clear and present data: opaque traffic and its security ... › wp-content › uploads › ... ·...
TRANSCRIPT
Clear and Present Data:Opaque Traffic and its Security
Implications for the Future
Michael BaileyUniversity of Michigan
Srinivas Krishnan
Phillip PorrasSRI International
Fabian MonroseAndrew M. White
Clear and Present DataAndrew M. White
Deep Packet Inspection (DPI)
❖ Effective intrusion detection requires accurate traffic inspection
❖ In practice: Deep Packet Inspection (DPI)
2
Clear and Present DataAndrew M. White
Deep Packet Inspection (DPI)
❖ Effective intrusion detection requires accurate traffic inspection
❖ In practice: Deep Packet Inspection (DPI)
❖ cannot rely on port/protocol assumptions alone
2
Clear and Present DataAndrew M. White
Deep Packet Inspection (DPI)
❖ Effective intrusion detection requires accurate traffic inspection
❖ In practice: Deep Packet Inspection (DPI)
❖ cannot rely on port/protocol assumptions alone
❖ must scale to cope with:
❖ massive traffic volumes
❖ significant heterogeneity of traffic
2
Clear and Present DataAndrew M. White
Deep Packet Inspection (DPI)
❖ Effective intrusion detection requires accurate traffic inspection
❖ In practice: Deep Packet Inspection (DPI)
❖ cannot rely on port/protocol assumptions alone
❖ must scale to cope with:
❖ massive traffic volumes
❖ significant heterogeneity of traffic
❖ leads to common trade-off: accuracy vs. resources
2
Clear and Present DataAndrew M. White
Opaque Traffic
3
opaque: compressed or encrypted
Clear and Present DataAndrew M. White
Opaque Traffic
❖ DPI systems cannot directly derive useful information from opaque data packets:
3
opaque: compressed or encrypted
Clear and Present DataAndrew M. White
Opaque Traffic
❖ DPI systems cannot directly derive useful information from opaque data packets:
❖ compressed: require decompression
3
opaque: compressed or encrypted
Clear and Present DataAndrew M. White
Opaque Traffic
❖ DPI systems cannot directly derive useful information from opaque data packets:
❖ compressed: require decompression
3
opaque: compressed or encrypted
Clear and Present DataAndrew M. White
Opaque Traffic
❖ DPI systems cannot directly derive useful information from opaque data packets:
❖ compressed: require decompression
❖ encrypted: ???
3
opaque: compressed or encrypted
Clear and Present DataAndrew M. White
DPI Engines and Opaque Traffic
❖ Opaque payload bytes are effectively random
❖ signature matches unlikely
❖ slow path: every packet compared against every signature
4
Clear and Present DataAndrew M. White
DPI Engines and Opaque Traffic
❖ Opaque payload bytes are effectively random
❖ signature matches unlikely
❖ slow path: every packet compared against every signature
❖ Encrypted packets: CPU overhead several orders of magnitude higher (Cascarano et al, 2009)
4
Clear and Present DataAndrew M. White
Prevalence❖ Encrypted:
❖ HTTPS
❖ VPN connections
❖ consider: private corporate networks
5
Clear and Present DataAndrew M. White
Prevalence❖ Encrypted:
❖ HTTPS
❖ VPN connections
❖ consider: private corporate networks
5
❖ Compressed:
❖ streaming audio/video
❖ most images (JPEG, PNG)
❖ many HTML websites
Clear and Present DataAndrew M. White
Empirical Observations
❖ Surprising preponderance of opaque traffic
❖ (payload-carrying) TCP packets: 89%
❖ corresponding to 86% of payload bytes
6
Clear and Present DataAndrew M. White
Empirical Observations
❖ Surprising preponderance of opaque traffic
❖ (payload-carrying) TCP packets: 89%
❖ corresponding to 86% of payload bytes
❖ As a community, we must adapt to cope with opaque traffic
❖ idea: partition traffic into classes for specialized processing
❖ first steps: fast, accurate winnowing (i.e., filtering) of opaque traffic
6
Clear and Present DataAndrew M. White
Our Contributions
❖ Identification of opaque traffic as an important and distinguishable class of network traffic
7
Clear and Present DataAndrew M. White
Our Contributions
❖ Identification of opaque traffic as an important and distinguishable class of network traffic
❖ Development, comparison, and evaluation of multiple techniques for quickly and accurately identifying opaque packets
7
Clear and Present DataAndrew M. White
Our Contributions
❖ Identification of opaque traffic as an important and distinguishable class of network traffic
❖ Development, comparison, and evaluation of multiple techniques for quickly and accurately identifying opaque packets
❖ An operational analysis of modern network traffic with respect to opacity
7
Clear and Present DataAndrew M. White
Our Contributions
❖ Identification of opaque traffic as an important and distinguishable class of network traffic
❖ Development, comparison, and evaluation of multiple techniques for quickly and accurately identifying opaque packets
❖ An operational analysis of modern network traffic with respect to opacity
❖ Evaluation, at scale, of the potential for winnowing to reduce load on IDS/DPI systems
7
Clear and Present DataAndrew M. White
Identifying Opaque Traffic
8
secure !ell
tran#o$ layer secu%ty
messa' (ream encryption
secure sockets layerSignatures?
