \qquad (2)$$
Ideally, the Link Chaining attack would reproduce entire user sessions. That
is, it would produce fragments of unit coverage and accuracy. This is highly
unlikely. Instead, the goal is to consistently isolate non-trivial session fragments
of high accuracy. Regardless of their size, non-trivial fragments decrease the
session assembly time for an analyst as long as they are accurate.
4.3 Matching Fragments to Actual Sessions
There are always more session fragments than actual user sessions. Before applying
any metrics, each fragment must be matched to the user session of which it is a
part. The best matching user session is the one that shares the largest number of
connection elements with the fragment. For a given fragment f and the set of all
user sessions S, the matching session m is given by:

$$m \in S \;\text{ such that }\; |f \cap m| = \max_{s \in S} |f \cap s| \qquad \text{(Matching Session)} \qquad (3)$$
4.4 Ambiguous Fragments
Some fragments will match multiple sessions. Such fragments are inaccurately
chained and contain equal numbers of connections from two or more sessions.
For example, the following fragment f matches sessions s 1 and s 2 equally:
f = {1, 2, 3, 4}
s1 = {1, 2, 5, 9, 13}
s2 = {0, 3, 4, 12, 26, 52}
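The four pieces of Sections 4.1 to 4.4 form one evaluation procedure: match each fragment to the session it overlaps most (Eq. 3), flag fragments whose best overlap is shared by two or more sessions as ambiguous, and compute coverage (Eq. 1) and accuracy (Eq. 2) against the single matched session. The following Python is an added worked example of that procedure, not code from the paper; connections are represented by integer identifiers, sessions and fragments by sets of identifiers, and the sample data (the paper's ambiguous fragment plus two further fragments) is constructed for illustration. It also handles the edge case the text does not discuss, a fragment sharing no connections with any session.

```python
"""Fragment-quality metrics for Link Chaining output (added example, not the paper's code).

Sessions and fragments are sets of connection identifiers. Coverage, accuracy and
session matching follow Eqs. (1)-(3); a fragment whose maximum overlap is attained by
more than one session is reported as ambiguous (Sec. 4.4) and gets no score.
"""
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, FrozenSet, List, Optional

Session = FrozenSet[int]


def coverage(fragment: Session, session: Session) -> Fraction:
    """Eq. (1): |f n s| / |s|, the share of the session that the fragment recovers."""
    return Fraction(len(fragment & session), len(session))


def accuracy(fragment: Session, session: Session) -> Fraction:
    """Eq. (2): |f n s| / |f|, the share of fragment elements that belong to s."""
    return Fraction(len(fragment & session), len(fragment))


def best_matches(fragment: Session, sessions: Dict[str, Session]) -> List[str]:
    """Eq. (3): names of the sessions sharing the largest number of connections with f.

    One name is the matching session m. Several names mean the fragment is ambiguous.
    An empty list means the fragment shares nothing with any session (not covered by
    the paper's definitions; treated here as unmatched rather than scored).
    """
    overlap = {name: len(fragment & s) for name, s in sessions.items()}
    top = max(overlap.values(), default=0)
    if top == 0:
        return []
    return [name for name, n in overlap.items() if n == top]


@dataclass
class FragmentScore:
    fragment: Session
    matched: Optional[str]        # session name, or None when ambiguous/unmatched
    candidates: List[str]         # every session attaining the maximum overlap
    coverage: Optional[Fraction]  # Eq. (1) against the matched session
    accuracy: Optional[Fraction]  # Eq. (2) against the matched session

    @property
    def ambiguous(self) -> bool:
        return len(self.candidates) > 1


def score_fragment(fragment: Session, sessions: Dict[str, Session]) -> FragmentScore:
    """Match one fragment (Sec. 4.3) and score it, or mark it ambiguous/unmatched."""
    cands = best_matches(fragment, sessions)
    if len(cands) != 1:
        return FragmentScore(fragment, None, cands, None, None)
    m = sessions[cands[0]]
    return FragmentScore(fragment, cands[0], cands, coverage(fragment, m), accuracy(fragment, m))


def score_all(fragments: List[Session], sessions: Dict[str, Session]) -> List[FragmentScore]:
    return [score_fragment(f, sessions) for f in fragments]


# Constructed sample data (assumed for illustration): the paper's ambiguous fragment
# plus one mostly-correct fragment and one fully correct but partial fragment.
SESSIONS: Dict[str, Session] = {
    "s1": frozenset({1, 2, 5, 9, 13}),
    "s2": frozenset({0, 3, 4, 12, 26, 52}),
}
FRAGMENTS: List[Session] = [
    frozenset({1, 2, 3, 4}),   # two connections from s1, two from s2 -> ambiguous
    frozenset({1, 2, 5, 7}),   # three of four from s1; connection 7 is mis-chained
    frozenset({12, 26, 52}),   # entirely from s2, but only half of it
]

if __name__ == "__main__":
    for r in score_all(FRAGMENTS, SESSIONS):
        status = "ambiguous" if r.ambiguous else (r.matched or "unmatched")
        print(f"{sorted(r.fragment)} -> {status}  coverage={r.coverage}  accuracy={r.accuracy}")
```

Fractions are used rather than floats so that coverage 3/5 and accuracy 3/4 are reported exactly; a fragment of unit coverage and accuracy is the ideal case the text describes, and a high-accuracy fragment with low coverage is the useful, realistic one.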
To evaluate these fragments effectively, they must be assigned to, and compared
with, a single whole session. There is no way to do this meaningfully. Such an