CovertMark.strategy.entropy_dist module
- class CovertMark.strategy.entropy_dist.EntropyStrategy(pt_pcap, negative_pcap=None, debug=True)[source]
Bases: CovertMark.strategy.strategy.DetectionStrategy
Detecting high-entropy encryption based on payload byte-uniformity and entropy-distribution tests on TCP payloads in both directions.
- BLOCK_SIZE = 8
- BLOCK_SIZES = [16, 32, 64]
- CRITERIA = [3, 2, 1]
- CRITERIA_DESCRIPTIONS = {1: 'sensitive', 2: 'majority voting', 3: 'conservative'}
- DESCRIPTION = 'Detecting high-entropy PTs based on payload byte-uniformity and entropy-distribution.'
- FALSE_POSITIVE_SCORE_WEIGHT = 0.5
- MAX_CRITERION = 3
- MIN_TEST_SIZES = [1024, 512, 256, 128]
- NAME = 'Entropy Distribution Strategy'
- P_THRESHOLD = 0.1
- RUN_CONFIG_DESCRIPTION = ['Block Size', 'Test Size', 'Criterion']
- TLS_HTTP_INCLUSION_THRESHOLD = 0.1
- config_specific_penalisation(config_set)[source]
Byte block sizes and minimum test sizes for the entropy uniformity and distribution tests will already have affected the positive execution time in inverse proportion. Therefore the only additional penalty is based on the number of statistical runs needed, as determined by the number of agreements required, with a 10% penalty for each additional statistical test beyond the minimum.
- interpret_config(config_set)[source]
Block size, p-value threshold, and criteria distinguish entropy distribution tests.
- negative_run(**kwargs)[source]
Test an identical configuration on negative packets, reporting falsely blocked IPs.
- Parameters
  - block_size (int) – the size of blocks of payload bytes tested in KS and AD. Default is set in BLOCK_SIZE.
  - test_size (int) – the minimum number of bytes tested in each payload, with default set in TEST_SIZES.
  - criterion (int) – the number of rejected hypotheses among all tests needed to reach a positive conclusion.
- positive_run(**kwargs)[source]
Three different criteria for combining the results of the KS byte-uniformity, entropy-distribution and Anderson-Darling tests, with variable minimum tested payload sizes and test block sizes. Results from these tests detect uniformly high-entropy payloads that are likely the output of pseudo-random encryption.
- Parameters
  - block_size (int) – the size of blocks of payload bytes tested in KS and AD. Default is set in BLOCK_SIZE.
  - test_size (int) – the minimum number of bytes tested in each payload, with default set in TEST_SIZES.
  - criterion (int) – the number of rejected hypotheses among all tests needed to reach a positive conclusion.
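The following is a worked illustration of the block-wise testing and vote criteria described for positive_run, added here as an example; it is not CovertMark's own code. It approximates the three named tests with the standard library only: a KS distance of the byte ECDF from Uniform{0..255} with the asymptotic Kolmogorov p-value, an Anderson-Darling A² against Uniform(0,1) with byte values mapped to bin midpoints, and a per-block Shannon entropy check. P_THRESHOLD and CRITERIA_DESCRIPTIONS come from the page; BLOCK_PASS_FRACTION, ENTROPY_FRACTION, the names classify_payload/ks_vote/ad_vote/entropy_distribution_vote, and the choice that each test casts one vote when it finds the payload consistent with uniform bytes (the page counts "rejected hypotheses", so the vote direction here is an assumption) are all assumptions of this example. The two payloads are constructed samples.

```python
"""Block-wise byte-uniformity and entropy tests combined under 1/2/3 vote criteria.

Added example, not CovertMark's code. Thresholds other than P_THRESHOLD, the
fraction-of-blocks rule and the entropy cut-off are assumptions of this example.
"""
import hashlib
import math
from collections import Counter

P_THRESHOLD = 0.1             # from the page: p-value below which uniformity is rejected
AD_CRITICAL_ALPHA_10 = 1.933  # asymptotic A^2 critical value, alpha = 0.10, fully specified CDF
BLOCK_PASS_FRACTION = 0.5     # assumed: share of blocks that must look uniform for a test to vote
ENTROPY_FRACTION = 0.9        # assumed: mean block entropy must reach 90% of the block ceiling
CRITERIA_DESCRIPTIONS = {1: "sensitive", 2: "majority voting", 3: "conservative"}


def blocks(payload, block_size):
    """Split the payload into full blocks of block_size bytes (tail dropped)."""
    return [payload[i:i + block_size]
            for i in range(0, len(payload) - block_size + 1, block_size)]


def ks_uniform_pvalue(block):
    """KS distance of the byte ECDF from Uniform{0..255}, evaluated at every byte
    value, with the asymptotic Kolmogorov p-value and Stephens' finite-n factor."""
    n = len(block)
    counts = Counter(block)
    cum, d = 0, 0.0
    for v in range(256):
        cum += counts.get(v, 0)
        d = max(d, abs(cum / n - (v + 1) / 256.0))
    lam = (math.sqrt(n) + 0.12 + 0.11 / math.sqrt(n)) * d
    p = 2.0 * sum((-1) ** (k - 1) * math.exp(-2.0 * k * k * lam * lam)
                  for k in range(1, 101))
    return min(max(p, 0.0), 1.0)


def anderson_darling_uniform(block):
    """A^2 of the byte values (mapped to bin midpoints in (0,1)) against Uniform(0,1)."""
    n = len(block)
    u = sorted((b + 0.5) / 256.0 for b in block)
    s = sum((2 * i - 1) * (math.log(u[i - 1]) + math.log(1.0 - u[n - i]))
            for i in range(1, n + 1))
    return -n - s / n


def shannon_entropy(block):
    """Shannon entropy of the byte distribution, in bits."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def ks_vote(payload, block_size):
    """Vote 'uniform' when enough blocks are not rejected by KS at P_THRESHOLD."""
    bl = blocks(payload, block_size)
    passed = sum(ks_uniform_pvalue(b) >= P_THRESHOLD for b in bl)
    return passed / len(bl) >= BLOCK_PASS_FRACTION


def ad_vote(payload, block_size):
    """Vote 'uniform' when enough blocks stay under the 10% A^2 critical value."""
    bl = blocks(payload, block_size)
    passed = sum(anderson_darling_uniform(b) <= AD_CRITICAL_ALPHA_10 for b in bl)
    return passed / len(bl) >= BLOCK_PASS_FRACTION


def entropy_distribution_vote(payload, block_size):
    """Vote 'uniform' when mean block entropy sits near the ceiling for that block size."""
    bl = blocks(payload, block_size)
    ceiling = math.log2(min(block_size, 256))  # a block cannot exceed log2(#symbols) bits
    mean_h = sum(shannon_entropy(b) for b in bl) / len(bl)
    return mean_h >= ENTROPY_FRACTION * ceiling


def classify_payload(payload, block_size=64, test_size=256, criterion=2):
    """Return True (high-entropy), False, or None when the payload is too short to
    test. `criterion` is the number of agreeing tests required (see CRITERIA_DESCRIPTIONS)."""
    if len(payload) < test_size or test_size < block_size:
        return None                        # shorter than the minimum test size: not tested
    sample = payload[:test_size]
    votes = sum([ks_vote(sample, block_size),
                 ad_vote(sample, block_size),
                 entropy_distribution_vote(sample, block_size)])
    return votes >= criterion


# Constructed samples: a deterministic SHA-256 counter stream standing in for ciphertext,
# and a plaintext HTTP request repeated to the same order of length.
CIPHERTEXT_LIKE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(32))
PLAINTEXT_LIKE = (b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n"
                  b"User-Agent: constructed-sample/1.0\r\nAccept: text/html\r\n\r\n") * 8

if __name__ == "__main__":
    for crit, name in CRITERIA_DESCRIPTIONS.items():
        print(name, "ciphertext-like:", classify_payload(CIPHERTEXT_LIKE, criterion=crit),
              "plaintext-like:", classify_payload(PLAINTEXT_LIKE, criterion=crit))
```

The plaintext sample fails all three tests, so it is negative under every criterion, while the pseudo-random sample is positive under the sensitive criterion and, almost always, the others. Because each statistical test rejects a truly uniform block about 10% of the time at P_THRESHOLD, the conservative criterion (all three must agree) trades false positives for a higher false-negative rate, which is the trade-off the criteria on this page are parameterising.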
- report_blocked_ips()[source]
Return a Wireshark-compatible filter expression to allow viewing blocked packets in Wireshark. Useful for studying false positives.
- Returns
a Wireshark-compatible filter expression string.
- run_strategy(**kwargs)[source]
PT input filters should be given as data.constants.IP_SRC and data.constants.IP_DST, and swapped around if testing for the downstream rather than the upstream direction. Negative input filters specifying innocent clients should be given as data.constants.IP_SRC.
- Parameters
  - protocol_min_length (int) – optionally set the minimum handshake TCP payload length of packets in that direction, allowing short packets to be disregarded.