KR102079028B1 - Apparatus and method for generating simulated network traffic traces - Google Patents

Abstract

The present invention is to automatically generate a network traffic trace for private protocol inference and learning, a protocol information input unit for receiving protocol information for a specific standard protocol, a memory including information related to at least one standard protocol, A controller which selects any one standard protocol based on the input protocol information, performs a modification on at least one of the header fields of the selected standard protocol, and inserts an arbitrary value according to the header field of the modified standard protocol And a network trace generator for generating simulated network traffic trace information.

Description

APPARATUS AND METHOD FOR GENERATING SIMULATED NETWORK TRAFFIC TRACES}

The present invention is for automatically generating network traffic traces for private protocol inference and learning.

Weapon systems for military purposes are often operated as a closed network system for various purposes such as security. Accordingly, military communication protocols also use special protocols rather than the general TCP / IP or IEEE protocols. In addition, most detailed specifications of these communication protocols are not disclosed, and they are operated in environments where physical access to weapon systems is almost impossible.

Such remote access to a closed network system is accessible using electromagnetic spectrum technology when using wireless communication. That is, the electromagnetic spectrum can be used to effectively access closed remote weapon systems using wireless communications. And studying these technologies is wireless network based cyber electronic warfare.

In wireless network-based cyber warfare, electromagnetic spectrum technology is used to remotely acquire wireless communication signals used for the operation of closed network systems and to extract digital information of private protocols. In addition, it analyzes the specification and state machine of the private protocol and finds the weakness of the protocol against the extracted digital bit stream, that is, the network traffic trace. At this time, in order to support the efficiency of private protocol specification inference, the characteristics of various protocols for military purposes may be identified, analyzed, and classified in advance, and the information may be utilized.

This protocol inference operation is not intended to use an entirely new protocol for which private protocols used for the operation of a closed network system are unknown, but for various purposes such as using existing protocols or maintaining security, improving performance, and adding functions. This is due to the fact that the existing protocol is used in various ways.

Currently, with the development of artificial neural network technology, the specification of such a private protocol can be performed through artificial neural networks. In order to improve the reasoning efficiency of the private protocol specification using the artificial neural network technology, more private protocols, that is, training data of the changed protocol, are required.

However, since it is impossible to obtain network traffic traces of private protocols that are modified in various ways in reality, it is possible to modify normal network traffic traces in the manner desired by the user, and to simulate the corresponding network traffic traces as much as the user wants. There is a need for a technology that is generated and utilized for inference and learning of private protocols.

The present invention is to solve the above problems, and relates to an apparatus and method for automatically generating a large number of network traffic traces of various modified protocols.

In addition, the present invention relates to an apparatus and method for automatically generating a plurality of learning data suitable for inferencing private protocol specification by changing, adding or deleting the value or attribute of at least one field from a preset standard protocol. will be.

An apparatus for generating a simulated network traffic trace according to an embodiment of the present invention for achieving the above object includes a protocol information input unit for receiving protocol information on a specific standard protocol, a memory including information related to at least one standard protocol, and A control unit which selects any one standard protocol based on the input protocol information, performs a modification on at least one of the header fields of the selected standard protocol, and inserts an arbitrary value according to the header field of the modified standard protocol And a network trace generator for generating simulated network traffic trace information.

In one embodiment, the control unit, the simple modification that each field structure of the selected standard protocol remains the same, the homogeneous modification that changes the structure of the protocol while maintaining the statistical properties of the selected standard protocol, the selected standard protocol Performing the transformation according to at least one variant attribute of the heterogeneous variant that changes the structure of the protocol without maintaining statistical attributes, the simple variant comprises changing a field value of each field, wherein the isomorphic variant, And at least one change of the position or length of each field, and the heteromorphic modification includes a change in which at least one of the respective fields is deleted or at least one new field is added.