Clear and Present DataAndrew M. White
Identifying Opaque Traffic
❖ requires construction and deployment of signatures for each and every protocol
8
secure !ell
tran#o$ layer secu%ty
messa' (ream encryption
secure sockets layerSignatures?
Clear and Present DataAndrew M. White
Identifying Opaque Traffic
❖ requires construction and deployment of signatures for each and every protocol
❖ some opaque protocols designed to evade signatures (e.g., BitTorrent’s Message Stream Encryption)
8
secure !ell
tran#o$ layer secu%ty
messa' (ream encryption
secure sockets layerSignatures?
Identifying Opaque Traffic
Clear and Present DataAndrew M. White 9
Content-Type inspection?
Identifying Opaque Traffic
Clear and Present DataAndrew M. White
❖ requires flow reassembly
❖ 1/3 of runtime overhead in our experiments
9
Content-Type inspection?
Identifying Opaque Traffic
Clear and Present DataAndrew M. White
❖ requires flow reassembly
❖ 1/3 of runtime overhead in our experiments
❖ often inaccurate
❖ demonstrated later
❖ independently corroborated (Schneider et al, 2012)
9
Content-Type inspection?
Clear and Present DataAndrew M. White
Our Design Criteria❖ per-packet operation
10
Clear and Present DataAndrew M. White
Our Design Criteria❖ per-packet operation
❖ no reassembly required!
10
Clear and Present DataAndrew M. White
Our Design Criteria❖ per-packet operation
❖ no reassembly required!
❖ flows can change opacity:
❖ gzipped HTTP
❖ STARTTLS
10
Clear and Present DataAndrew M. White
Our Design Criteria❖ per-packet operation
❖ no reassembly required!
❖ flows can change opacity:
❖ gzipped HTTP
❖ STARTTLS
❖ port- and protocol-agnostic
10
Clear and Present DataAndrew M. White
Our Design Criteria❖ per-packet operation
❖ no reassembly required!
❖ flows can change opacity:
❖ gzipped HTTP
❖ STARTTLS
❖ port- and protocol-agnostic
❖ minimal payload inspection
❖ resource use increases with inspection depth (Dreger et al, 2004, Cascarano et al, 2009)
10
Clear and Present DataAndrew M. White
Our Techniques
❖ Small-sample hypothesis tests❖ extensive experimentation (details in the paper)
❖ comparison of methods❖ parameter-space exploration
Clear and Present DataAndrew M. White
Our Techniques
❖ Small-sample hypothesis tests❖ extensive experimentation (details in the paper)
❖ comparison of methods❖ parameter-space exploration
❖ Two clearly superior methods❖ Likelihood Ratio❖ (Truncated) Sequential Probability Ratio Test (SPRT)
Clear and Present DataAndrew M. White
Our Techniques
❖ Small-sample hypothesis tests❖ extensive experimentation (details in the paper)
❖ comparison of methods❖ parameter-space exploration
❖ Two clearly superior methods❖ Likelihood Ratio❖ (Truncated) Sequential Probability Ratio Test (SPRT)
❖ Identify opaque packets in 16 bytes or less❖ significantly fewer than necessary for, e.g., entropy, chi-square
Clear and Present DataAndrew M. White
Major Experiments
❖ File Type Opacity
❖ Content-Type Matching
❖ Operator Analysis
❖ Head-to-Head Comparison
12
Clear and Present DataAndrew M. White
Content-Type Matching
❖ Logged traffic using Bro
❖ ports 22, 25, 80, 443
❖ two major university campuses
❖ dynamic protocol detection
13
Clear and Present DataAndrew M. White
Content-Type Matching
❖ Logged traffic using Bro
❖ ports 22, 25, 80, 443
❖ two major university campuses
❖ dynamic protocol detection
❖ ground truth:
❖ SSL/TLS and SSH: opaque
❖ SMTP: transparent
❖ HTTP: inferred from Content-Type and Content-Encoding
13
Clear and Present DataAndrew M. White
Match Rate
14
50%
63%
75%
88%
100%
SSL/TLS HTTP
University of Michigan (39m packets; 3.8m flows)University of North Carolina (24m packets, 2.3m flows)
Figure 5. ROC plots for the techniques examined in this work.
as accurately as those in the byte-value domain; webelieve that this indicates that accurate entropy testsrequire more samples than are available in our context.
