CovertMark.strategy.length_clustering module

class CovertMark.strategy.length_clustering.LengthClusteringStrategy(pt_pcap, negative_pcap=None, debug=True)[source]

Bases: CovertMark.strategy.strategy.DetectionStrategy

Detects polling-based PTs such as meek by clustering the TCP payload lengths of TLS-carrying packets. It is useful for PTs that send frequent directional pings whose payloads are small and vary little in length.

DESCRIPTION = 'Detecting low-payload heartbeat messages.'
MEANSHIFT_BWS = [1, 2, 3, 5, 10]
MINIMUM_TPR = 0.4
NAME = 'Length Clustering Strategy'
RUN_CONFIG_DESCRIPTION = ['MeanShift bandwidth', 'Using top N clusters']
TLS_INCLUSION_THRESHOLD = 0.1
TLS_MODES = ['all', 'only', 'none']
USE_TOP_CLUSTERS = [1, 2]
config_specific_penalisation(config_set)[source]

The smaller the cluster bandwidth, the easier it is to perform live interception based on TCP payload length. Therefore a 2.5% penalty is applied for every extra byte of bandwidth beyond the smallest bandwidth used across all configurations.

interpret_config(config_set)[source]

Bandwidth and number of clusters used distinguish length clustering runs.

negative_run(**kwargs)[source]

The identified lengths are now checked against the negative packets. Because TLS packets with TCP payloads as small as meek's are very rare in ordinary traffic, this simple strategy turns out to be very effective.

Parameters:
  • bandwidth (int) – the bandwidth used for meanshift clustering payload lengths.
  • clusters (int) – the number of top length clusters to use in classification.
positive_run(**kwargs)[source]

Because this simple strategy is based on globally common TCP payload lengths, the identified packet ratio is not very informative here and will be fairly low (33-80%).

Parameters:
  • bandwidth (int) – the bandwidth used for meanshift clustering payload lengths.
  • clusters (int) – the number of top length clusters to use in classification.
report_blocked_ips()[source]

Return a Wireshark-compatible filter expression for viewing the blocked packets in Wireshark. Useful for studying false positives.

Returns: a Wireshark-compatible filter expression string.
run_strategy(**kwargs)[source]

PT clients and servers in the positive PCAP should be specified via data.constants.IP_SRC and data.constants.IP_DST respectively; negative clients should be specified via data.constants.IP_SRC.

Parameters: tls_mode (str) – Optionally set tls_mode to “all”, “only”, or “none” to test all packets, TLS packets only, or non-TLS packets only. Set it to “guess” or omit this parameter to let the strategy guess.
set_strategic_filter()[source]

When detecting meek specifically, it would be trivial to ignore all non-TLS packets. For a generalised strategy, however, whether TLS packets are used or disregarded should be determined by inspecting the positive packets instead. Therefore this filter only removes TCP packets with no payload.

test_validation_split(split_ratio)[source]

Not currently needed, as a fixed strategy is used.