According to an embodiment, the controller may be configured to automatically select at least one of the fields of the standard protocol and to automatically determine a modification attribute to be applied to the selected fields, or to modify the modification to be applied to the at least one field and each field by the user. The deformation may be performed according to any one of manual deformation methods for directly selecting an attribute, or both the automatic deformation method and the manual deformation method.

According to an embodiment, the modification according to the automatic modification is performed according to a deformation rate previously input from a user, and the controller counts the number of fields that are currently modified with respect to the total number of fields of the standard protocol header. The ratio of one value and the strain are compared to determine whether the strain is achieved, and the deformation is performed again according to the determination result.

In an embodiment, the controller may further receive a deformation degree indicating the strength and level of the deformation, and based on the input deformation degree, the ratio of the simple deformation or the deformed deformation is performed in the deformation. It is characterized by varying the ratio.

The control unit may further include an output unit configured to display a modification result according to the at least one protocol field modification, wherein the modification result corresponds to the total number of fields of the selected standard protocol header. And a ratio of the number of protocol fields for which the modification has been performed, header information of the standard protocol before modification, and header information of the standard protocol after modification.

In an embodiment, the memory may further include information on non-modifiable fields for each standard protocol, and the controller may be configured to perform the processing on the remaining fields except for the non-modifiable fields from the selected standard protocol. It is characterized by performing the deformation.

In accordance with another aspect of the present invention, there is provided a method for generating a simulated network traffic trace, the method comprising: receiving protocol information on a specific standard protocol and selecting one standard protocol according to the input protocol information Performing a modification on at least one of the header fields of the selected standard protocol, displaying a result of the performed modification, and inserting a random value according to the header field of the modified standard protocol to simulate the network. Generating traffic trace information.

In one embodiment, the performing of the modification may include: for at least one of the selected standard protocol header fields, a simple modification in which each field structure of the selected standard protocol remains the same; Performing the modification according to at least one modification property of the homogeneous modification that changes the structure of the protocol while maintaining the statistical properties of the selected standard protocol while maintaining the statistical property of the selected standard protocol. And changing a field value of each field, wherein the isomorphic deformation comprises changing at least one of a position or a length of each field, and wherein the at least one variant is deleted or at least one of the respective fields. It is characterized in that it includes a change to which a new field of is added.

In one embodiment, the performing of the transformation may include: an automatic modification scheme for arbitrarily selecting at least one of the fields of the standard protocol and a modification attribute to be applied to the selected fields, or at least one field by each user. And performing the deformation according to any one of manual deformation methods for directly selecting a deformation property to be applied to a field, or both the automatic deformation method and the manual deformation method.

According to an embodiment, the modification according to the automatic modification is performed according to a deformation rate previously input from a user, and the controller counts the number of fields that are currently modified with respect to the total number of fields of the standard protocol header. The ratio of one value and the strain are compared to determine whether the strain is achieved, and the deformation is performed again according to the determination result.

In one embodiment, the performing of the modification may include: checking information on non-modifiable fields for each standard protocol, and rest of fields other than the non-modifiable fields from the selected standard protocol. Characterized in that the step of performing the transformation.

The effects of the network traffic trace generation device and the generation method according to the present invention will be described.

According to at least one of the embodiments of the present invention, the present invention has an effect that the network traffic trace of various modified protocols can be automatically collected and secured in a sufficient amount necessary for inference and learning of the private protocol.

In addition, according to at least one of the embodiments of the present invention, by changing the at least one field on the basis of the standard protocol, the present invention can automatically generate mock learning data suitable for inference and learning of private protocols It works.

1 is a block diagram showing the configuration of a simulation network traffic trace generation device according to an embodiment of the present invention.
2 is a flowchart illustrating a process of generating a simulated network traffic trace according to an embodiment of the present invention.
3 is a flowchart illustrating a process of generating a network traffic trace according to an automatic modification or a manual modification during a network traffic trace generation process according to an embodiment of the present invention.
4 is a flowchart illustrating an example of an operation of performing a change using a random number when automatic modification is selected during a network traffic trace generation process according to an embodiment of the present invention.
5 to 7 are exemplary diagrams in which a change to at least one of the fields of the standard protocol is performed according to an embodiment of the present invention.
8 is an exemplary diagram illustrating an example of a protocol header before a change is performed and a protocol header after the change is performed according to an embodiment of the present invention.
9 is an exemplary view illustrating an interface of a network traffic trace generation device according to an embodiment of the present invention.

