Attack Session Extraction and Replay from Real Traffic

Master's === National Chiao Tung University === Institute of Computer Science and Engineering === 94 === Vulnerability assessment (VA) tools can be used to check system security. One kind of VA tool uses network traffic to request a system service and waits for the response of the service. From the response of the service, the VA tool can fi...


Bibliographic Details
Main Authors: Chi Chung Luo, 羅棨鐘
Other Authors: Ying Dar Lin
Format: Others
Language: en_US
Published: 2006
Online Access: http://ndltd.ncl.edu.tw/handle/67261828776226307289
id ndltd-TW-094NCTU5394144
record_format oai_dc
spelling ndltd-TW-094NCTU5394144 2016-05-27T04:18:37Z http://ndltd.ncl.edu.tw/handle/67261828776226307289
Attack Session Extraction and Replay from Real Traffic 從真實網路流量中萃取與重製攻擊流量
Chi Chung Luo 羅棨鐘
Master's, National Chiao Tung University, Institute of Computer Science and Engineering, 94

Vulnerability assessment (VA) tools can be used to check system security. One kind of VA tool uses network traffic to request a system service and waits for the response of the service. From the response of the service, the VA tool can find the vulnerability of the system. However, this tool cannot actually find the vulnerability of the system, because it cannot check whether the vulnerability of the system is destructive or not. Therefore, we need to use real attacks to test the system vulnerability. In fact, real attacks are difficult to collect. Therefore, this work proposes an attack session extraction system. The attack session extraction system has three key points. First, the attack session extraction system replays the recorded traffic to IDP products to get alarm logs. Second, the attack session extraction system uses the alarm logs to find the critical packet on which the IDP products raise an alarm. The first and second key points of the attack session extraction system can find the packets that have the same network characteristics and merge them into a set as a connection of a network attack. However, a network attack may have many attackers, or a single attacker but multiple connections. Therefore, this work analyzed the attacks and designed the third key point. The third key point is using packet payload similarity to find the attacks that have multiple attackers. 83% of the extracted attacks have low variation. 71% of the low-variation attacks can be verified as complete and pure. With the help of attack session extraction, this work can extract complete attacks and also use the extracted attacks to compare the difference between VA tools and real attacks.

Ying Dar Lin 林盈達 2006 degree thesis; thesis 28 en_US
collection NDLTD
language en_US
format Others
sources NDLTD