Design and Implementation of a Network Traffic Replay System
Published: 2019-05-17 12:24
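[Abstract]: As one of the methods for generating traffic in a cyber range, traffic replay has irreplaceable properties. It guarantees that the replayed traffic has the same characteristics as traffic in a real network, which other methods cannot offer. At present, most existing traffic replay methods generate a large volume of real traffic per unit time and thereby lose the temporal fidelity of the replayed traffic. To generate network traffic in the target network that is as similar as possible to the real traffic, including the number of packets, their content, the order of interaction and the timing of interaction, this thesis proposes a multi-machine interactive replay method based on packet timing. The specific work is as follows. First, the thesis optimizes existing traffic capture methods by adopting the idea of multi-point capture: the real network is divided into multiple capture points, and traffic is captured at all capture points simultaneously. This remedies the defect of existing methods, which miss traffic exchanged between hosts inside a LAN, and improves the completeness of the captured traffic. In addition, the thesis applies zero-copy technology to traffic capture, which improves the packet capture efficiency of the NIC and reduces packet loss caused by NIC performance, so that the replayed traffic is closer to the original network. Second, the thesis designs a data processing method for multi-point capture, comprising a deduplication method based on a prefix tree and a repair method based on context relationships. The deduplication method optimizes the prefix tree structure to make it better suited to deduplicating data streams, while the repair method performs its repairs by comparing the relationship between the sequence numbers and acknowledgment numbers of the packets sent by the two communicating parties. Both methods were tested experimentally, and the results show that they can indeed deduplicate and repair traffic. Then, the thesis optimizes existing replay algorithms and proposes a multi-machine interactive replay algorithm based on packet timing. Comparing this algorithm with an existing one, the experimental results show that when the replay file contains 18000 packets, the packet send-time error of the traffic replayed by this algorithm is 1/20 of that of the existing algorithm, and that the timing error of the proposed algorithm does not grow as the number of replayed packets increases, a property the existing algorithm lacks. In addition, the thesis runs fidelity experiments on the algorithm in terms of replay bandwidth and network flow rate: within a replay time of 129 seconds, 4 data points showed errors, an accuracy of 97%, which indicates that the traffic generated by the algorithm is very similar to the original traffic. Finally, based on the theoretical research above, a prototype network traffic replay system was designed and implemented. Tests of the prototype show that, while occupying only a small amount of machine resources, the system can capture traffic and process data according to user configuration, and then, from the input traffic file, replay in the target network traffic that is extremely similar to that of the original network, producing a network environment similar to the real network in which experimenters can carry out experiments and research.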
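The repair method in the abstract compares the sequence numbers one side sends with the acknowledgment numbers the other side returns. The sketch below is an added example, not code from the thesis, and shows that comparison as a gap check over a merged multi-point capture. The `Seg` type, the function names and the sample capture are constructed; it assumes relative sequence numbers with no wraparound.

```python
from dataclasses import dataclass

@dataclass
class Seg:
    src: str     # endpoint that sent the segment ("A" or "B")
    seq: int     # sequence number of the first payload byte
    ack: int     # cumulative acknowledgment number carried by the segment
    length: int  # payload length in bytes

def merge(ranges):
    """Merge overlapping or adjacent [start, end) byte ranges."""
    out = []
    for start, end in sorted(ranges):
        if out and start <= out[-1][1]:
            out[-1][1] = max(out[-1][1], end)   # duplicate or overlapping copy
        else:
            out.append([start, end])
    return out

def missing_ranges(segments, first_seq):
    """Per sender, byte ranges the peer acknowledged but the capture lacks.

    first_seq maps each sender to the sequence number of its first data byte.
    """
    gaps = {}
    for sender, cursor in first_seq.items():
        # Highest byte position the peer claims to have received.
        acked = max((s.ack for s in segments if s.src != sender), default=cursor)
        seen = merge([s.seq, s.seq + s.length]
                     for s in segments if s.src == sender and s.length > 0)
        holes = []
        for start, end in seen:
            if start >= acked:
                break                            # beyond what was acknowledged
            if start > cursor:
                holes.append((cursor, start))    # acked bytes never captured
            cursor = max(cursor, end)
        if cursor < acked:
            holes.append((cursor, acked))
        gaps[sender] = holes
    return gaps

# Constructed capture: A's bytes 101..200 were lost at the capture point,
# yet B acknowledges up to 301, so the gap is in the capture, not the flow.
CAPTURE = [
    Seg("A", 1, 1, 100),
    Seg("B", 1, 101, 50),
    Seg("A", 201, 51, 100),
    Seg("A", 201, 51, 100),   # same segment seen at a second capture point
    Seg("B", 51, 301, 0),
]
```

A hole reported here marks where a repair step would have to reconstruct or flag a segment before the file is replayed. Segments that the peer never acknowledged are deliberately not reported, since they may have been lost in the real network.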
[Abstract]: As one of the methods for generating traffic in a cyber range, traffic replay has irreplaceable characteristics. It can ensure that the replayed traffic has the same characteristics as the traffic in the real network, which other methods cannot provide. At present, most existing traffic replay methods produce a large amount of real traffic per unit time, thus losing the temporal authenticity of the replayed traffic. In order to generate network traffic in the target network that is as similar as possible to the real traffic, including the number of packets, their content, the interaction sequence and the interaction time, a multi-machine interactive replay method based on packet timing is proposed in this paper. The specific work is as follows. Firstly, the existing traffic capture methods are optimized, and the idea of multi-point capture is adopted. The real network is divided into multiple capture points, and traffic is collected at every capture point at the same time. This method makes up for the defect that existing methods miss the traffic exchanged between hosts within the local area network (LAN), and improves the completeness of the collected traffic. In addition, zero-copy technology is applied to traffic capture, which improves the packet capture efficiency of the network card and reduces the packet loss caused by the performance of the network card, so as to ensure that the replayed traffic is more similar to the original network. Secondly, this paper designs a data processing method for multi-point capture, including a deduplication method based on a prefix tree and a repair method based on context relationships.
The deduplication method optimizes the prefix tree structure to make it more suitable for deduplicating data streams, and the repair method repairs the traffic by comparing the relationship between the sequence number and the acknowledgment number of the packets sent by the two sides of the communication. In this paper, the two methods are tested, and the experimental results show that they can indeed deduplicate and repair the traffic. Then, this paper optimizes the existing replay algorithms and proposes a multi-machine interactive replay algorithm based on packet timing. Compared with the existing algorithms, the experimental results show that when the replay file contains 18000 packets, the traffic replayed by the algorithm is 1
Article ID: 2479084
Article link: http://www.sikaile.net/guanlilunwen/ydhl/2479084.html