
Network Background Traffic Simulator For IDS Evaluation

Posted on: 2010-10-08  Degree: Master  Type: Thesis
Country: China  Candidate: Y Liu  Full Text: PDF
GTID: 2178360272495904  Subject: Computer system architecture
Abstract/Summary:
The Internet has greatly facilitated people's lives, but as its use has spread, trojans, viruses and malicious intrusions interfere with normal use of the network, and network security has become very important. A network intrusion is an illegal action that damages the integrity, confidentiality or availability of network information, causing loss of network resources and system failure; any event that violates the security policy is regarded as intrusion behaviour. An intrusion detection system (IDS) monitors the security state of a system and identifies suspicious and unauthorized network behaviour by collecting and analysing information at key points of the computer system and network.

However, intrusion detection systems have weaknesses. Rapid development of network technology and continual hardware upgrades have greatly increased transfer speeds, which place a heavy burden on a conventional IDS, so an IDS cannot be considered absolutely reliable. If the IDS itself is compromised, it cannot effectively handle other intrusion events on the network. Moreover, imperfections in pattern recognition technology lead to high false-alarm rates. Intrusion detection has therefore reached a stage at which stricter evaluation of IDSs is required: consumers and designers both want a simple and reasonable method to evaluate an IDS fairly and credibly. Whatever kind of evaluation is used, specific network traffic is needed for the test.

During evaluation the IDS is not placed in a real network environment, because a real environment is not controllable and is too specific to one site, which makes accurate testing difficult. In general a dedicated network environment must be built for testing, and network traffic must be generated to exercise the IDS. This traffic divides into non-malicious and malicious traffic; this thesis focuses on simulating the non-malicious part, called background traffic.

Existing traffic simulation tools share several problems: they cannot generate the traffic we need, the payload cannot be changed flexibly, or they only test network protocols and cannot produce realistic traffic. These weaknesses affect IDS evaluation. In addition, some traffic generators are designed to test network equipment and are not concerned with payload content, which may be generated randomly. Randomly generated payloads cause problems: they may produce false alarms and incorrect IDS test results, because the payload content cannot be controlled and the load placed on the IDS is unpredictable.

To simulate network traffic it is necessary to analyse and summarize the real network environment. Some application-level services, such as HTTP and FTP, are used frequently, while others, such as Telnet, are rarely used. By monitoring the network traffic and analysing the results, we calculate the percentage of each type of network service in the total traffic and use these percentages to produce nearly realistic traffic. Background traffic is composed of different protocols corresponding to different network applications; different applications have different payload contents, while payloads within the same kind of application are similar. We can therefore classify payload contents by protocol and build a separate payload pool for each, and when simulating traffic we select payloads from the pool that matches the protocol. As with the work described above, we analyse the actual network environment to obtain usage rates, and then drive the traffic generator from those results.

Developing the traffic generator begins at the transport layer, which has the TCP and UDP protocols. TCP is connection-oriented while UDP is not, so separate modules implement each; these modules wrap the network actions provided by the socket API and simplify later work. At the application layer, header formats and payload contents differ from protocol to protocol. In a real network, workstations and servers run a variety of programs using different application-layer protocols, so the header and payload must be combined and transmitted in a way specific to each protocol. In this way application-layer traffic is simulated; that is, specific network traffic is simulated at the application layer.

Simulating background traffic also requires control of the traffic rate, i.e., limiting the simulated traffic rate to a certain range; for example, limiting the current HTTP traffic to 50KB/s or the current FTP traffic to 300KB/s. An algorithm to control the simulated traffic rate is therefore needed; without rate control, the traffic produced by the generator could exhaust the network bandwidth. In this thesis a bucket algorithm is used to control the generation rate.

After this analysis we design the actual modules of the background traffic generator. At the transport layer we build UDP and TCP modules, which form the basis of the application-layer modules. At the application layer we build HTTP, FTP and DNS modules to generate the different kinds of traffic; the design of each module differs. Finally we complete the task and test each module. The test results indicate that the background traffic generated by the modules meets the requirements of IDS testing, and the successful design of these modules shows that other application-layer modules can be realized in the same way. By continuously improving the background traffic generator, the different kinds of background traffic required by IDS tests can be obtained.
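The following is an added illustration, not code from the thesis: it pairs the per-protocol payload pools described above with a token-bucket rate limiter (one reading of the "bucket algorithm") that paces payloads to the 50KB/s HTTP and 300KB/s FTP targets. The payload pools, the DNS rate and the simulated clock are constructed assumptions so the run is deterministic and offline.

```python
"""Token-bucket pacing of per-protocol payload pools (added example, simulated clock)."""
import random

# Constructed payload pools, one per application protocol (placeholders, not real captures).
PAYLOAD_POOLS = {
    "HTTP": [b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n",
             b"GET /img/logo.png HTTP/1.1\r\nHost: www.example.test\r\n\r\n"],
    "FTP":  [b"USER anonymous\r\n", b"PASS guest@\r\n", b"LIST\r\n"],
    "DNS":  [b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x03www\x07example\x04test\x00\x00\x01\x00\x01"],
}
# Target rates in bytes per second (1 KB = 1024 bytes assumed; the DNS value is constructed).
RATE_LIMITS = {"HTTP": 50 * 1024, "FTP": 300 * 1024, "DNS": 10 * 1024}


class TokenBucket:
    """Tokens are bytes; the bucket refills at `rate` B/s up to `capacity` (the burst)."""

    def __init__(self, rate, capacity, now=0.0):
        self.rate, self.capacity = float(rate), float(capacity)
        self.tokens, self.last = float(capacity), now

    def acquire(self, nbytes, now):
        """Return the earliest time >= now at which nbytes may be sent, consuming them."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < nbytes:  # wait until the deficit has refilled
            now += (nbytes - self.tokens) / self.rate
            self.tokens, self.last = float(nbytes), now
        self.tokens -= nbytes
        return now


def simulate(protocol, duration, burst_seconds=1.0, seed=0):
    """Pace `protocol` payloads for `duration` simulated seconds; return (bytes, packets)."""
    rng, pool = random.Random(seed), PAYLOAD_POOLS[protocol]
    rate = RATE_LIMITS[protocol]
    bucket = TokenBucket(rate, rate * burst_seconds)
    t, sent, packets = 0.0, 0, 0
    while True:
        payload = rng.choice(pool)           # pick from the pool that matches the protocol
        t = bucket.acquire(len(payload), t)  # the limiter decides when it may go out
        if t >= duration:
            break
        sent += len(payload)  # a real generator would write the payload to the socket here
        packets += 1
    return sent, packets


if __name__ == "__main__":
    for proto in PAYLOAD_POOLS:
        nbytes, n = simulate(proto, duration=10)
        print(f"{proto}: {n} packets, {nbytes / 10 / 1024:.1f} KB/s average over 10 s")
```

With a one-second burst the average over 10 s lands slightly above the target because the bucket starts full; with burst_seconds=0 it converges on the target from below.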
Keywords/Search Tags: Background Traffic, Intrusion Detection, Test, Traffic Simulation, Payload Content, Speed Control