« The Future of Bot Worms | Main | Analytically Modeling Worm Attacks in Internet Protocol Networks »
Protocol-Independent Adaptive Replay of Application Dialog
This is an incredibly cool development, one that I've wanted for a few years but never fully knew how to build. I'm glad to see it's been done, and honestly I figured Paxson would have been involved.For many applications—including recognizing malware variants, determining the range of system versions vulnerable to a given attack, testing defense mechanisms, and filtering multi-step attacks—it can be highly useful to mimic an existing system while interacting with a live host on the network. We present RolePlayer, a system which, given examples of an application session, can mimic both the client side and the server side of the session for a wide variety of application protocols. A key property of RolePlayer is that it operates in an application-independent fashion: the system does not require any specifics about the particular application it mimics. It instead uses byte-stream alignment algorithms to compare different instances of a session to determine which fields it must change to successfully replay one side of the session. Drawing only on knowledge of a few low-level syntactic conventions (such as representing IP addresses using “dotted quads”), and contextual information such as the domain names of the participating hosts, RolePlayer can heuristically detect and adjust network addresses, ports, cookies, and length fields embedded within the session, including sessions that span multiple, concurrent connections on dynamically assigned ports.Source: Protocol-Independent Adaptive Replay of Application Dialog, Weidong Cui, Vern Paxson, Nicholas C. Weaver, Randy H. Katz.We have successfully used RolePlayer to replay both the client and server sides for a variety of network applications, including NFS, FTP, and CIFS/SMB file transfers, as well as the multi-stage infection processes of the Blaster and W32.Randex.D worms.
November 29, 2005 in detection, papers | Permalink
Tell others: digg submit
|
del.icio.us this
|
Reddit
Comments
The comments to this entry are closed.