Technical terms used herein are merely used to describe particular embodiments, it should be noted that it is not intended to limit the present invention. Also, the singular forms used herein include the plural forms unless the context clearly indicates otherwise. In this specification, "is configured." Or "includes." Etc. should not be construed as including all of the various elements, or steps, described in the specification, some of which may not include some of the steps, or some of the additional elements or steps. It should be construed as more inclusive.

In addition, in describing the technology disclosed herein, if it is determined that the detailed description of the related known technology may obscure the gist of the technology disclosed herein, the detailed description thereof will be omitted.

In the present invention, 'protocol' is regarded as a set concept of a field. The standard protocol is a set of fields with an ordering concept, but the variant protocol does not have an ordering concept, and can be arranged into an expanded set concept with possible overlap of fields. Therefore, the similarity between the standard protocol and the transformation protocol approaches the concept of aggregation operation applied to the set and defines the type of transformation based on it.

When fields are not considered in protocol learning and inference, that is, when it is difficult to see them as a concept of sets of fields, each n-grams for each protocol identified according to n-grams analysis is regarded as a field and the set of n-grams as a protocol. .

On the other hand, statistical properties of the standard protocol can be divided into dynamic and static properties. In this case, the static property is a property unique to the protocol that is not affected by the protocol operating environment. The static property is related to the protocol syntax and may be defined by the number of header fields, the header field length, and the header field order. Dynamic properties, on the other hand, are properties of a protocol that are affected by the protocol operating environment and are related to the size of the network (topology, number of users, link capacity, etc.) that the protocol is used for, and include timestamp, address space, packet size, packet forwarding delay, and packet drop. Ratio and the like.

In the present invention, since network traffic traces are simulated, it is difficult to infer up to the protocol operating environment in the presence of only network traffic traces. Therefore, in the following description, the protocol modification is considered to be made in terms of maintaining or modifying the static attribute.

Meanwhile, in the present invention, modifications may be classified into modifications that maintain statistical properties of standard protocols and variations that change statistical properties. Therefore, a total of three variants can be considered. In other words, the transformation that maintains the statistical properties can be classified into a primary transformation (simple transformation) that transforms only the data defined by the user in the standard protocol and generates a network traffic trace in compliance with the standard protocol specification.

In addition, in the standard protocol, the variation of the position of the field and the change in the length of the field are maintained as a whole, but the variation that generates the network traffic trace of the variation protocol beyond the standard protocol can be classified as a secondary variation (homogenous variation).

On the other hand, third-order variants (deformation variants) where statistical properties are not maintained generate network traffic traces of variant protocols beyond standard protocol specifications, including the addition of additional fields or deletion of fields, in addition to primary and secondary variants. It can be divided into a variation.

In the following description, according to whether the standard protocol is a variation that maintains a statistical property or a variation that does not maintain a statistical property, the present invention can generate a simulated network traffic trace from the standard protocol by applying a modification in a total of three ways. An apparatus and method according to the embodiment will be described in detail with reference to the accompanying drawings.

First, FIG. 1 is a block diagram illustrating a configuration of a simulation network traffic trace generation device according to an embodiment of the present invention.

Referring to FIG. 1, the simulation network traffic trace generation device 100 according to an embodiment of the present invention includes a control unit 150, a protocol information input unit 110 connected to the control unit 150, a user input unit 120, The output unit 130 may include a memory 140 and a network trace generator 160. Meanwhile, the components shown in FIG. 1 are not necessary to implement the network traffic trace generation device 100 according to an embodiment of the present invention, and accordingly, the network traffic trace generation device 100 according to the embodiment of the present invention. Of course, may have fewer components, or may include more components.

