Title: Benchmarking Security Technologies with Real Flows by Replaying Traces (Chinese title: 資安技術真實流量重播評比)
Author: Lin Bao-Shuh Paul (林寶樹)
Department of Computer Science, National Chiao Tung University
Keywords: traffic replay; application-layer proxy server; stateful; real traffic; Replay Test; Proxy replay; PCAP Library
Publication date: 2011
Abstract: Replay testing replays real network traffic that has been recorded into files (traces) against the system under test. Its advantage is that it combines the strengths of field testing and laboratory testing: it has the realism of a field test together with the controllability and reproducibility of a lab test, so that problems that occur when testing with real traffic can be reproduced quickly for technology and product developers to resolve. The purpose of this project is to provide security technologies with a generic set of traffic replay test tools, including traffic capture, replay, classification and extraction. With these tools, problems that arise in real network environments can be reproduced quickly, and the traffic that triggers a problem in the system under test can be identified and handed to developers for analysis and debugging. Each tool can be used on its own, but we also intend to integrate them into an application system, "PCAP Library", whose main function is to test security technologies for false positives and false negatives and to supply the traffic that may cause them, so as to improve the detection accuracy of security technologies. The PCAP Library architecture consists of five components: traffic capture, traffic classification and extraction, information reorganization, querying, and traffic replay. The problem each must solve is, respectively: capture must avoid packet loss and poor storage efficiency; classification and extraction must keep the rate of misidentification and extraction errors low; information reorganization must attend to lookup and update of information; querying must balance performance and correctness; and replay must be stateful and reproduce the conditions at capture time as closely as possible. Through the one-year project now under way, a survey report on part of the existing capture, replay, classification and extraction tools has been completed; in the remaining time we expect, besides finishing the survey of test tools, to complete development and testing of the five components. Over the following three years we also hope to complete a "voting mechanism for security technologies", "replay tools supporting different protocols", and "integration with other sub-projects to extend PCAP Library so that it supports different application scenarios and security technologies", with the ultimate aim of building a complete traffic replay tool suite and PCAP Library application system.
'Replay Test' first captures network traffic into a file, called a 'trace', and then replays the trace to trigger defects in the System Under Test (SUT). It combines the advantages of Field Test and Lab Test: the reality of the former and the controllability of the latter. Defects found by Replay Test can be reproduced more easily than those found by Field Test, since reproducing them only requires replaying the trace again.

The objective of this project is to provide security technologies with a generic tool suite for Replay Test. The tool set contains Capture, Replay, Classification, and Extraction. These tools can be used to reproduce real-world defects more efficiently than Field Test. Besides, the traffic that causes a defect can be searched out and offered to developers for further analysis and debugging. Each tool can be used on its own, but our intent is to integrate all of them into one system, named 'PCAP Library'. The main function of PCAP Library is to trigger false-positive and false-negative problems in security technologies. The traffic that causes false positives and false negatives can then be supplied to developers to analyze, to increase the accuracy of the security technologies.

There are five components in PCAP Library: traffic capturing, traffic classification and extraction, information reorganization, querying, and traffic replaying. Each has issues that need attention. For example, traffic capturing should avoid packet loss and inefficient use of storage; classification and extraction require high accuracy; information reorganization needs efficient lookup and update operations; querying must consider both performance and accuracy; and traffic replaying has to maintain the right states of the flows. With the help of the current security project, some preliminary work has been done.

For the new three-year plan, we plan to complete the survey, comparison, and development of the testing tools. The voting mechanism for the detection results of security techniques, replaying traffic for different application protocols and scenarios, and integration with other sub-projects are also included.
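The classification and extraction stage described above, shown as an added example that is not part of the project's PCAP Library code: it reads a libpcap trace, groups Ethernet/IPv4 TCP and UDP packets into bidirectional flows keyed by a canonical 5-tuple, selects flows with a predicate (here: TCP flows on port 80) and writes only those packets back out as a new trace in their original order, which is the artefact a developer would be handed to reproduce a false positive or false negative. The sample trace, the `make_frame` helper and the predicate `http_flows` are constructed for this example so it runs offline; packets are assumed to be Ethernet-framed, as a capture on a LAN would produce.

```python
"""Flow classification and extraction over a libpcap trace (added example)."""
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4          # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1


def build_pcap(packets):
    """Serialise (ts_sec, ts_usec, frame_bytes) tuples into a libpcap file image."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for sec, usec, data in packets:
        out += struct.pack("<IIII", sec, usec, len(data), len(data)) + data
    return bytes(out)


def parse_pcap(blob):
    """Yield (ts_sec, ts_usec, frame_bytes) records; the magic number fixes the byte order."""
    magic, = struct.unpack_from("<I", blob, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    off = 24                       # global header is 24 bytes
    while off + 16 <= len(blob):
        sec, usec, incl, _orig = struct.unpack_from(endian + "IIII", blob, off)
        off += 16
        yield sec, usec, blob[off:off + incl]
        off += incl


def flow_key(frame):
    """Direction-independent 5-tuple (proto, ip_a, port_a, ip_b, port_b) for an
    Ethernet/IPv4 TCP or UDP frame, or None for anything else (not classified)."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # ethertype must be IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src, dst = frame[26:30], frame[30:34]
    l4 = 14 + ihl
    if proto not in (6, 17) or len(frame) < l4 + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    a, b = (src, sport), (dst, dport)
    return (proto,) + (a + b if a <= b else b + a)  # both directions map to one key


def make_frame(src, dst, proto, sport, dport, payload=b""):
    """Constructed Ethernet/IPv4 frame with a minimal TCP (6) or UDP (17) header.
    Checksums are left zero; a replay tool would recompute them before sending."""
    ip_src = bytes(int(x) for x in src.split("."))
    ip_dst = bytes(int(x) for x in dst.split("."))
    if proto == 6:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    else:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0, ip_src, ip_dst) + l4
    return b"\x00" * 12 + b"\x08\x00" + ip


def classify_flows(blob):
    """Group packets by flow key -> {key: [(index, sec, usec, frame), ...]}."""
    flows = defaultdict(list)
    for idx, (sec, usec, frame) in enumerate(parse_pcap(blob)):
        key = flow_key(frame)
        if key is not None:
            flows[key].append((idx, sec, usec, frame))
    return flows


def extract_flows(blob, predicate):
    """Return (new_pcap_bytes, packet_count) holding only the packets of flows
    for which predicate(key, packets) is true, in original capture order."""
    keep = [p for key, pkts in classify_flows(blob).items() if predicate(key, pkts) for p in pkts]
    keep.sort(key=lambda p: p[0])
    return build_pcap([(sec, usec, frame) for _, sec, usec, frame in keep]), len(keep)


def http_flows(key, pkts):
    """Example predicate: TCP flows with port 80 at either end."""
    return key[0] == 6 and 80 in (key[2], key[4])


# Constructed sample trace: one HTTP exchange, one DNS exchange, one lone TLS SYN.
SAMPLE_TRACE = build_pcap([
    (1, 0,   make_frame("10.0.0.5", "93.184.216.34", 6, 40000, 80, b"GET / HTTP/1.0\r\n\r\n")),
    (1, 500, make_frame("10.0.0.5", "10.0.0.1", 17, 53000, 53, b"\x12\x34\x01\x00" + b"\x00" * 8)),
    (1, 900, make_frame("93.184.216.34", "10.0.0.5", 6, 80, 40000, b"HTTP/1.0 200 OK\r\n\r\n")),
    (2, 0,   make_frame("10.0.0.1", "10.0.0.5", 17, 53, 53000, b"\x12\x34\x81\x80" + b"\x00" * 8)),
    (2, 100, make_frame("10.0.0.5", "93.184.216.34", 6, 40001, 443)),
])

if __name__ == "__main__":
    for key, pkts in classify_flows(SAMPLE_TRACE).items():
        print(key[0], key[2], key[4], len(pkts), "packets")
    extracted, n = extract_flows(SAMPLE_TRACE, http_flows)
    print(n, "packets extracted into", len(extracted), "bytes of pcap")
```

The canonical key is what makes the extraction stateful in the sense the abstract requires: both directions of a conversation land in the same flow, so the extracted trace still carries the request and its response, and a replay tool can re-establish the full exchange rather than one half of it.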
Official document no.: NSC100-2218-E009-018
URI: http://hdl.handle.net/11536/99766
https://www.grb.gov.tw/search/planDetail?id=2329273&docId=365450
Appears in collections: Research Plans