Model of data handling for in-depth analysis of network traffic

The article suggests a new object model of data for in-depth analysis of network traffic. In contrast to the model used by most existing network analyzers, such as Wireshark or Snort, the core of our model supports data streams reassembling and next processing. The model also provides a convenient universal mechanism for binding parsers. So one can develop parsers independently at all. Our model also provides processing of modified, e.g. compressed or encrypted, data. It forms the basis of the infrastructure for in-depth analysis of network traffic.

network traffic analysis, data stream assembling, model of data, recognition of data

1. P. Tsankov, M. T. Dashti, D. Basin. SECFUZZ: Fuzz-testing Security Protocols // Proceedings of the 7th International Workshop on Automation of Software Test (AST 2012), pp. 1-7, 2012

2. A. V. Nikeshin, N. V. Pakulin, V. Z. Shnitman. Avtomatizatsiya testirovaniya sootvetstviya dlya telekommunikatsionnykh protokolov [Automation of conformance testing for communication protocols] // Trudy ISP RAN [The Proceedings of ISP RAS], 2014, vol. 26, no. 1, pp. 109-148 (in Russian). DOI: 10.15514/ISPRAS-2014-26(1)-4

3. Karen Scarfone, Peter Mell. Guide to Intrusion Detection and Prevention Systems (IDPS) // National Institute of Standards and Technology Special Publication 800-94, 127 pages, February 2007

4. Yu. V. Markin, A. S. Sanarov. Obzor sovremennykh instrumentov analiza setevogo trafika [The modern network traffic analyzers overview] // Preprinty ISP RAN [Preprints of ISP RAS], №27, 2014 (in Russian)

5. Recommendation ITU-T Y.2770, Requirements for deep packet inspection in next generation networks, edition 1.0, 2012.11.20

6. Snort. http://www.snort.org/, access date: 2015.10.07

7. Wireshark. http://www.wireshark.org/, access date: 2015.10.07

8. The Bro Network Security Monitor. http://www.bro.org/, access date: 2015.10.07

9. IETF RFC 791. Information Sciences Institute, Internet Protocol, September 1981

10. IETF RFC 5246. T. Dierks, E. Rescorla, The Transport Layer Security (TLS) Protocol Version 1.2, August 2008

11. A. V. Nikeshin, N. V. Pakulin, V. Z. Shnitman. Razrabotka testovogo nabora dlya verifikatsii realizatsii protokola bezopasnosti TLS [Creation of a test suite for verification of the TLS security protocol] // Trudy ISP RAN [The Proceedings of ISP RAS], 2012, vol. 23, pp. 387-404 (in Russian). DOI: 10.15514/ISPRAS-2012-23-22

12. A. V. Nikeshin, N. V. Pakulin, V. Z. Shnitman. Testirovanie realizatsii klienta protokola TLS [TLS clients testing] // Trudy ISP RAN [The Proceedings of ISP RAS], 2015, vol. 27, no. 2, pp. 145-160 (in Russian). DOI: 10.15514/ISPRAS-2015-27(2)-9

13. IETF RFC 4251. T. Ylonen, C. Lonvick, The Secure Shell (SSH) Protocol Architecture, January 2006

14. IETF RFC 791. Information Sciences Institute, Transmission Control Protocol, September 1981

15. IETF RFC 768. J. Postel, User Datagram Protocol, August 1980

16. F. Risso, A. Baldini, M. Baldi, P. Monclus, O. Morandi, Lightweight, Payload-Based Traffic Classification: An Experimental Evaluation // IEEE International Conference on Communications (ICC 2008), Beijing (China), pp. 5869-5875, May 2008