First, the protocol information input unit 110 may receive information related to the target network traffic trace for performing the transformation. For example, the protocol information input unit 110 is a specific type that is directly input from a network traffic trace in the form of a packet capture (PCAP) file or a packet captured from a real network, that is, a network traffic trace generated according to a standard protocol specification. A name of a standard protocol and a related standard specification (header field information) may be input. To this end, the protocol information input unit 110 may include a configuration that can be connected to a network and a configuration that stores traffic traces captured from the network in a file form, that is, a PCAP file.

The user input unit 120 may receive information from a user and may include various input means. For example, the input means may include a mechanical input means such as a keyboard or a mouse or a touch input means, and may include a virtual key, a soft key or a visual key displayed on a touch screen through a software process. It can also provide a graphical interface for indicating the variant of the network traffic trace desired by the user. The deformation instruction content of the user may include the type of deformation selected by the user (simple deformation, homomorphic deformation, heteromorphic deformation), the deformation rate selected by the user (%), the deformation application method selected by the user (automatic deformation, manual deformation), and the user. It may include the modified network traffic trace generation amount (byte amount, quantity) and the like to select.

Meanwhile, the output unit 130 may provide a graphic interface for providing information on the modified network traffic trace. The modification result may include a structure of a standard network traffic trace and a simulation network traffic trace generated as a result of the modification, and may include information related to a field, a modification content, and a deformation rate of the modification.

The network trace generator 160 may generate a simulated network traffic trace by inputting a field value into each field of the protocol, that is, the header field, modified by the controller 150. For example, the network trace generator 160 may provide a simulated network traffic trace generated as a result of the modification of the currently selected standard protocol in the form of a PCAP file.

The memory 140 may store a plurality of programs for the operation of the controller 150. In addition, it can store various data input and output.

In addition, the memory 140 may include a database of information on various standard protocols and modification conditions. Here, the database may include information on fields which cannot be modified in order to perform normal functions of the protocol in each standard protocol. When the protocol is modified, the controller 150 may perform the transformation by referring to the information of the fields stored in the database. That is, when the automatic deformation is selected, the controller 150 may perform the deformation by excluding the fields stored in the database from the deformation target. On the other hand, if a manual variant is selected, the controller 150 displays the field to be distinguished from other fields that can be modified, and assigns a lock property in which the user's input is restricted to the corresponding field, thereby preventing the user from applying the variant. can do.

Meanwhile, the controller 150 may control each component connected to generate the simulated network traffic trace. For example, the controller 150 may control the protocol information input unit 110 to receive information about a PCAP file or a specific standard protocol (for example, header information). Based on the input protocol information, any one of standard protocols stored in the memory 140 may be selected. In addition, the protocol may be modified according to a modification scheme designated by the user input unit 120.

The controller 150 controls the network trace generator 160 to simulate input of contents, for example, a time stamp, a transmission address, a reception address, a port number, and a payload, in each field according to the modified protocol field. To generate simulated network traffic traces.

Herein, the controller 150 may apply various modifications to the selected standard protocol by referring to the modification condition database. The controller 150 may modify the protocol according to at least one of the simple deformation, the homomorphic deformation, and the heteromorphic deformation according to the designated modification. In this case, the simple modification may be a modification of modifying only data of a field defined by a user in the standard protocol while maintaining statistical properties of the standard protocol. In this case, network traffic traces conforming to the standard protocol specification may be generated.

And the homomorphic deformation may be to modify the position of the field, the length of the field, etc. in the standard protocol in addition to the simple modification. In this case, network traffic traces may be generated that maintain the statistical properties of the protocol as a whole but are outside of standard protocol specifications.

Meanwhile, in addition to the simple deformation and the homomorphic deformation, the heteromorphic deformation may be a deformation including additional field insertion or deletion of an existing field. In this case, as a variant in which the statistical properties of the protocol are not maintained, network traffic traces outside the standard protocol specification may be generated.

