資安技術真實流量實地評比---子計畫一：資安技術真實流量重播評比

Abstract

重播測試是將真實網路流量錄製成為檔案(traces)後再加以重播出來對待測物進行測試，它的好處在於綜合(combine)實地測試與實驗室測試的優點，一方面有實地測試的真實性另一方面又有實驗室測試的可控制性，可讓真實流量下所發生的問題更快速地重製便利開發者解決問題。 本計畫的目的在於提供資安技術一組通用(Generic)的重播測試工具，其中包括了流量錄製、流量重播、流量分類以及流量萃取，透過這些工具來進行重播測試除了可以快速地重製出真實環境下的問題之外，同時亦可找出造成待測物出問題的流量提供給開發者進一步地分析與除錯，這些工具除了可以獨立使用之外，我們打算整合這些工具發展出一套應用系統「PCAP Library」，其最主要的功用在於測試資安技術誤判跟漏判的問題並提供可能造成誤判及漏判的traces給開發者分析，進而提高資安技術的辨識準確度。 PCAP Library系統架構中包括了五大元件，這五大元件分別是流量錄製、流量分類與萃取、資訊重組、詢問以及流量重播，流量錄製時要避免封包遺失(packet loss)及存儲空間效率低落，流量分類與萃取時要將錯誤的機率壓低，資訊重組時要注意資訊尋找與更新，詢問時要兼顧效能及正確性，流量重播時必須讓流量的狀態(stateful)盡可能的重現。預期在一年內可以發展出與重播測試相關三種類型的Generic技術其中包括重播、萃取及分類，發表流量重播相關專利與論文如: low-storage capture and loss-recovery selective replay、proxy replay、replay ineffectiveness factors analysis、techniques for PCAP library、classification state machines、PCAP Lib 1.0: overview and case studies，研發socket replay與proxy replay兩套重播工具及PCAP Library應用系統，同時將執行至少上三件以上的資安產品測試案。

"Replay Test" first captures network traffic into a file, called "trace", and then replays the trace to stimulate defects of System Under Test (SUT). It combines the advantages of reality and controllability in the Field Test and Lab Test, respectively. Defects found by "Replay Test" can be reproduced more easily than those found by "Field Test" since what we need to do to reproduce them is just replaying the trace again. The objective of this project is to provide security technologies with a generic tool set for Replay Test. This tool set contains Capture, Replay, Classification, and Extraction. They can be used to reproduce real-world defects more efficiently than Field Test. Besides, the traffic which causes defects can also be searched out and offered to developers for further analysis and debugging. Each of these tools can be solo exercised, but what we want to do is to integrate all of them to become a very useful system, named "PCAP Library". The main function of PCAP Library is to stimulate false-positive and false-negative problems in the security technologies. The traffic which causes false-positive and false-negative problems can be supplied for developers to analyze and increase the accuracy of security technologies. There are five components in the PCAP Library, which are traffic capturing, traffic classification and extraction, information reorganization, querying, and traffic replaying. Some issues exist and need to be paid attention. For examples, traffic capturing should avoid packet loss and inefficient utilization of storage, traffic classification and extraction require high accuracy, information reorganization concerns lookup and update, querying needs to consider both performance and accuracy, traffic replaying has to be careful about the state of flows. This project aims to develop three kinds of security technologies and to propose related patents and papers, including low-storage capture and loss-recovery selective replay, proxy replay, replay ineffectiveness factors analysis, techniques for PCAP library, classification state machines, PCAP Lib 1.0 and to execute at least three testing cases.