Chapter 5 Evaluation
5.4 Test results for low-storage capture
This work collects 1929 attack events by replaying real flows to an IPS; all of them can be reproduced in step 1 of selective replay. Table 2 lists the top 10 attack types, which cover 98.4% of the 1929 events. The most frequent attack is the Microsoft Windows RPC DCOM Service buffer overflow (www.cert.org/advisories/CA-2003-16.html), and its data length is 1828 bytes. We also found that only 333 connections have a data length exceeding 2000 bytes.
Table 2. Major types of attack events
Event Count   Ratio (%)   Alert Message
1493          75          Microsoft Windows RPC DCOM Service buffer overflow attempt
237           12          Microsoft Windows LSASS buffer overflow attempt
117           6           FTP command overflow attempt
18            0.9         SQL Injection comment attempt
11            0.5         NETBIOS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance little endian attempt
7             0.4         SHELLCODE x86 0x90 unicode NOOP
6             0.3         SQL sa brute force failed login unicode attempt
4             0.2         SQL SA brute force login attempt TDS v7/8
4             0.2         Microsoft Windows MS08-067 attempt
3             0.2         FTP invalid MODE
Therefore, we first set the thresholds to (N, 0, 0), which means SocketReplay replays only the first N bytes of data of each connection, and observed whether the intrusion prevention system still detects the attacks, as Fig. 10(a) shows. We found that 317 of the 333 events were triggered by simply replaying the first 2K bytes of data per connection, and a few more were triggered as N was increased from 5K to 50K. We then took the 16 events that are not triggered with thresholds (2000, 0, 0) and increased N to see the percentage of triggered events and the storage cost, as Fig. 10(b) shows. To cover most of these events N must be set very high, which drives the storage cost up accordingly. We therefore conclude that replaying the first 2K bytes of data of each connection is enough to trigger most attack events.
Next we picked the four events that cannot be triggered by replaying the first 50K bytes of data and reproduced them with thresholds (0, M, ∞), which means SocketReplay replays the first M bytes of data of each packet, and found the minimum M for each, as Table 3 shows. The first event is a false positive; the minimum M of the other three events is bounded by 200 bytes because these events are triggered by application headers.
Therefore, we conducted another experiment that uses thresholds (2000, M, ∞) to replay the 16 events that cannot be triggered with thresholds (2000, 0, 0). As Fig. 10(c) shows, when M is 200 bytes, 11 of the 16 events are triggered.
Next we adjusted the threshold P to find the relation between storage cost and the events triggered with thresholds (2000, 200, P). As Fig. 10(d) shows, when P is set to 1300 all 16 events are triggered and 87% of storage is saved; when P is set to 200, 8 of the 11 events are triggered and 90% of storage is saved.
To sum up, in addition to threshold N, threshold M is effective at triggering further attack events. With thresholds (N, M, P) set to (2000, 200, 1300), the low-storage capture scheme records 99.74% of the events that SocketReplay can trigger while reducing storage cost by 87%. We set P to 1300 in order to trigger the rare events that cannot be triggered with thresholds (N, M, 200).
Table 3. Minimum M that triggers the events that cannot be triggered by thresholds (50000, 0, 0)
Alert Message                                        Total Payload Size (bytes)   Minimum M (bytes)
SHELLCODE x86 setgid 0                               151611                       1300
SQL Injection comment attempt                        206085                       140
WEB-CLIENT Windows Media Player zero length bitmap   390745                       200
Adobe BMP Image Handler Buffer Overflow              561305                       90
Figure 10. (a, c) Number of triggered events after setting the thresholds (N, 0, 0) and (N, M, ∞); (b, d) percentage of storage cost and triggered events after setting the thresholds (N, 0, 0) and (N, M, P)
5.4.2 Virus
This section determines the capture scheme for collecting virus events. This work collected computer viruses from VX Heavens (vx.netlux.org), which hosts a massive, continuously updated collection of virus samples and sources. We manually made 44 FTP sessions that transferred viruses and triggered events from anti-virus systems, and captured these sessions. Next, we applied the three thresholds of SocketReplay to replay these sessions and observed whether they triggered the same events again.
The dotted line in Fig. 11(a) plots the size distribution of the viruses. It shows that 20% of the viruses are larger than 100000 bytes, far larger than the payload length of attack traffic. The solid line in Fig. 11(a) and Fig. 11(b) plots the percentage of events triggered by using SocketReplay to replay the 44 FTP sessions with thresholds (N, 0, 0). Although 40% of the viruses are larger than 8K bytes, these virus events can still be triggered by replaying the first 8000 bytes of each connection. We observe that replaying the first 60000 bytes is enough to trigger 93% of the virus events and reduces storage cost by 70%.
Besides threshold N, we conducted an experiment to answer whether threshold M is effective here. Replaying with thresholds (8000, 400, ∞) triggers 88% of the events and reduces storage cost by 67%, and replaying with thresholds (8000, 1000, ∞) triggers 90% of the events but reduces storage by only 35%. Increasing threshold M is therefore ineffective at triggering more virus events, and neither setting beats the earlier case with thresholds (60000, 0, 0), which triggers 93% of the events and reduces storage by 70%. We therefore suggest that setting threshold N to 60000 is enough to collect virus events from real flows, with thresholds M and P set to zero.
Figure 11. Virus size distribution and percentage of virus events reproduced with thresholds (N, 0, 0)
5.4.3 Peer-to-Peer
This section focuses on how to collect the minimum amount of traffic needed to identify P2P events.
Unlike attack and virus events, P2P applications frequently use UDP to transfer unencrypted queries, so some IPSs examine these queries to identify P2P applications such as BitTorrent, Skype and eDonkey. Furthermore, some techniques [12, 13] use a statistical approach to identify P2P applications from TCP/IP headers alone. Therefore, the capture scheme simply needs to capture all UDP packets and the headers of TCP packets.