Content Type MatchingWe performed a large-scale analysis on both trace1
and trace2; the overall results are given in Table IV.Using the truncated sequential method (� = 0.005,⇥ =0.005,⇤ = 0.85,N = 16,T = 8), we achieve a matchrate, i.e., the percentage of examples for which ourtechniques produced the same label as expected fromthe content type, of 95.1% on trace1 and 96.0% ontrace2. We refer to ‘match’ rates here, rather thanfalse-positive or false-negative rates, due to the largequantity of mislabeled content-types we encountered(we investigate these mislabeled instances in the nextsection).
trace1 trace2Protocol Match Rate Examples Match Rate ExamplesSSH 94% 7.3m 97% 157kSSL/TLS 96% 16.4m 94% 5.5mSMTP 86% 3.35m 80% 1.4mHTTP 91% 9.7m 85% 13.8mTotal 94% 36.7m 96% 20.8m
Table IVEXPERIMENTAL RESULTS (trace1 AND trace2)
In the case of encrypted traffic (i.e., TLS/SSL) weaccurately classified approximately 95% of the traffic.
(a) SSL/TLS
(b) SSH
Figure 6. CDFs of Packet IDs
However, the mismatches are particularly interesting.Figure 6 shows the distribution of packet IDs, wherea packet’s ID is its position in the bi-directional flow(i.e., a packet with ID zero is the first packet sent by
7
Clear and Present DataAndrew M. White
Mismatches on Encrypted Traffic
❖ mismatches: flagged as transparent (“false negatives”)❖ 95% of mismatches within first 5 packets of flow
❖ primarily connection-setup packets 15
SSL/TLS
Clear and Present DataAndrew M. White
HTTP Text Mismatches
16
text/plain,labeled opaque (“false positives”)
text/plain,labeled transparent
Clear and Present DataAndrew M. White
HTTP JPEG Mismatches
17
image/jpeg,labeled opaque
image/jpeg,labeled transparent (“false negative”)
Clear and Present DataAndrew M. White
HTTP JPEG Mismatches
17
image/jpeg,labeled opaque
image/jpeg,labeled transparent (“false negative”)
Clear and Present DataAndrew M. White
Head to Head
❖ Implemented winnowing as a Snort preprocessor
18
APPENDIX BThe UNIVERSITY OF NORTH CAROLINA is the owner of all rights, title and interest in and to the following Indicia,
which includes trademarks, service marks, trade names, designs, logos seals and symbols.
In addition to the Indicia shown above, any Indicia adopted hereafter and use or approved for use byUNIVERSITY OF NORTH CAROLINA shall be deemed to be additions to the Indicia as though shown above and
shall be subject to the terms and conditions of the Agreement.
NOTE: The marks of The University of North Carolina are controlled under a licensing program administered by The Collegiate Licensing Company. Any use of these marks will require written approval from The Collegiate Licensing Company.
CAROLINA BLUE TAR HEELS DEEP BLUE TAR HEELS MET. SILVER TAR HEELS SILVER
Yes No Restrictions
UNIVERSITY� OF� NORTH� CAROLINA� TAR� HEELS
LOCATION: CHAPEL HILL, NCNICKNAME: TAR HEELSMASCOT NICKNAME: RAMESES
University of North Carolina ®North Carolina™Carolina™UNC ®Tar Heels ®Tar Heel™Heels™Carolina Fever ®North Carolina Tar Heels™
Carolina Tar Heels™Dean E. Smith Center™Dean Dome™Kenan Memorial Stadium™Boshamer Stadium™Carmichael Auditorium™Old Well™Carolina Blue™
ESTABLISHED DATE: 1789CONFERENCE: ATLANTIC COAST CONFERENCE
Must have expiration date on packaging
See below
CAROLINA BLUETAR HEELS DEEP BLUETAR HEELS METALLIC SILVERTAR HEELS SILVERWHITE
PANTONE 278PANTONE 282PANTONE 877PANTONE 429WHITE
Limited use permitted• University seal permitted on products for resale:• Alterations to seal permitted:• Overlaying / intersecting graphics permitted with seal:• University licenses consumables:• University licenses health & beauty products:• University permits numbers on products for resale:• Mascot caricatures permitted:• Cross licensing with other marks permitted:• NO USE of current player's name, image, or likeness is permitted on commercial products in violation of NCAA rules and regulations.• NO REFERENCES to alcohol, drugs, or tobacco related products may be used in conjunction with University marks.• Tar Heels must be two words.• The use of #23 on basketball jerseys is restricted to the University's sideline provider. All other numbers are permitted on jerseys throughout all retail channels. The argyle pattern depicted on basketball uniforms is also restricted to sideline provider.