The controller 150 may calculate a strain rate according to the deformation applied to the currently selected standard protocol, and display the result through the output unit 130. In this case, the variation information including the information of the simulated network traffic trace generated in the PCAP form, the name and the modification rate of the standard protocol before the modification is applied, and the information of the field where the value or attribute is modified, added or deleted, is displayed. Can be.

2 is a flowchart illustrating a process of generating a simulated network traffic trace by an apparatus according to an embodiment of the present invention described with reference to FIG. 1 according to an embodiment of the present invention.

Referring to FIG. 2, the controller 150 of the network traffic trace generation device 100 according to an embodiment of the present invention may first receive protocol information from a user (S200). Here, the protocol information may be information of capturing a network traffic trace, that is, PCAP file or header information of a specific protocol. For example, the controller 150 may directly receive the protocol information from the user through the protocol information input unit 110 or may receive the protocol information from a separate device such as network equipment for capturing a network trace. .

The controller 150 may select a standard protocol corresponding to the input protocol information. For example, the controller 150 may analyze the received PCAP file or protocol header information and search for and select any one of the standard protocols that are previously stored in the memory 140 (S202). The field information according to the selected protocol can be checked.

Meanwhile, the input of the protocol information may be made according to a user's selection of any one of the standard protocols previously stored in the memory 140. In this case, the controller 150 may receive one of the standard protocols pre-stored in the memory 140 from the user, and check the field information of the selected protocol. Here, the field information may include structure information including field attributes such as the position and length of the field, and information on the value of each field, that is, content information.

The controller 150 may perform a modification on the selected protocol (S204). The deformation may be largely performed by content modification and structural modification according to the deformation target. First, content transformation is a variation of a field that is constantly changing in the standard protocol. It is a modification of a time stamp, a source address, a destination address, a port number, a payload, and the like. Can be. On the other hand, structural modification creates a modification protocol that is out of standard protocol specification, and may be performed by changing a field position, changing a field length, changing a keyword, adding a field (including a duplicate field, including a dummy field), and deleting a field.

Such content transformation and structural modification may be performed through three modification methods. First, as described above, the content modification targets the 'field value' that is constantly changed in the standard protocol, and even when the field value is modified, the standard protocol standard can be complied with. Therefore, the deformation of the content may be modified in the form of a simple deformation.

On the other hand, the change of the position of the field, the change of the length, the change of keywords, the addition of fields (including duplicate fields, including dummy fields) or the deletion of fields may be structural changes beyond the standard protocol. On the other hand, among these structural changes, in the case of structural modifications including fields of the currently selected standard protocol, for example, in the case of isomorphic modifications such as position or length variations of fields, although the structure of the fields is modified, it is the same as the currently selected standard protocol. Including fields may have the same statistical property.

However, in the case of heterogeneous modifications such as adding or deleting fields, not only the structure of the fields but also different fields from those of the currently selected standard protocol may have different statistical properties. Accordingly, in the case of the structural modification, the modification may be performed in the form of homomorphic deformation and heteromorphic deformation according to whether or not the statistical properties of the currently selected standard protocol are maintained. Accordingly, in step S204, the field deformation of the currently selected protocol may be performed in at least one of the simple deformation, homomorphic deformation, and heteromorphic deformation.

When the field modification of the protocol is made in step S204, the controller 150 may control the output unit 130 to display the modification result (S206). The deformation result may include information such as strain rate, and information such as a field on which deformation is performed may be displayed using graphic objects. For example, the controller 150 may output the transformation result by plotting before and after the transformation based on the field structure of the protocol so that the user may easily understand the modified contents.

Meanwhile, the controller 150 may check whether the user selects a further modification of the protocol while the modification result is output (S208). If the user selects an additional modification of the protocol, the process proceeds to step S204 again to further change the current modified protocol fields. In operation S206, the modified result including the additional change may be output. In this case, the strain may be updated according to the further strain, and the field structure after the schematized strain may also be updated according to the further strain.

