
Network Security and Analysis with Python


Using Python, the author has developed a program that learns about protocol formats, with the main goal of being useful for Deep Packet Inspection. Deep Packet Inspection is a process used mainly in network security to ensure the integrity of data sent across the network. It is used to pre-empt and prevent malicious data from being transmitted over a network in order to ensure the security of the organization.

http://tw.pycon.org/2015apac/en/lightning_en



  1. NETWORK SECURITY AND ANALYSIS WITH PYTHON. Lee Yang Peng, Dunman High School, Singapore
  2. DEEP PACKET INSPECTION. Searching whether anything in the packet is suspicious
  3. ANALYTICS. Motivation: helping Deep Packet Inspection. An initial experimental study; I then conducted experiments on the heuristics to determine their effectiveness
  4. HEURISTICS FOR ANALYTICS. Detecting constant fields and enumeration fields to learn about the protocol format.
     Constant: bytes whose value does not change across all packets of a single protocol. For example: {'x00'} appears all the time, or {'x00', 'x01', 'x02'} in sequence.
     Enums: bytes at fixed positions that change only slightly or have a limited number of values. For example: position 5 only contains values within {'x00', 'x01', 'x02'}
  5. Constant fields in protocol headers: maybe paddings, protocol version, reserved fields
  6. Where p_i is the probability of each value occurring
  7. 13 May 2015
  8. Ethernet, TCP, UDP, IPv4, IPv6, ICMP, IGMP(v3), ARP, SMB, NBNS, LLMNR, DNS, SCTP, OSPF
  9. Contagio: http://contagiodump.blogspot.sg/
  10. • Collected data is unable to simulate the randomness of a real network
      • False positives will be observed
      • For consistency, these will be marked as incorrect during my evaluation
  11. • Manual analysis of the protocol header was compared against ground truth from the protocol documentation
      • Mark every byte in the protocol header as {Constant, Not Constant} and {Enum, Not Enum}
      • Accuracy = (True Positives + True Negatives) / Total Header Length
      • Entered these data into a table
  12. Protocol                   Accuracy (Constants)   Accuracy (Enums)
      TCP                        100%                   95%
      IPv4                       90%                    95%
      Ethernet                   100%                   100%
      IPv6                       97.5%                  92.5%
      DNS / NetBIOS-NS / LLMNR   41.7%                  91.6%
      ARP                        50.0%                  62.5%
      ICMP                       100%                   100%
      UDP                        100%                   100%
      OSPF                       30%                    80%
      IGMP Version 3             50%                    62.5%
      SCTP                       100%                   100%
      SMB                        62.5%                  84.4%
      Average Accuracy           76.8%                  88.6%
  13. LIMITATIONS
      • Is only useful for analyzing a single protocol
      • Heuristics to detect higher-level fields such as dependencies and sequence numbers are not yet implemented
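The slides describe the two heuristics (slide 4), the per-value probabilities p_i behind them (slide 6) and the evaluation method (slide 11) but do not show the program itself. The following is an added example, not the author's code: it applies the constant/enum heuristics per byte position to a constructed sample of packets of a made-up 8-byte header, computes the Shannon entropy from the p_i, and scores the result against a hand-written ground truth with the slide's Accuracy = (TP + TN) / header length formula. The header layout, the `max_enum_values` threshold and the function names are all assumptions made for the example.

```python
import math
from collections import Counter

HEADER_LEN = 8

# Ground truth for the constructed header, one label per byte position
# (what a human would mark after reading the "documentation" of this toy format).
GROUND_TRUTH = ["constant", "enum", "variable", "variable",
                "constant", "constant", "variable", "variable"]


def make_packets(n=40):
    """Constructed sample: n packets of a made-up 8-byte header (not a real protocol).
       byte 0    : version, always 0x04                    -> constant
       byte 1    : message type, cycles through {0, 1, 2}  -> enum
       bytes 2-3 : 16-bit big-endian sequence number       -> variable
       bytes 4-5 : reserved, always 0x00 0x00              -> constant
       bytes 6-7 : 16-bit big-endian payload length        -> variable
    """
    packets = []
    for seq in range(n):
        msg_type = seq % 3
        length = 20 + 37 * seq            # deterministic, stays well below 0xFFFF
        packets.append(bytes([0x04, msg_type])
                       + seq.to_bytes(2, "big")
                       + b"\x00\x00"
                       + length.to_bytes(2, "big"))
    return packets


def value_counts(packets, header_len=HEADER_LEN):
    """For each byte position, a Counter of the values seen there across all packets."""
    return [Counter(pkt[pos] for pkt in packets) for pos in range(header_len)]


def entropy_bits(counter):
    """Shannon entropy H = -sum(p_i * log2 p_i), p_i = probability of each value."""
    total = sum(counter.values())
    return -sum((c / total) * math.log2(c / total) for c in counter.values())


def classify(packets, header_len=HEADER_LEN, max_enum_values=4):
    """Apply the two heuristics per byte position: a single value seen -> 'constant';
    a small fixed set of values (<= max_enum_values) -> 'enum'; otherwise 'variable'."""
    labels = []
    for counter in value_counts(packets, header_len):
        if len(counter) == 1:
            labels.append("constant")
        elif len(counter) <= max_enum_values:
            labels.append("enum")
        else:
            labels.append("variable")
    return labels


def accuracy(predicted, truth, label):
    """(True Positives + True Negatives) / header length for one label,
    treating each byte as a binary {label, not label} decision as on slide 11."""
    hits = sum((p == label) == (t == label) for p, t in zip(predicted, truth))
    return hits / len(truth)


if __name__ == "__main__":
    pkts = make_packets()
    labels = classify(pkts)
    for pos, (counter, label, truth) in enumerate(zip(value_counts(pkts), labels, GROUND_TRUTH)):
        flag = "" if label == truth else "   <- counted as incorrect"
        print(f"byte {pos}: {len(counter):2d} distinct, H={entropy_bits(counter):.2f} bits, "
              f"predicted={label:8s} truth={truth}{flag}")
    for label in ("constant", "enum"):
        print(f"accuracy ({label}s): {accuracy(labels, GROUND_TRUTH, label):.1%}")
```

Running it shows the false-positive effect from slide 10 on a small scale: only 40 packets are captured, so the high byte of the sequence number is always 0x00 and the heuristic marks it constant although the ground truth says it varies; following the slide's rule it is counted as incorrect, giving 87.5% for constants and 100% for enums on this sample.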