MADEIRA 1075MADEIRA 1242
MADEIRA 1040WHITE
RA 2301RA 2609
RA 2618WHITE
GS/SULKY 1029GS/SULKY 1197
GS/SULKY 1040WHITE
FEBRUARY 13, 2008
APPENDIX BThe UNIVERSITY OF NORTH CAROLINA is the owner of all rights, title and interest in and to the following Indicia,
which includes trademarks, service marks, trade names, designs, logos seals and symbols.
In addition to the Indicia shown above, any Indicia adopted hereafter and use or approved for use byUNIVERSITY OF NORTH CAROLINA shall be deemed to be additions to the Indicia as though shown above and
shall be subject to the terms and conditions of the Agreement.
NOTE: The marks of The University of North Carolina are controlled under a licensing program administered by The Collegiate Licensing Company. Any use of these marks will require written approval from The Collegiate Licensing Company.
CAROLINA BLUE TAR HEELS DEEP BLUE TAR HEELS MET. SILVER TAR HEELS SILVER
Yes No Restrictions
UNIVERSITY� OF� NORTH� CAROLINA� TAR� HEELS
LOCATION: CHAPEL HILL, NCNICKNAME: TAR HEELSMASCOT NICKNAME: RAMESES
University of North Carolina ®North Carolina™Carolina™UNC ®Tar Heels ®Tar Heel™Heels™Carolina Fever ®North Carolina Tar Heels™
Carolina Tar Heels™Dean E. Smith Center™Dean Dome™Kenan Memorial Stadium™Boshamer Stadium™Carmichael Auditorium™Old Well™Carolina Blue™
ESTABLISHED DATE: 1789CONFERENCE: ATLANTIC COAST CONFERENCE
Must have expiration date on packaging
See below
CAROLINA BLUETAR HEELS DEEP BLUETAR HEELS METALLIC SILVERTAR HEELS SILVERWHITE
PANTONE 278PANTONE 282PANTONE 877PANTONE 429WHITE
Limited use permitted• University seal permitted on products for resale:• Alterations to seal permitted:• Overlaying / intersecting graphics permitted with seal:• University licenses consumables:• University licenses health & beauty products:• University permits numbers on products for resale:• Mascot caricatures permitted:• Cross licensing with other marks permitted:• NO USE of current player's name, image, or likeness is permitted on commercial products in violation of NCAA rules and regulations.• NO REFERENCES to alcohol, drugs, or tobacco related products may be used in conjunction with University marks.• Tar Heels must be two words.• The use of #23 on basketball jerseys is restricted to the University's sideline provider. All other numbers are permitted on jerseys throughout all retail channels. The argyle pattern depicted on basketball uniforms is also restricted to sideline provider.
MADEIRA 1075MADEIRA 1242
MADEIRA 1040WHITE
RA 2301RA 2609
RA 2618WHITE
GS/SULKY 1029GS/SULKY 1197
GS/SULKY 1040WHITE
FEBRUARY 13, 2008
Clear and Present DataAndrew M. White
Head to Head
❖ Implemented winnowing as a Snort preprocessor
❖ Ran two Snort instances side-by-side on live traffic
❖ one had our preprocessor installed
❖ both saw exactly the same packets
18
APPENDIX BThe UNIVERSITY OF NORTH CAROLINA is the owner of all rights, title and interest in and to the following Indicia,
which includes trademarks, service marks, trade names, designs, logos seals and symbols.
In addition to the Indicia shown above, any Indicia adopted hereafter and use or approved for use byUNIVERSITY OF NORTH CAROLINA shall be deemed to be additions to the Indicia as though shown above and
shall be subject to the terms and conditions of the Agreement.
NOTE: The marks of The University of North Carolina are controlled under a licensing program administered by The Collegiate Licensing Company. Any use of these marks will require written approval from The Collegiate Licensing Company.
