A TCPdump file captures not only packets but also various “properties” related to the live TCP sessions on the Internet. It is still an open problem to identify all the possible properties, if that is possible at all, and, more importantly, to determine which properties really matter to the consumers of a particular TCPdump file and how those properties are related to each other. However, it is quite clear that existing traffic replay tools used for system evaluation, such as TCPreplay, destroy at least some critical properties, such as the “ghost acknowledgment” (where the original packet has never been delivered), which is a critical issue in conducting experimental evaluations of intrusion detection systems. In this paper, we present a software tool that transforms an existing TCPdump file into another traffic file with different “properties”. For instance, if the original traffic was captured in a laboratory environment, the new file might “appear” to have been captured between the US and Sweden. The transformation is “heuristically consistent”, as some hidden properties might still be destroyed in the transformation process. One interesting application of our tool is building long-term profiles to detect anomalous TCP attacks without actually running the target application over the Internet. While this paper focuses only on property-oriented traffic transformation, we have also built and evaluated an interactive version of this tool, called TCPopera, to evaluate commercial intrusion prevention systems.