1.
NETWORK SECURITY AND ANALYSIS
WITH PYTHON
Lee Yang Peng
Dunman High School
Singapore

2.
DEEP Packet Inspection
Searching if anything in the packet is suspicious

3.
ANALYTICS
Motivation: Helping Deep Packet Inspection
An initial experimental study
Then I conducted experiments on them to determine their effectiveness

4.
HEURISTICS FOR ANALYTICS
Detecting Constant Fields and Enumeration fields to learn about protocol format
Constant: Bytes that do not change data in all packets in a single protocol.
 For example: {‘x00’} appears all the time. Or {‘x00’, ‘x01’, ‘x02’} in sequence
Enums: Bytes at fixed positions that changes only slightly or has a limited number of
values.
 For example: At position 5, only contains values within {‘x00’, ‘x01’, ‘x02’}

5.
Constant fields in protocol headers:
Maybe…
Paddings
Protocol Version
Reserved Fields

6.
Where pi is the probability of each value
occurring

7.
13 May 2015

8.
Ethernet TCP UDP
IPv4 IPv6 ICMP
IGMP(v3) ARP SMB
NBNS LLMNR DNS
SCTP OSPF

9.
Contagio:
http://contagiodump.blogspot.sg/

10.
• Collected data unable to simulate randomness of a
real network
• False positives will be observed
• For consistency, will mark these as incorrect during
my evaluation

11.
• Manual analysis of the protocol header was compared against ground
truth from protocol documentation
• Mark every byte in protocol header as {Constant, Not Constant}, and
{Enum, Not Enum}
• Accuracy = (True Positives + True Negatives) / Total Header Length
• Entered these data into a table

12.
Protocol Accuracy (Constants) Accuracy (Enums)
TCP 100% 95%
IPv4 90% 95%
Ethernet 100% 100%
IPv6 97.5% 92.5%
DNS / NetBIOS-NS / LLMNR 41.7% 91.6%
ARP 50.0% 62.5%
ICMP 100% 100%
UDP 100% 100%
OSPF 30% 80%
IGMP Version 3 50% 62.5%
SCTP 100% 100%
SMB 62.5% 84.4%
Average Accuracy 76.8% 88.6%

13.
LIMITATIONS
• Is only useful for analyzing a single protocol
• Heuristics to detect higher level fields such as dependencies and
sequence numbers are not yet implemented