CAROLINA BLUE TAR HEELS DEEP BLUE TAR HEELS MET. SILVER TAR HEELS SILVER
Yes No Restrictions
UNIVERSITY� OF� NORTH� CAROLINA� TAR� HEELS
LOCATION: CHAPEL HILL, NCNICKNAME: TAR HEELSMASCOT NICKNAME: RAMESES
University of North Carolina ®North Carolina™Carolina™UNC ®Tar Heels ®Tar Heel™Heels™Carolina Fever ®North Carolina Tar Heels™
Carolina Tar Heels™Dean E. Smith Center™Dean Dome™Kenan Memorial Stadium™Boshamer Stadium™Carmichael Auditorium™Old Well™Carolina Blue™
ESTABLISHED DATE: 1789CONFERENCE: ATLANTIC COAST CONFERENCE
Must have expiration date on packaging
See below
CAROLINA BLUETAR HEELS DEEP BLUETAR HEELS METALLIC SILVERTAR HEELS SILVERWHITE
PANTONE 278PANTONE 282PANTONE 877PANTONE 429WHITE
Limited use permitted• University seal permitted on products for resale:• Alterations to seal permitted:• Overlaying / intersecting graphics permitted with seal:• University licenses consumables:• University licenses health & beauty products:• University permits numbers on products for resale:• Mascot caricatures permitted:• Cross licensing with other marks permitted:• NO USE of current player's name, image, or likeness is permitted on commercial products in violation of NCAA rules and regulations.• NO REFERENCES to alcohol, drugs, or tobacco related products may be used in conjunction with University marks.• Tar Heels must be two words.• The use of #23 on basketball jerseys is restricted to the University's sideline provider. All other numbers are permitted on jerseys throughout all retail channels. The argyle pattern depicted on basketball uniforms is also restricted to sideline provider.
MADEIRA 1075MADEIRA 1242
MADEIRA 1040WHITE
RA 2301RA 2609
RA 2618WHITE
GS/SULKY 1029GS/SULKY 1197
GS/SULKY 1040WHITE
FEBRUARY 13, 2008
APPENDIX BThe UNIVERSITY OF NORTH CAROLINA is the owner of all rights, title and interest in and to the following Indicia,
which includes trademarks, service marks, trade names, designs, logos seals and symbols.
In addition to the Indicia shown above, any Indicia adopted hereafter and use or approved for use byUNIVERSITY OF NORTH CAROLINA shall be deemed to be additions to the Indicia as though shown above and
shall be subject to the terms and conditions of the Agreement.
NOTE: The marks of The University of North Carolina are controlled under a licensing program administered by The Collegiate Licensing Company. Any use of these marks will require written approval from The Collegiate Licensing Company.
CAROLINA BLUE TAR HEELS DEEP BLUE TAR HEELS MET. SILVER TAR HEELS SILVER
Yes No Restrictions
UNIVERSITY� OF� NORTH� CAROLINA� TAR� HEELS
LOCATION: CHAPEL HILL, NCNICKNAME: TAR HEELSMASCOT NICKNAME: RAMESES
University of North Carolina ®North Carolina™Carolina™UNC ®Tar Heels ®Tar Heel™Heels™Carolina Fever ®North Carolina Tar Heels™
Carolina Tar Heels™Dean E. Smith Center™Dean Dome™Kenan Memorial Stadium™Boshamer Stadium™Carmichael Auditorium™Old Well™Carolina Blue™
ESTABLISHED DATE: 1789CONFERENCE: ATLANTIC COAST CONFERENCE
Must have expiration date on packaging
See below
CAROLINA BLUETAR HEELS DEEP BLUETAR HEELS METALLIC SILVERTAR HEELS SILVERWHITE
PANTONE 278PANTONE 282PANTONE 877PANTONE 429WHITE
Limited use permitted• University seal permitted on products for resale:• Alterations to seal permitted:• Overlaying / intersecting graphics permitted with seal:• University licenses consumables:• University licenses health & beauty products:• University permits numbers on products for resale:• Mascot caricatures permitted:• Cross licensing with other marks permitted:• NO USE of current player's name, image, or likeness is permitted on commercial products in violation of NCAA rules and regulations.• NO REFERENCES to alcohol, drugs, or tobacco related products may be used in conjunction with University marks.• Tar Heels must be two words.• The use of #23 on basketball jerseys is restricted to the University's sideline provider. All other numbers are permitted on jerseys throughout all retail channels. The argyle pattern depicted on basketball uniforms is also restricted to sideline provider.
MADEIRA 1075MADEIRA 1242
MADEIRA 1040WHITE
RA 2301RA 2609
RA 2618WHITE
GS/SULKY 1029GS/SULKY 1197
GS/SULKY 1040WHITE
FEBRUARY 13, 2008
Clear and Present DataAndrew M. White
Head-to-Head Experiment
19
PACKETDUPLICATION
EndaceDAG
APPENDIX BThe UNIVERSITY OF NORTH CAROLINA is the owner of all rights, title and interest in and to the following Indicia,
which includes trademarks, service marks, trade names, designs, logos seals and symbols.
