【摘要】：流量回放作為在網(wǎng)絡(luò)靶場(chǎng)中產(chǎn)生流量的方法之一,有著不可取代的特性。它可以保證回放出的流量有著和真實(shí)網(wǎng)絡(luò)中的流量一樣的特征,這是其他方法所不具備的。目前,已有的流量回放方法大多是在單位時(shí)間內(nèi)制造出大量的真實(shí)流量,從而丟失了回放流量在時(shí)間上的真實(shí)性。為了在目標(biāo)網(wǎng)絡(luò)中產(chǎn)生與真實(shí)流量盡可能相似的網(wǎng)絡(luò)流量,包括報(bào)文個(gè)數(shù)、內(nèi)容、交互順序和交互時(shí)間等,本文提出一種基于報(bào)文時(shí)序的多機(jī)互動(dòng)回放方法。具體工作如下:首先,本文對(duì)現(xiàn)有的流量采集方法進(jìn)行了優(yōu)化,采用了多點(diǎn)采集的思想。通過(guò)將真實(shí)網(wǎng)絡(luò)劃分為多個(gè)采集點(diǎn),在各個(gè)采集點(diǎn)同時(shí)采集流量。該方法彌補(bǔ)了現(xiàn)有方法遺漏局域網(wǎng)內(nèi)相互通信的流量的缺陷,提高了采集流量的完整性。此外,本文將零拷貝技術(shù)應(yīng)用到流量采集方式中,提高了網(wǎng)卡捕包效率,減少了因網(wǎng)卡性能導(dǎo)致的丟包問(wèn)題,從而保證回放出的流量與原始網(wǎng)絡(luò)更加相似。其次,本文設(shè)計(jì)了一種針對(duì)多點(diǎn)采集的數(shù)據(jù)處理方法,包括基于前綴樹(shù)的去重方法和基于上下文關(guān)系的修復(fù)方法。數(shù)據(jù)去重方法對(duì)前綴樹(shù)結(jié)構(gòu)進(jìn)行優(yōu)化使其更適用于數(shù)據(jù)流的去重操作,修復(fù)方法則是通過(guò)比較通信雙方發(fā)送報(bào)文的序列號(hào)和確認(rèn)號(hào)之間的關(guān)系進(jìn)行修復(fù)操作。本文分別對(duì)這兩種方法進(jìn)行實(shí)驗(yàn),實(shí)驗(yàn)結(jié)果證明該方法確實(shí)可以對(duì)流量進(jìn)行去重和修復(fù)操作。然后,本文對(duì)現(xiàn)有回放算法進(jìn)行優(yōu)化,提出一種基于報(bào)文時(shí)序的多機(jī)互動(dòng)回放算法。將該算法與現(xiàn)有算法進(jìn)行對(duì)比,實(shí)驗(yàn)結(jié)果表明,當(dāng)回放文件為18000個(gè)報(bào)文時(shí),該算法回放出的流量在報(bào)文發(fā)送時(shí)間誤差方面是現(xiàn)有算法的1/20,并且本文提出的算法的時(shí)間誤差不會(huì)因?yàn)榛胤艌?bào)文數(shù)目的增加而增加,現(xiàn)有算法則不具備此特性。此外,本文還在回放帶寬與網(wǎng)絡(luò)流速方面對(duì)該算法進(jìn)行了逼真性實(shí)驗(yàn),129秒的回放時(shí)間內(nèi)有4個(gè)數(shù)據(jù)點(diǎn)出現(xiàn)了誤差,準(zhǔn)確率為97%,說(shuō)明該算法產(chǎn)生的流量與原始流量非常相似。最后,基于上述的理論研究設(shè)計(jì)并實(shí)現(xiàn)了一個(gè)網(wǎng)絡(luò)流量回放的原型系統(tǒng)。通過(guò)對(duì)原型系統(tǒng)進(jìn)行測(cè)試發(fā)現(xiàn),該系統(tǒng)可以在占用少量機(jī)器資源的基礎(chǔ)上根據(jù)用戶配置進(jìn)行流量采集和數(shù)據(jù)處理,然后根據(jù)輸入的流量文件在目標(biāo)網(wǎng)絡(luò)中回放出與原始網(wǎng)絡(luò)極其相似的流量,產(chǎn)生與現(xiàn)實(shí)網(wǎng)絡(luò)相似的網(wǎng)絡(luò)環(huán)境,供實(shí)驗(yàn)人員進(jìn)行實(shí)驗(yàn)和研究。
[Abstract]:As one of the methods to generate traffic in the network shooting range, traffic playback has irreplaceable characteristics. It can ensure that the outgoing traffic has the same characteristics as the traffic in the real network, which is not available in other methods. At present, most of the existing traffic playback methods produce a large number of real traffic per unit time, thus losing the authenticity of the playback traffic in time. In order to generate the network traffic as similar to the real traffic in the target network as much as possible, including the number of messages, content, interaction sequence and interaction time, a multi-computer interactive playback method based on message timing is proposed in this paper. The specific work is as follows: firstly, the existing traffic acquisition methods are optimized, and the idea of multi-point acquisition is adopted. By dividing the real network into multiple acquisition points, the traffic is collected at each acquisition point at the same time. This method makes up for the defect that the existing method omits the traffic that communicates with each other in the local area network (LAN), and improves the integrity of the collected traffic. In addition, the zero copy technology is applied to the traffic acquisition mode, which improves the packet trapping efficiency of the network card and reduces the packet loss problem caused by the performance of the network card, so as to ensure that the outgoing traffic is more similar to the original network. Secondly, this paper designs a data processing method for multi-point acquisition, including the weight removal method based on prefix tree and the repair method based on context relation. The data de-weight method optimizes the prefix tree structure to make it more suitable for the data stream reload operation, and the repair method is to repair the relationship between the serial number and the confirmation number of the message sent by both sides of the communication by comparing the relationship between the serial number and the confirmation number of the message sent by the two sides of the communication. In this paper, the two methods are tested, and the experimental results show that the method can indeed remove the flow and repair the flow. Then, this paper optimizes the existing playback algorithms and proposes a multi-computer interactive playback algorithm based on message timing. Compared with the existing algorithms, the experimental results show that when the playback files are 18000 packets, the traffic returned by the algorithm is 1 鈮，

本文編號(hào)：2479084