[LARTC] Project proposal/idea: Categorize traffic by behavior

Jesper Dangaard Brouer hawk at diku.dk
Sat Nov 24 23:52:16 CET 2007


Back in 2003/2004 when finding the topic for my master's thesis, I had a 
secondary project idea; perhaps it's about time to do something about the 
idea, and hear if anyone else thinks it's a good idea?

  The basic idea is to: "Categorize traffic by behavior"

The categorization should be based upon things like packet timing 
characteristics and packet size, rather than standard port numbers.

The categories would be groups like Interactive, (RTP-)Stream, Bulk.

- Interactive; would have a high degree of packet inter-timing
   variance and consist of mainly small packets.

- Stream; Real Time Protocols (RTP) (used by e.g. VoIP) can be
   categorized based upon the very precise inter-packet gap (packets
   are not sent back-to-back).  Imagine that it might actually be
   possible to "catch" Skype voice traffic.

- Bulk; could be categorized by large packets being back-to-back.

I propose this could be implemented with Netfilter target modules for 
categorizing traffic, and using conntrack flows for saving the group/type, 
so that other rules can match upon it.
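A user-space sketch of the three heuristics above, added here as an illustration and not code from this post or from Netfilter; the thresholds, the constructed sample flows and the function names are assumptions, and the last function mirrors the "interactive on a non-standard port" backdoor check in a defender's detection rule.

```python
"""Model of the behaviour-based flow categorization (constructed example)."""
from statistics import mean, pstdev

# Thresholds are assumptions chosen for this illustration, not from the post.
SMALL_PKT = 200        # bytes: "mainly small packets" (Interactive)
LARGE_PKT = 1000       # bytes: "large packets" (Bulk)
STEADY_CV = 0.10       # gap coefficient of variation below this = "very precise gap"
BURSTY_CV = 0.50       # gap CV above this = high inter-timing variance
BACK_TO_BACK = 0.002   # seconds: gaps this short mean packets sent back-to-back
EXPECTED_INTERACTIVE_PORTS = {22, 23}   # where interactive traffic is normal

def flow_features(packets):
    """packets: list of (timestamp_seconds, size_bytes) for one flow direction."""
    sizes = [size for _, size in packets]
    gaps = [b - a for (a, _), (b, _) in zip(packets, packets[1:])]
    mean_gap = mean(gaps)
    gap_cv = pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0
    return {"mean_size": mean(sizes), "mean_gap": mean_gap, "gap_cv": gap_cv}

def categorize(packets):
    """Return 'interactive', 'stream', 'bulk' or 'unknown' for a flow."""
    if len(packets) < 4:            # too few gaps to judge timing behaviour
        return "unknown"
    f = flow_features(packets)
    if f["mean_size"] >= LARGE_PKT and f["mean_gap"] <= BACK_TO_BACK:
        return "bulk"               # large packets sent back-to-back
    if f["gap_cv"] <= STEADY_CV and f["mean_size"] < LARGE_PKT:
        return "stream"             # very regular inter-packet gap, RTP-like
    if f["gap_cv"] >= BURSTY_CV and f["mean_size"] <= SMALL_PKT:
        return "interactive"        # bursty human timing, small packets
    return "unknown"

def flag_suspect_interactive(dst_port, packets):
    """NIDS-style check: interactive behaviour where no interactive service lives."""
    return categorize(packets) == "interactive" and dst_port not in EXPECTED_INTERACTIVE_PORTS

# Constructed sample flows: (timestamp, size) tuples.
INTERACTIVE = [(0.0, 48), (0.35, 52), (0.41, 48), (1.90, 60), (2.05, 48), (3.80, 52)]
RTP_STREAM = [(i * 0.020, 172) for i in range(50)]    # 20 ms packetization, fixed payload
BULK = [(i * 0.0004, 1448) for i in range(50)]        # full-size segments, no idle gaps

if __name__ == "__main__":
    for name, flow in (("interactive", INTERACTIVE), ("stream", RTP_STREAM), ("bulk", BULK)):
        print(f"{name:12s} -> {categorize(flow):12s} {flow_features(flow)}")
    print("interactive on port 4444 flagged:", flag_suspect_interactive(4444, INTERACTIVE))
```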

What can it be used for?
------------------------
Security/NIDS: Detecting backdoors, by identifying interactive traffic on 
non-standard ports.

QoS: Prioritize traffic based on type (e.g. interactive or RTP-streams) 
without needing to write static iptables rules to match each new protocol's 
port number.  For some protocols, like Skype, it's not possible to do 
categorization based upon standard port numbers.

Is it possible?
---------------
I actually got the idea from two scientific papers by Vern Paxson and Yin 
Zhang, where they actually detect interactive traffic by timing 
characteristics on real-life data.  They use it for detecting backdoors and 
stepping stones.

  http://www.icir.org/vern/papers/backdoor/

  http://www.icir.org/vern/papers/stepping/

  http://citeseer.ist.psu.edu/zhang00detecting.html

Cheers,
   Jesper Brouer
   http://www.adsl-optimizer.dk

--
-------------------------------------------------------------------
MSc. Master of Computer Science
Dept. of Computer Science, University of Copenhagen
Author of http://www.adsl-optimizer.dk
-------------------------------------------------------------------