In addition to the Indicia shown above, any Indicia adopted hereafter and use or approved for use byUNIVERSITY OF NORTH CAROLINA shall be deemed to be additions to the Indicia as though shown above and
shall be subject to the terms and conditions of the Agreement.
NOTE: The marks of The University of North Carolina are controlled under a licensing program administered by The Collegiate Licensing Company. Any use of these marks will require written approval from The Collegiate Licensing Company.
CAROLINA BLUE TAR HEELS DEEP BLUE TAR HEELS MET. SILVER TAR HEELS SILVER
Yes No Restrictions
UNIVERSITY� OF� NORTH� CAROLINA� TAR� HEELS
LOCATION: CHAPEL HILL, NCNICKNAME: TAR HEELSMASCOT NICKNAME: RAMESES
University of North Carolina ®North Carolina™Carolina™UNC ®Tar Heels ®Tar Heel™Heels™Carolina Fever ®North Carolina Tar Heels™
Carolina Tar Heels™Dean E. Smith Center™Dean Dome™Kenan Memorial Stadium™Boshamer Stadium™Carmichael Auditorium™Old Well™Carolina Blue™
ESTABLISHED DATE: 1789CONFERENCE: ATLANTIC COAST CONFERENCE
Must have expiration date on packaging
See below
CAROLINA BLUETAR HEELS DEEP BLUETAR HEELS METALLIC SILVERTAR HEELS SILVERWHITE
PANTONE 278PANTONE 282PANTONE 877PANTONE 429WHITE
Limited use permitted• University seal permitted on products for resale:• Alterations to seal permitted:• Overlaying / intersecting graphics permitted with seal:• University licenses consumables:• University licenses health & beauty products:• University permits numbers on products for resale:• Mascot caricatures permitted:• Cross licensing with other marks permitted:• NO USE of current player's name, image, or likeness is permitted on commercial products in violation of NCAA rules and regulations.• NO REFERENCES to alcohol, drugs, or tobacco related products may be used in conjunction with University marks.• Tar Heels must be two words.• The use of #23 on basketball jerseys is restricted to the University's sideline provider. All other numbers are permitted on jerseys throughout all retail channels. The argyle pattern depicted on basketball uniforms is also restricted to sideline provider.
MADEIRA 1075MADEIRA 1242
MADEIRA 1040WHITE
RA 2301RA 2609
RA 2618WHITE
GS/SULKY 1029GS/SULKY 1197
GS/SULKY 1040WHITE
FEBRUARY 13, 2008
APPENDIX BThe UNIVERSITY OF NORTH CAROLINA is the owner of all rights, title and interest in and to the following Indicia,
which includes trademarks, service marks, trade names, designs, logos seals and symbols.
In addition to the Indicia shown above, any Indicia adopted hereafter and use or approved for use byUNIVERSITY OF NORTH CAROLINA shall be deemed to be additions to the Indicia as though shown above and
shall be subject to the terms and conditions of the Agreement.
NOTE: The marks of The University of North Carolina are controlled under a licensing program administered by The Collegiate Licensing Company. Any use of these marks will require written approval from The Collegiate Licensing Company.
CAROLINA BLUE TAR HEELS DEEP BLUE TAR HEELS MET. SILVER TAR HEELS SILVER
Yes No Restrictions
UNIVERSITY� OF� NORTH� CAROLINA� TAR� HEELS
LOCATION: CHAPEL HILL, NCNICKNAME: TAR HEELSMASCOT NICKNAME: RAMESES
University of North Carolina ®North Carolina™Carolina™UNC ®Tar Heels ®Tar Heel™Heels™Carolina Fever ®North Carolina Tar Heels™
Carolina Tar Heels™Dean E. Smith Center™Dean Dome™Kenan Memorial Stadium™Boshamer Stadium™Carmichael Auditorium™Old Well™Carolina Blue™
ESTABLISHED DATE: 1789CONFERENCE: ATLANTIC COAST CONFERENCE
Must have expiration date on packaging
See below
CAROLINA BLUETAR HEELS DEEP BLUETAR HEELS METALLIC SILVERTAR HEELS SILVERWHITE
PANTONE 278PANTONE 282PANTONE 877PANTONE 429WHITE
Limited use permitted• University seal permitted on products for resale:• Alterations to seal permitted:• Overlaying / intersecting graphics permitted with seal:• University licenses consumables:• University licenses health & beauty products:• University permits numbers on products for resale:• Mascot caricatures permitted:• Cross licensing with other marks permitted:• NO USE of current player's name, image, or likeness is permitted on commercial products in violation of NCAA rules and regulations.• NO REFERENCES to alcohol, drugs, or tobacco related products may be used in conjunction with University marks.• Tar Heels must be two words.• The use of #23 on basketball jerseys is restricted to the University's sideline provider. All other numbers are permitted on jerseys throughout all retail channels. The argyle pattern depicted on basketball uniforms is also restricted to sideline provider.
