真實流量測試平台上的網路鑑識

Abstract

現存的網路安全防護機制透過『深層封包檢查』(Deep Packet Inspection)比對通過 網路裝置的封包應用層表頭或內容(application header or payload)，檢查是否存在某些特 徵字串(Signature)，如果有就加以阻擋並產生Log，這類的網路防護機制我們稱為無狀 態的(Stateless)，因為只能知道及記錄有發生什麼事件而無法還原(Reproduce)事件發生 之流程，只有偵測(Detection)而無鑑識(Forensics)。相反的，如果錄下完整事件過程， 可以還原事件作為鑑識，就稱為有狀態的(Stateful)。如果以偵測為主的Stateless 防護機 制是在Security 1.0 的進程，那麼未來以鑑識為目標的Stateful 防護機制就是將進程推 進至Security 2.0，這項努力的意義是遠大的。有狀態(States)的網路防護機制可以連續 (Continuous)記錄，或是針對特定事件片段(Piece-Wise)記錄事件發生的過程。連續記錄 錄的資料量太大且不容易在錄的大量資料中找出事件相關過程，所以比較好的模式是 片段狀態式(Piece-Wise Stateful)，可以只錄事件相關之片段或從完整錄到的資料中 抽取出事件相關片段。不論是哪種方式，都需要萃取的方法，即時或非即時的抓出特 定事件以便還原及鑑識。 這個三年計畫的整體目標是利用交大計中與網路測試中心的真實流量測試平台 (Beta Site)發展與驗證一個片段狀態式網路鑑識系統，開發可在Gigabit 及10Gbps Ethernet 上運作的四項網路鑑識技術及三項網路鑑識應用。四項技術分別是(1)錄製 (Capture)/重播(Replay)技術、(2)應用分類技術(Application Classification)、(3)特定流量 萃取(Extraction of Concerned Traffic)，及(4)多點鑑識(Multi-point Forensics)；三項應用 分別是(1)一套完整片段狀態式網路鑑識系統—軟性即時網路鑑識系統(Soft Real-Time Network Forensics System)、(2)產品錯誤重製(Bug Reproduction)、(3)PCAP 流量檔案函 式庫(Libraries of PCAP files)。第一年目標是在1Gbps Ethernet 環境上完成前三項技術。 第二年完成在1Gbps Ethernet 上多點鑑識技術及三項應用。第三年將成果提升用在 10Gbps Ethernet 的環境。

Existing network security mechanisms examine application headers and payloads of packet flows against signature databases. Such practices are known as deep packet inspection. If matched, the packets are blocked and logged. These mechanisms are stateless since they detect and log the concerned events but could not reproduce the events, i.e. only detection but no forensics. On the contrary, if the traffic of an event, i.e. the states, can be recorded and later reproduced to do forensics, we have the chance to push the current stateless network security, named as security 1.0, to the next-generation stateful network security, named as security 2.0, which appears to be a sound vision to pursue. The states could be recorded continuously on all traffic or only piece-wisely on specific events. Apparently the continuous recording would have traffic volume explosion and difficulties to search for specific events. Thus, the piece-wise recording is a better model, though it requires some non-trivial extraction of specific events by either real-time on-line detection of these events from the raw traffic or non-real-time off-line extraction from the recorded traffic. This 3-year project aims, by leveraging the beta site with real live traffic managed by the NCTU Computer Center (CC) and Network Benchmarking Lab (NBL), to develop and test a piece-wise stateful network forensics system which calls for research on 4 forensics techniques and 3 forensics applications. The 4 techniques include traffic capture and replay, application classification, extraction of concerned traffic, and multi-point forensics, while the 3 applications are a fully integrated piece-wise stateful network forensics system, named as soft real-time network forensics system, bug reproduction, and libraries of PCAP files. In the 1st year, we intend to complete the 1Gbps-Ethernet version of the first three forensics techniques. In the 2nd year, we extend to the multi-point forensics and the three forensics applications. These 1Gbps-Ethernet solutions are to be upgraded to their 10Gbps-Ethernet version in the 3rd year.