CovertMark.strategy.length_clustering module
- class CovertMark.strategy.length_clustering.LengthClusteringStrategy(pt_pcap, negative_pcap=None, debug=True)[source]
Bases: CovertMark.strategy.strategy.DetectionStrategy
Detects polling-based PTs such as meek by clustering the TCP payload lengths of TLS-carrying packets. Useful for PTs that send frequent directional pings whose payloads are small and vary little in length.
- DESCRIPTION = 'Detecting low-payload heartbeat messages.'
- MEANSHIFT_BWS = [1, 2, 3, 5, 10]
- MINIMUM_TPR = 0.4
- NAME = 'Length Clustering Strategy'
- RUN_CONFIG_DESCRIPTION = ['MeanShift bandwidth', 'Using top N clusters']
- TLS_INCLUSION_THRESHOLD = 0.1
- TLS_MODES = ['all', 'only', 'none']
- USE_TOP_CLUSTERS = [1, 2]
- config_specific_penalisation(config_set)[source]
The smaller the cluster bandwidth, the easier it is to perform live interception based on TCP payload length. Therefore a 2.5% penalty is applied for every extra byte value in the cluster beyond the minimum cluster size found across all configurations tried.
- interpret_config(config_set)[source]
Bandwidth and number of clusters used distinguish length clustering runs.
- negative_run(**kwargs)[source]
Check the identified lengths against the negative packets. Because TLS packets with TCP payload lengths as small as meek's are very rare in ordinary traffic, this simple strategy becomes very effective.
- Parameters
bandwidth (int) – the bandwidth used for meanshift clustering payload lengths.
clusters (int) – the number of top length clusters to use in classification.
- positive_run(**kwargs)[source]
Because this simple strategy is based on common global TCP payload lengths, the identified packet ratio is not very informative here and will be fairly low (33-80%).
- Parameters
bandwidth (int) – the bandwidth used for meanshift clustering payload lengths.
clusters (int) – the number of top length clusters to use in classification.
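The positive and negative runs above, together with the bandwidth penalty, as an added example that is not CovertMark's own code: it re-implements the idea with a hand-written 1-D mean shift in place of a library MeanShift, constructed payload lengths in place of a PCAP, an illustrative score for ranking configurations, and a tcp.len display filter for inspecting false positives (the page's report_blocked_ips returns an IP-based filter instead; the score, the sample lengths and the helper names are assumptions of this example).

```python
from collections import defaultdict

# Constructed TCP payload lengths in bytes (not captured traffic). The "positive"
# side mimics a meek-like client: frequent small polling records of 42-45 bytes,
# one handshake-sized record and a few full segments. The "negative" side mimics
# ordinary HTTPS dominated by full segments, with a single 43-byte payload standing
# in for the rare small record that produces a false positive.
POSITIVE_LENGTHS = [43] * 8 + [44] * 4 + [45] * 2 + [42] + [517] + [1380] * 4
NEGATIVE_LENGTHS = [1380] * 12 + [1460] * 5 + [517] + [800] + [43]

MEANSHIFT_BWS = [1, 2, 3, 5, 10]
USE_TOP_CLUSTERS = [1, 2]
MINIMUM_TPR = 0.4


def mean_shift_1d(values, bandwidth, max_iter=100):
    """Flat-kernel mean shift over 1-D integer lengths; returns sorted cluster centres.
    A small stand-in for a library MeanShift so the example runs without one."""
    centres = []
    for seed in sorted(set(values)):
        x = float(seed)
        for _ in range(max_iter):
            window = [v for v in values if abs(v - x) <= bandwidth]  # never empty
            shifted = sum(window) / len(window)
            if abs(shifted - x) < 1e-9:
                break
            x = shifted
        centres.append(x)
    merged = []  # collapse seeds that converged to (nearly) the same centre
    for c in sorted(centres):
        if merged and abs(c - merged[-1]) <= bandwidth:
            continue
        merged.append(c)
    return merged


def top_clusters(values, bandwidth, n):
    """The n clusters holding the most packets, each as the set of lengths it contains."""
    centres = mean_shift_1d(values, bandwidth)
    members = defaultdict(list)
    for v in values:
        members[min(centres, key=lambda c: abs(c - v))].append(v)
    ranked = sorted(members.values(), key=len, reverse=True)
    return [set(m) for m in ranked[:n]]


def is_flagged(length, accepted):
    """A packet is flagged when its payload length falls in any accepted cluster."""
    return any(length in cluster for cluster in accepted)


def evaluate(bandwidth, n_clusters, positives=POSITIVE_LENGTHS, negatives=NEGATIVE_LENGTHS):
    """positive_run / negative_run in miniature: cluster the positive lengths,
    then measure what the accepted lengths catch on each side."""
    accepted = top_clusters(positives, bandwidth, n_clusters)
    tpr = sum(is_flagged(length, accepted) for length in positives) / len(positives)
    fpr = sum(is_flagged(length, accepted) for length in negatives) / len(negatives)
    width = sum(len(c) for c in accepted)  # distinct byte values a live filter must match
    return {"bandwidth": bandwidth, "clusters": n_clusters, "tpr": tpr,
            "fpr": fpr, "width": width, "accepted": accepted}


def penalty(width, min_width):
    """2.5% per extra byte value beyond the narrowest usable configuration
    (the config_specific_penalisation rule, applied to cluster width)."""
    return 0.025 * (width - min_width)


def run_grid(bandwidths=MEANSHIFT_BWS, cluster_counts=USE_TOP_CLUSTERS):
    """Try every (bandwidth, clusters) pair, drop those under MINIMUM_TPR, and rank
    the rest by TPR minus FPR minus the width penalty (the scoring is illustrative)."""
    results = [evaluate(b, n) for b in bandwidths for n in cluster_counts]
    usable = [r for r in results if r["tpr"] >= MINIMUM_TPR]
    min_width = min(r["width"] for r in usable)
    for r in usable:
        r["penalty"] = penalty(r["width"], min_width)
        r["score"] = r["tpr"] - r["fpr"] - r["penalty"]
    return sorted(usable, key=lambda r: r["score"], reverse=True)


def wireshark_length_filter(accepted):
    """Display filter selecting the flagged lengths (tcp.len is the TCP payload
    length in Wireshark), for studying false positives in a negative capture."""
    lengths = sorted(length for cluster in accepted for length in cluster)
    return " || ".join(f"tcp.len == {length}" for length in lengths)


if __name__ == "__main__":
    for r in run_grid():
        print(f"bw={r['bandwidth']:>2} top={r['clusters']} TPR={r['tpr']:.2f} "
              f"FPR={r['fpr']:.2f} width={r['width']} penalty={r['penalty']:.3f}")
    print(wireshark_length_filter(evaluate(2, 1)["accepted"]))
```

With bandwidth 2 and the single largest cluster, the accepted lengths are 42-45 bytes: 15 of 20 positive packets are caught and only the lone 43-byte negative packet is flagged. Adding the second cluster (the 1380-byte full segments) raises the positive ratio to 95% but flags most of the negative traffic, which is why the strategy keeps only the small, tightly clustered lengths.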
- report_blocked_ips()[source]
Return a Wireshark-compatible filter expression to allow viewing blocked packets in Wireshark. Useful for studying false positives.
- Returns
a Wireshark-compatible filter expression string.
- run_strategy(**kwargs)[source]
PT clients and servers in the input PCAP should be specified via data.constants.IP_SRC and data.constants.IP_DST respectively, while negative clients should be specified via data.constants.IP_SRC.
- Parameters
tls_mode (str) – Optionally set tls_mode between “all”, “only”, or “none” to test all packets, TLS packets only, or non-TLS packets only. Set it as “guess” or omit this parameter for the strategy to guess.
- set_strategic_filter()[source]
When detecting meek, it would be trivial to simply ignore all non-TLS packets. However, for a generalised strategy, whether TLS packets are used or disregarded should be determined by inspecting the positive packets instead. Therefore it is only necessary to filter out TCP packets with no payload.