On the other hand, if the user does not select a further modification in step S208, the controller 150 may generate a network traffic trace according to the modified protocol field (S210). For example, the controller 150 may generate a network traffic trace corresponding to the modified protocol by inserting an arbitrary value, for example, a byte value (or a bit value), into each field of the currently modified protocol. In addition, the controller 150 may repeat the process of inserting a bit value into each field of the modified protocol according to the quantity selected by the user to generate a simulated network traffic trace of the quantity designated by the user. The generated simulated network traffic traces may be processed and stored in the form of a preset file, for example, a PCAP file.

Meanwhile, the protocol modification of the step S204 may be performed in various ways. For example, the protocol modification of step S204 may be performed by the user inputting a specific strain in advance, and arbitrarily selecting deformation attributes (simple deformation, homomorphic deformation, and heteromorphic deformation) according to the input strain, and modifying the protocol according to the selected deformation attribute. It can be done in an automatic deformation manner. Alternatively, the method may be performed by a manual transformation method in which a user directly selects a field to change and an attribute of a transformation to apply.

3 is a flowchart illustrating a process of generating a network traffic trace according to such automatic or manual modification during a network traffic trace generation process according to an embodiment of the present invention.

Referring to FIG. 3, the apparatus 100 for generating network traffic traces according to an embodiment of the present invention may receive a selection of any one of an automatic modification and a manual modification (S300).

First, as described above, when the strain is input from the user, the automatic modification may refer to a method of randomly modifying the protocol field according to the input strain. Here, the deformation rate may be a ratio of the number of modified header fields to the total number of header fields of the selected standard protocol. The controller 150 may receive a strain from a user when the automatic deformation is selected in step S300 (S310).

On the other hand, when the strain is received in step S310, the controller 150 may determine at least one deformation property for the protocol fields. The protocol fields may be modified according to the determined modification attributes (S312). For example, the controller 150 may first select at least one of the fields of the standard protocol analyzed through header information of the selected standard protocol. The protocol modification may be performed by applying a randomly determined simple deformation, homomorphic deformation, or heteromorphic deformation to at least one selected field.

When the modification of the protocol is performed, the controller 150 may calculate a field strain of the modified protocol. In this case, the controller 150 may count the number of fields in which the deformation is performed, and the controller 150 may deform the deformation in the field when the value is changed (simple deformation) or when the position or length is changed (isometric deformation). Can be counted as On the other hand, in the case of a variant deformation in which a field is added or deleted, the controller 150 may consider that a deformation has occurred in any one field with respect to any one added field, and count it as a modified field. A field may be regarded as having undergone deformation in one field, and may be counted as a modified field. Therefore, the field strain may be calculated as shown in Equation 1 below.

Meanwhile, when the field strain is calculated in step S314, the controller 150 may compare the calculated field strain with the strain input in step S310 (S316). If the field strain calculated as a result of the comparison coincides with the input strain within a preset allowable range, it may be determined that the strain has been achieved. The preset allowable range may be an allowable error that may be determined to have the same value.

As a result of the determination in step S316, if it is determined that the calculated field strain does not match the strain input in step S310, the controller 150 proceeds to step S312 again to perform modification on the currently modified protocol field again. Can be. In addition, the calculated field strain and the previously input strain may be compared again by performing steps S314 and S316 again.

On the other hand, if it is determined in step S316 that the calculated field strain coincides with the strain input in step S310, the controller 150 determines that the deformation reaches the input strain, and then proceeds to step S206 of FIG. 2. You can proceed and display the deformation results.

On the other hand, if a manual variant is selected, the controller 150 may display a graphic interface through which the user can select a protocol field and a variant attribute (S320). For example, the graphical interface may include information illustrating information on a field structure of a currently selected standard protocol.

