Title: Effectiveness in Replaying Real Traffic: An Evaluation
Authors: Sagastume Jacobo, Jose Miguel (沙荷西)
Lin, Ying-Dar (林盈達)
International Degree Program in Electrical Engineering and Computer Science
Keywords: network testing; traffic replay; event reproduction ratio; effectiveness
Publication date: 2012
Abstract: Capturing and replaying real flows is important for testing network security products. However, under the same testing scenario, replayed traffic should effectively reproduce the events that the live traffic triggers at the devices under test (DUTs). This work presents methods to calculate the event reproduction ratio and the effectiveness of replay tools, based on packet events and connection events. The stateful SocketReplay and the stateless Tcpreplay were applied in this study. Results indicated that the traffic contents, the replay policies, and the DUT filtering rules can significantly affect the event reproduction ratio and the effectiveness of replay tools. For example, traffic with a large portion of incomplete connections, and replay policies based on connections rather than timestamps, can considerably impair the event reproduction ratio and the effectiveness of replayers. The results show that SocketReplay, which can accurately establish the correct TCP session, can replay only 38.74% of TCP traffic, resulting in effectiveness of 99.97% and 0.00% for the passing and blocking event ratios, respectively, while Tcpreplay in CIDR mode can replay 99.99% of TCP traffic, resulting in effectiveness of 99.73% and 75.64% for the passing and blocking event ratios, respectively, when the captured traffic has many incomplete connections and events are triggered by heuristic-based and signature-based rules. The choice of a proper replayer and its replay policies should depend on the contents of the captured traffic, to avoid a significant drop in the event reproduction ratio and the effectiveness of replayers.
URI: http://140.113.39.130/cdrfb3/record/nctu/#GT079903502
http://hdl.handle.net/11536/48979
Appears in Collections: Thesis


Files in This Item:

  1. 350201.pdf