
Network Traffic Simulation Based-on Log

Posted on: 2005-04-24
Degree: Master
Type: Thesis
Country: China
Candidate: L Z Kong
Full Text: PDF
GTID: 2168360125950488
Subject: Computer system architecture
Abstract/Summary:
In the past few years the use of commercial intrusion detection system (IDS) technology has grown considerably, and IDSs are now standard equipment for large networks. Quantitative IDS performance measurements are still not available, however, because several research hurdles must be overcome before sound IDS tests can be built. One of these problems is how to simulate background traffic during IDS evaluation.

This paper first analyses the challenges of IDS testing, then points out both the importance of simulating background traffic and the problems it faces. It also surveys the efforts and techniques in this field, and finally presents the main idea of simulating traffic in the test.

We developed our own traffic replay system. Its main idea comes from tcpreplay, and it depends on two network programming libraries, libpcap and libnet. The system uses Snort's log as the prototype and replays the Ethernet packets stored in a log file as they were captured. The realization has three steps: processing the log file, controlling the traffic, and replaying it according to the needs of the test.

The log file is the origin of the traffic, so we must first understand the principle of sniffing on the network and the sniffer used in the test, and then analyse the components of the dump file that the sniffer produces. After understanding all the details of the log file, we build data structures that represent this information. Finally, according to the protocol by which each packet was encapsulated, we extract the most useful information about the traffic and fill it into the corresponding data structures.

During the control process we edit the information obtained from the log so that it meets the demands of the test. The control process includes replay speed control, multiple control, resetting IP address and MAC address information, and handling truncated packets.

For speed control we adjust the interval between two packets: to speed up we shorten the interval, otherwise we extend it by calling the sleep function. For multiple control we calculate how many bytes are sent per second and then adjust the timestamp in every packet so that each packet is sent at the accurate time. Resetting address information is somewhat easier than the other controls; we need only fill new data into the address data structures we defined. To create new IP addresses automatically, we set up a procedure that generates a given number of random IP addresses. Some packets are truncated by the sniffer; to replay them we either readjust the packet length recorded in the log file or fill the data field so that it fits the recorded length.

In the test the system can replay both attack traffic and background traffic, and it works well with the other software in the system. Although libpcap has been ported to Windows as WinPcap, libnet has no such Windows version, so the replay system can only run on Linux or Unix. As libnet develops, this can be solved and the system ported to Windows. The system has most of the functions needed to replay network traffic, but it still has problems of code security, execution speed and so on, which will be improved later.
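The three preparation steps described above (parsing the sniffer's dump file, rewriting MAC and IP addresses, scaling inter-packet intervals and padding packets the sniffer truncated) as an added, self-contained example; this is not the thesis's code. It assumes the classic libpcap file format, rewrites addresses in pure Python instead of libnet, and returns a replay schedule rather than sending frames; the sample capture is constructed inline.

```python
import struct
PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap file magic (microsecond timestamps)

def parse_pcap(data):
    """Yield (timestamp_s, caplen, origlen, frame) for each record of a pcap file image."""
    magic, = struct.unpack_from("<I", data, 0)
    e = "<" if magic == PCAP_MAGIC else ">"   # byte order follows the capturing host
    off = 24                                  # skip the fixed 24-byte global header
    while off + 16 <= len(data):
        sec, usec, caplen, origlen = struct.unpack_from(e + "IIII", data, off)
        off += 16
        yield sec + usec / 1e6, caplen, origlen, data[off:off + caplen]
        off += caplen

def ipv4_checksum(hdr):
    """RFC 791 one's-complement sum over the IPv4 header (caller zeroes the checksum field)."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def rewrite_frame(frame, src_mac, dst_mac, src_ip, dst_ip):
    """Replace Ethernet and IPv4 addresses and recompute the IPv4 header checksum."""
    f = bytearray(frame)
    f[0:6], f[6:12] = dst_mac, src_mac
    if f[12:14] == b"\x08\x00" and len(f) >= 34:  # IPv4 with the full fixed header captured
        ihl = (f[14] & 0x0F) * 4
        f[26:30], f[30:34], f[24:26] = src_ip, dst_ip, b"\x00\x00"
        f[24:26] = struct.pack("!H", ipv4_checksum(bytes(f[14:14 + ihl])))
    return bytes(f)

def build_schedule(data, speed, src_mac, dst_mac, src_ip, dst_ip):
    """Return [(delay_s, frame)]: inter-packet gaps divided by `speed`, truncated frames zero-padded."""
    out, prev = [], None
    for ts, caplen, origlen, frame in parse_pcap(data):
        frame = rewrite_frame(frame, src_mac, dst_mac, src_ip, dst_ip)
        if caplen < origlen:                  # snaplen cut the packet: pad the data field to wire length
            frame += b"\x00" * (origlen - caplen)
        out.append((0.0 if prev is None else (ts - prev) / speed, frame))
        prev = ts
    return out

def _ipv4_frame(src_ip, dst_ip, payload):  # builds a constructed Ethernet/IPv4 frame for the sample capture
    h = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, 17, 0, src_ip, dst_ip))
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + bytes(h) + payload

_F1 = _ipv4_frame(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", b"hello")
_F2 = _ipv4_frame(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", b"x" * 40)
SAMPLE_PCAP = (struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)      # constructed global header, Ethernet link type
               + struct.pack("<IIII", 1, 0, len(_F1), len(_F1)) + _F1          # t=1.0s, complete frame
               + struct.pack("<IIII", 1, 500000, 40, len(_F2)) + _F2[:40])     # t=1.5s, cut to 40 bytes by snaplen
```

Feeding the returned schedule to a sender loop (sleep for `delay_s`, then write `frame` to the interface) gives the replay behaviour the thesis describes; a speed factor above 1 compresses the gaps, below 1 stretches them.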
Keywords/Search Tags: Simulation