Accordingly, the controller 150 may determine a field to be changed according to the user's selection through the graphic interface and deformation properties (simple deformation, homomorphic deformation, and heteromorphic deformation) for the selected field (S322).

The controller 150 may perform a change on each of the fields whose deformation is determined according to the determined deformation property (S324). The controller 150 may calculate the field strain in the same manner as in Equation 1 (S326).

In addition, the controller 150 proceeds to step S206 of FIG. 2, and displays, through the output unit 130, a deformation result including the field strain calculated in step S326 as a strain according to the currently performed protocol modification.

On the other hand, when the automatic deformation is selected, the controller 150 may receive not only the strain but also the strain from the user in step S310. In this case, the degree of deformation may mean the deformation level or the deformation strength of the protocol field. That is, in case of simple deformation in which the protocol field structure is maintained, the degree of deformation may be low, and in the case of heteromorphic deformation in which a field is added or deleted, the degree of deformation may be high. That is, even when the deformation rate is the same, more deformation deformation may be performed than simple deformation when the deformation degree is high, and less deformation deformation may be performed than the simple deformation when the deformation degree is low. That is, of course, the user may specify the strength of the protocol change even when the strain is the same.

On the other hand, step S312 may be an operation process of generating at least one random number, determining a field to which a change is applied and a property to be changed according to the generated random number, and performing at least one protocol field change according to the determined property. . 4 is a flowchart illustrating an example of an operation of performing a change of a protocol field by using a random number as described above.

First, when step S312 of FIG. 3 is performed, the controller 150 may generate a first random number (S400). Here, the first random number may be for selecting a field to which a modification is applied among the currently selected protocol fields. That is, the controller 150 may determine at least one field corresponding to the first random number among fields of the currently selected standard protocol as fields to be changed (S402). If the field designated by the random number is a field whose modification is limited to perform a function of the protocol, the controller 150 may cancel the change to the corresponding field.

If a field to be changed is designated, the controller 150 may generate a second random number (S404). Here, the second random number may be to determine a modification attribute for each protocol field whose current change is determined. For example, in the case where the variation attribute for a protocol field is a field value change, a field position or length change, or a field addition or deletion, for example, the second random number is 1 to 5 for each protocol field for which a variation is determined. It can be generated including any one of the numbers up to. In this case, the numbers 1 to 5 are respectively changed as protocol field values (simple variants), protocol field position changes (homogenous variants), protocol length changes (homogenous variants), protocol field additions (variant variants, e.g., fields in which variants are determined). Add a new field before or after), or delete a protocol field (variant variant). On the other hand, these examples are merely for the purpose of illustrating the present invention is not limited to this, of course.

In the second random number, numbers other than 1 to 5 for determining the modification attribute of the protocol field may include information about the modified protocol field. That is, in the case of changing the field value, information about the field value of the field to be changed may be included. In the case of a location change, information about a location of a protocol field to be changed may be included. In case of a length change, information about a location of a protocol field to be changed may be included. In addition, in case of adding a protocol field, information about a length of a field to be added may be included.

If the modification property is determined for each field whose change is determined, the controller 150 may modify each protocol field according to the determined modification property (S408).

In the above description, the controller 150 generates the first random number and the second random number as an example, but the first random number and the second random number may be one random number. In this case, the controller 150 may detect modification target fields and modification attributes to be applied to each transformation target field from the one random number generated based on a preset rule. The change of the detected change target fields may be performed based on the deformation related information included in the one random number. In operation S314 of FIG. 3, the number of fields in which the change is performed may be counted, and the ratio between the counted value and the total number of headers of the standard protocol may be calculated as a field strain rate.

5 to 7 are exemplary diagrams in which a change to at least one of the fields of a standard protocol is performed according to an embodiment of the present invention.

First, FIG. 5 shows an example of an automatic modification to the network traffic trace 500 of the standard protocol with eight fields. The types of modifications made in FIG. 5 proceed in the order of changing the length of the data3 field (502), adding the data9 field (504), deleting the data5 field (506), and exchanging positions of the data1 and data6 fields (508). Typical strain is 75%.

