Full metadata record

| DC Field | Value | Language |
| --- | --- | --- |
| dc.contributor.author | 羅棨鐘 | en_US |
| dc.contributor.author | Chi Chung Luo | en_US |
| dc.contributor.author | 林盈達 | en_US |
| dc.contributor.author | Ying Dar Lin | en_US |
| dc.date.accessioned | 2014-12-12T02:56:39Z | - |
| dc.date.available | 2014-12-12T02:56:39Z | - |
| dc.date.issued | 2005 | en_US |
| dc.identifier.uri | http://140.113.39.130/cdrfb3/record/nctu/#GT009323555 | en_US |
| dc.identifier.uri | http://hdl.handle.net/11536/79082 | - |
| dc.description.abstract | Whether a system is secure is usually tested with vulnerability assessment tools. One class of these tools uses external network traffic to query whether a particular service on a system is open, in order to find out whether the system has vulnerabilities. However, such testing cannot precisely identify the system's weaknesses, because it does not actually know whether the system's vulnerabilities can be compromised; we therefore want to use real network attacks to test a system's weaknesses. In practice, real network attacks are not easy to collect, so this study designs an attack traffic extraction system. The system has three key points. First, it replays recorded traffic to intrusion detection and prevention systems to obtain alert logs. Second, based on the alert logs, it finds in the real traffic the most critical packets that caused the intrusion detection and prevention systems to raise alerts. Through the first two key points, a set of packets with the same network characteristics is called a network attack connection. However, a network attack may have multiple sources, or a single source may have multiple connections, so after analysis and observation this study designed the third key point. The third key point is to find attacks with multiple sources through content similarity matching. 83% of the attacks obtained through the attack traffic extraction system do not vary easily under external influence, and among the low-variation attacks 71% can be verified as complete and free of impurities. With the help of this system, this study can extract complete, impurity-free attacks and also use these extracted attacks to compare how they differ from the traffic of vulnerability assessment tools. | zh_TW |
| dc.description.abstract | Vulnerability assessment (VA) tools can be used to check system security. One kind of VA tool uses network traffic to send requests to a system service and waits for the service's response. From that response, the VA tool can find the vulnerabilities of the system. However, such a tool cannot actually find the system's vulnerabilities, because it cannot check whether a vulnerability can really be exploited. Therefore, we need to use real attacks to test system vulnerabilities. In fact, real attacks are difficult to collect. Therefore, this work proposes an attack session extraction system. The attack session extraction system has three key points. First, it replays recorded traffic to IDP products to obtain alarm logs. Second, it uses the alarm logs to find the critical packets that caused the IDP products to raise alarms. With the first and second key points, the system finds the packets that share the same network characteristics and merges them into a set that forms one connection of a network attack. However, a network attack may have many attackers, or a single attacker with multiple connections. Therefore, this work analyzed the attacks and designed the third key point, which uses packet payload similarity to find the attacks that have multiple attackers. 83% of the extracted attacks have low variation, and 71% of the low-variation attacks can be verified as complete and pure. With the help of attack session extraction, this work can extract complete attacks and also use the extracted attacks to compare the differences between VA tools and real attacks. | en_US |
| dc.language.iso | en_US | en_US |
| dc.subject | Network Security | zh_TW |
| dc.subject | Vulnerability Detection | zh_TW |
| dc.subject | Network Attacks | zh_TW |
| dc.subject | Traffic Extraction | zh_TW |
| dc.subject | Content Similarity Matching | zh_TW |
| dc.subject | Network Security | en_US |
| dc.subject | Vulnerability Assessment | en_US |
| dc.subject | Network Attacks | en_US |
| dc.subject | Session Extraction | en_US |
| dc.subject | Payload Similarity | en_US |
| dc.title | Extracting and Replaying Attack Traffic from Real Network Traffic | zh_TW |
| dc.title | Attack Session Extraction and Replay from Real Traffic | en_US |
| dc.type | Thesis | en_US |
| dc.contributor.department | Institute of Computer Science and Engineering | zh_TW |
Appears in collections: Theses


Files in this item:

  1. 355501.pdf

If the file is a zip archive, download and extract it, then open index.html in the extracted folder with a browser to view the full text.