MADEIRA 1075MADEIRA 1242
MADEIRA 1040WHITE
RA 2301RA 2609
RA 2618WHITE
GS/SULKY 1029GS/SULKY 1197
GS/SULKY 1040WHITE
FEBRUARY 13, 2008
CampusNetworkTraffic
❖ DAG (Data Acquisition and Generation) capture card
❖ packet duplication
❖ port filtering
Clear and Present DataAndrew M. White
Head-to-Head Experiment
19
PACKETDUPLICATION
EndaceDAG
APPENDIX BThe UNIVERSITY OF NORTH CAROLINA is the owner of all rights, title and interest in and to the following Indicia,
which includes trademarks, service marks, trade names, designs, logos seals and symbols.
In addition to the Indicia shown above, any Indicia adopted hereafter and use or approved for use byUNIVERSITY OF NORTH CAROLINA shall be deemed to be additions to the Indicia as though shown above and
shall be subject to the terms and conditions of the Agreement.
NOTE: The marks of The University of North Carolina are controlled under a licensing program administered by The Collegiate Licensing Company. Any use of these marks will require written approval from The Collegiate Licensing Company.
CAROLINA BLUE TAR HEELS DEEP BLUE TAR HEELS MET. SILVER TAR HEELS SILVER
Yes No Restrictions
UNIVERSITY� OF� NORTH� CAROLINA� TAR� HEELS
LOCATION: CHAPEL HILL, NCNICKNAME: TAR HEELSMASCOT NICKNAME: RAMESES
University of North Carolina ®North Carolina™Carolina™UNC ®Tar Heels ®Tar Heel™Heels™Carolina Fever ®North Carolina Tar Heels™
Carolina Tar Heels™Dean E. Smith Center™Dean Dome™Kenan Memorial Stadium™Boshamer Stadium™Carmichael Auditorium™Old Well™Carolina Blue™
ESTABLISHED DATE: 1789CONFERENCE: ATLANTIC COAST CONFERENCE
Must have expiration date on packaging
See below
CAROLINA BLUETAR HEELS DEEP BLUETAR HEELS METALLIC SILVERTAR HEELS SILVERWHITE
PANTONE 278PANTONE 282PANTONE 877PANTONE 429WHITE
Limited use permitted• University seal permitted on products for resale:• Alterations to seal permitted:• Overlaying / intersecting graphics permitted with seal:• University licenses consumables:• University licenses health & beauty products:• University permits numbers on products for resale:• Mascot caricatures permitted:• Cross licensing with other marks permitted:• NO USE of current player's name, image, or likeness is permitted on commercial products in violation of NCAA rules and regulations.• NO REFERENCES to alcohol, drugs, or tobacco related products may be used in conjunction with University marks.• Tar Heels must be two words.• The use of #23 on basketball jerseys is restricted to the University's sideline provider. All other numbers are permitted on jerseys throughout all retail channels. The argyle pattern depicted on basketball uniforms is also restricted to sideline provider.
MADEIRA 1075MADEIRA 1242
MADEIRA 1040WHITE
RA 2301RA 2609
RA 2618WHITE
GS/SULKY 1029GS/SULKY 1197
GS/SULKY 1040WHITE
FEBRUARY 13, 2008
APPENDIX BThe UNIVERSITY OF NORTH CAROLINA is the owner of all rights, title and interest in and to the following Indicia,
which includes trademarks, service marks, trade names, designs, logos seals and symbols.
In addition to the Indicia shown above, any Indicia adopted hereafter and use or approved for use byUNIVERSITY OF NORTH CAROLINA shall be deemed to be additions to the Indicia as though shown above and
shall be subject to the terms and conditions of the Agreement.
NOTE: The marks of The University of North Carolina are controlled under a licensing program administered by The Collegiate Licensing Company. Any use of these marks will require written approval from The Collegiate Licensing Company.
