Benchmarking Security Technologies with Real Flows by Replaying Traces
Lin Bao-Shuh Paul
Keywords: Replay Test; System Under Test (SUT); Field Test; Lab Test; Extraction; False-Positive; False-Negative; Information Reorganization; Packet Loss; State
The PCAP Library system architecture comprises five major components: traffic capturing, traffic classification and extraction, information reorganization, querying, and traffic replaying. Traffic capturing must avoid packet loss and inefficient use of storage; traffic classification and extraction must keep the probability of error low; information reorganization must attend to information lookup and update; querying must balance performance and correctness; and traffic replaying must reproduce the state of the flows (stateful replay) as faithfully as possible. Within one year the project expects to develop three types of generic techniques related to Replay Test, namely replay, extraction, and classification; to publish patents and papers on traffic replay such as low-storage capture and loss-recovery selective replay, proxy replay, replay ineffectiveness factors analysis, techniques for PCAP library, classification state machines, and PCAP Lib 1.0: overview and case studies; to develop two replay tools, socket replay and proxy replay, together with the PCAP Library application system; and to carry out at least three test cases on security products.
"Replay Test" first captures network traffic into a file, called a "trace", and then replays the trace to stimulate defects in the System Under Test (SUT). It combines the realism of the Field Test with the controllability of the Lab Test. Defects found by Replay Test are easier to reproduce than those found by Field Test, since reproducing them only requires replaying the trace again. The objective of this project is to provide security technologies with a generic tool set for Replay Test. This tool set contains Capture, Replay, Classification, and Extraction. These tools reproduce real-world defects more efficiently than Field Test, and the traffic that causes a defect can also be searched out and handed to developers for further analysis and debugging. Each of these tools can be used on its own, but our goal is to integrate all of them into a single system, named "PCAP Library". The main function of PCAP Library is to stimulate false-positive and false-negative problems in security technologies. The traffic that causes these problems can then be supplied to developers to analyze, so as to increase the accuracy of the security technologies. There are five components in the PCAP Library: traffic capturing, traffic classification and extraction, information reorganization, querying, and traffic replaying. Each raises issues that need attention: traffic capturing should avoid packet loss and inefficient use of storage; traffic classification and extraction require high accuracy; information reorganization concerns lookup and update; querying needs to consider both performance and accuracy; and traffic replaying has to preserve the state of flows.
This project aims to develop three kinds of security technologies, to propose related patents and papers (including low-storage capture and loss-recovery selective replay, proxy replay, replay ineffectiveness factors analysis, techniques for PCAP library, classification state machines, and PCAP Lib 1.0), and to execute at least three testing cases.
Appears in Collections: Research Plans