Obfuscating network traffic from previously collected network traffic

摘要

An obfuscated network traffic server is operative to generate obfuscated network traffic. The obfuscated network traffic server maintains the relationship between extracted application content and extracted network header content such that the obfuscated network traffic is indistinguishable from the monitored network traffic. The obfuscated network traffic server may include a network monitor operative to monitor network traffic and to extract application content and network header content from the monitored network traffic. The obfuscated network traffic server may also include a data masking processor operative to mask a portion of the separated application content and/or the separated network header content. The obfuscated network traffic server may further include a masking attribute selector operative to specify the attributes of the application content and/or the network header content that is to be masked.

主权项

1. A system for generating obfuscated network traffic, the system comprising:
a network monitor for separating a first network traffic flow into application content and network header content based on a first network model by separately extracting the application content and network header content in accordance with the first network model; a computer-readable storage device comprising:
an application content database operative to store application content extracted from the first network traffic flow by the network monitor;a network header content database operative to store network header content extracted from the first network traffic flow by the network monitor; andan obfuscated network traffic database operative to store obfuscated network header content; a masking attribute selector operative to receive an input specifying one or more network header attributes to be masked; a data masking processor operative to:
retrieve the network header content stored in the network header content database; andmask at least a selected portion of the network header content to generate the obfuscated network header content, wherein the data masking processor is further operative to mask the selected portion of the network header based on the input received by the masking attribute selector; and an obfuscated network traffic request interface operative to:
receive a request for obfuscated network traffic; andtransmit the obfuscated network header content stored in the obfuscated network traffic database based upon the request for obfuscated network traffic; where said mask is at least one of: a bitwise operation, analyzing the IP addresses in the network header content and changing or replacing the IP addresses with a set of IP addresses, replacing one or more network priority bits of the network header content with a different but consistent set of network priority bits, replacing one or more portions of the network header content requested from the network header content database, replacing content with content stored in another database, and replacing content with randomly generated content or pseudo-randomly generated content.