CAROLINA BLUE TAR HEELS DEEP BLUE TAR HEELS MET. SILVER TAR HEELS SILVER
Yes No Restrictions
UNIVERSITY� OF� NORTH� CAROLINA� TAR� HEELS
LOCATION: CHAPEL HILL, NCNICKNAME: TAR HEELSMASCOT NICKNAME: RAMESES
University of North Carolina ®North Carolina™Carolina™UNC ®Tar Heels ®Tar Heel™Heels™Carolina Fever ®North Carolina Tar Heels™
Carolina Tar Heels™Dean E. Smith Center™Dean Dome™Kenan Memorial Stadium™Boshamer Stadium™Carmichael Auditorium™Old Well™Carolina Blue™
ESTABLISHED DATE: 1789CONFERENCE: ATLANTIC COAST CONFERENCE
Must have expiration date on packaging
See below
CAROLINA BLUETAR HEELS DEEP BLUETAR HEELS METALLIC SILVERTAR HEELS SILVERWHITE
PANTONE 278PANTONE 282PANTONE 877PANTONE 429WHITE
Limited use permitted• University seal permitted on products for resale:• Alterations to seal permitted:• Overlaying / intersecting graphics permitted with seal:• University licenses consumables:• University licenses health & beauty products:• University permits numbers on products for resale:• Mascot caricatures permitted:• Cross licensing with other marks permitted:• NO USE of current player's name, image, or likeness is permitted on commercial products in violation of NCAA rules and regulations.• NO REFERENCES to alcohol, drugs, or tobacco related products may be used in conjunction with University marks.• Tar Heels must be two words.• The use of #23 on basketball jerseys is restricted to the University's sideline provider. All other numbers are permitted on jerseys throughout all retail channels. The argyle pattern depicted on basketball uniforms is also restricted to sideline provider.
MADEIRA 1075MADEIRA 1242
MADEIRA 1040WHITE
RA 2301RA 2609
RA 2618WHITE
GS/SULKY 1029GS/SULKY 1197
GS/SULKY 1040WHITE
FEBRUARY 13, 2008
CampusNetworkTraffic
❖ DAG (Data Acquisition and Generation) capture card
❖ packet duplication
❖ port filtering
❖ One experiment:
❖ 24 weekday hours
❖ peak load of 1.2Gbps
❖ nearly 100 billion packets
❖ 7.6 terabytes of data
Clear and Present DataAndrew M. White
Packets Analyzed
20
Clear and Present DataAndrew M. White
Network Exposure Difference
21
Attempted User Privilege Gain
Misc activity
Potentially Bad Traffic
A Client was Using an Unusual Port
A Network Trojan was Detected
Attempted Administrator Privilege Gain
Potential Corporate Privacy Violation
Unknown Traffic
0% 500% 1000% 1500% 2000%Percent Difference (Winnow vs. Snort)
Clear and Present DataAndrew M. White
Network Exposure Difference
21
Attempted User Privilege Gain
Misc activity
Potentially Bad Traffic
A Client was Using an Unusual Port
A Network Trojan was Detected
Attempted Administrator Privilege Gain
Potential Corporate Privacy Violation
Unknown Traffic
0% 500% 1000% 1500% 2000%Percent Difference (Winnow vs. Snort)
Clear and Present DataAndrew M. White
Network Exposure Difference
21
Attempted User Privilege Gain
Misc activity
Potentially Bad Traffic
A Client was Using an Unusual Port
A Network Trojan was Detected
Attempted Administrator Privilege Gain
Potential Corporate Privacy Violation
Unknown Traffic
0% 500% 1000% 1500% 2000%Percent Difference (Winnow vs. Snort)
Clear and Present DataAndrew M. White
Summary
❖ Opaque traffic: compressed or encrypted network traffic
❖ surprisingly high proportion (89% packets; 86% of payload)
❖ evaluated multiple techniques for identifying opaque packets
22
Clear and Present DataAndrew M. White
Summary
❖ Opaque traffic: compressed or encrypted network traffic
❖ surprisingly high proportion (89% packets; 86% of payload)
❖ evaluated multiple techniques for identifying opaque packets
❖ Explored winnowing (i.e., filtering) opaque packets
❖ first step toward coping with opaque traffic
❖ improves accuracy vs. resources curve (more signatures can be applied to transparent traffic)
❖ not a solution by itself, but a tool in the toolbox
22
Thanks!
N. Cascarano, A. Este, F. Gringoli, F. Risso, and L. Salgarelli. An experimental evaluation of the computational cost of a DPI traffic classifier. Global Telecommunications Conference, 2009.
H. Dreger, A. Feldmann, V. Paxson, and R. Sommer. Operational experiences with high-volume network intrusion detection. CCS, 2004.
F. Schneider, B. Ager, G. Maier, A. Feldmann, S. Uhlig. Pitfalls in HTTP Traffic Measurements and Analysis. PAM, 2012.