A Design of Flexible Testbed for Network Security Evaluation

(Korean title: A Design of a Flexible Testbed for Network Security Evaluation)

  • 임이진 (School of Information and Communication Engineering, Sungkyunkwan University);
  • 최형기 (School of Information and Communication Engineering, Sungkyunkwan University);
  • 김기윤 (PIOLINK, Inc.)
  • Published: 2010.02.15

Abstract

We present a testbed for collecting log information and evaluating network security under various attacks. The testbed is modeled on the real Internet, where attack traffic coexists with normal traffic. Attacks can be produced either directly by attack tools or by replaying data sets that include attack traffic. It costs less time and money to construct than existing testbeds, which are both costly and often time-consuming to build. It can also be easily revised or extended according to the traffic types or the intended use. Using our testbed therefore makes various tests more efficient and facilitates collecting the log information of sensors under attack. We show how to use the testbed through the replay procedures for a DDoS attack and a worm, and we discuss how we overcame several difficulties in constructing it.

In this paper we construct a testbed that can evaluate the performance of security devices and collect the log information of sensors within the network. The testbed provides a test environment similar to the real Internet and is built so that attacks can either be generated directly inside the testbed or reproduced using data sets that contain attack traffic. Compared with existing testbeds, it can be constructed with relatively little cost and time, and it is easy to modify or extend according to the type of attack traffic or the purpose for which the testbed is used. It therefore makes it easy to carry out performance evaluations of security devices, which could not readily be conducted before because of the large cost and time involved, and to collect the logs of the sensors present in the network when an attack occurs. We present the various problems that can arise when constructing such a testbed along with their solutions, and we show the process of reproducing a DDoS attack and a worm using the proposed testbed.