6 shows an example of a manual modification to network traffic trace 600 of the standard protocol with eight fields. The type of modification made in FIG. 6 proceeds by selecting the length change of the data3 field selected by the user and inputting the change length desired by the user (602), followed by the user selection 604 for deletion of the data8 field. Deletion 606 may proceed in order. The final strain rate is 25%.

7 shows an example of a manual modification to network traffic trace 700 of the standard protocol with eight fields. The type of modification made in FIG. 7 proceeds 702 by repositioning selection of the data5 and data7 fields that the user selects, and then to user selection 704 for addition of the data9 field of length 5 after the data6 field. By the insertion of the data9 field (706). The final strain is 50%.

8 is an exemplary diagram illustrating an example of a protocol header 800 before the change is performed and a protocol header 802 after the change is performed according to an embodiment of the present invention.

Referring to FIG. 8, when the modification of the protocol is completed, the network traffic trace generation device 100 according to the embodiment of the present invention performs the modification with the protocol header 800 before the modification is performed. After the protocol header 802 is generated, the protocol header 802 can be output to the user so that the user can compare with each other. And from the comparison of the protocol headers 800 and 802 before and after the transformation is performed, the position change of the first and second fields of the L2 layer of the standard protocol field, the change of the length of the third field, and the fourth by the addition of a new field. You can see that three changes have been made to inserting fields. The deletion of the first field of the L3 layer may be indicated.

9 is an exemplary diagram illustrating an interface of a network traffic trace generation device according to an embodiment of the present invention.

Referring to FIG. 9, the graphic interface 900 displayed through the output unit 130 of the network traffic trace generating apparatus 100 according to an embodiment of the present invention may be formed to receive a strain rate from a user. It may be configured to receive a selection of automatic deformation or manual deformation. In addition, the graphic interface 900 may be configured to display the PCAP file information and the protocol header information so that a user can identify the PCAP file information and the protocol field structure for the input protocol to be modified.

Meanwhile, in the above description of the present invention, specific embodiments have been described, but various modifications may be made without departing from the scope of the present invention. In particular, in the above-described embodiment of the present invention, a manual deformation method in which the user determines the object of deformation and the content of the deformation, or an automatic simulation generator automatically determines the object and the content of the deformation according to the deformation rate specified by the user. For example, the deformation is performed by selecting any one of the deformation methods, but the present invention is not limited thereto. For example, the present invention may be selectively used by a user by mixing a manual deformation method and an automatic deformation method. In this case, as an example, when the user selects the additional deformation, the additional deformation may be performed by using a deformation method different from the initially selected deformation method. Alternatively, if the field strain does not coincide with the previously input strain after the automatic deformation scheme is selected, the user may check the information therein and further perform the deformation by the manual deformation scheme.

On the other hand, those skilled in the art to which the present invention belongs will be able to various modifications and variations without departing from the essential characteristics of the present invention. Therefore, the embodiments disclosed in the present invention are not intended to limit the technical idea of the present invention but to describe the present invention, and the scope of the technical idea of the present invention is not limited thereto. The protection scope of the present invention should be interpreted by the following claims, and all technical ideas within the equivalent scope should be interpreted as being included in the scope of the present invention.

100: network traffic trace generator
110: protocol information input unit 120: user input unit
130: output unit 140: memory
150: control unit 160: network trace generation unit

Claims (12)

A protocol information input unit for receiving protocol information on a specific standard protocol;
A memory containing information related to at least one standard protocol;
A controller which selects one standard protocol based on the input protocol information and performs modification on at least one of header fields of the selected standard protocol; And,
And a network trace generator for generating simulated network traffic trace information by inserting an arbitrary value according to the header field of the modified standard protocol.
The control unit,
Generate at least one random number, determine at least one field to apply a transformation and a property to be modified according to the generated random number, and perform a transformation on the at least one field according to the determined property Network traffic trace generator. The method of claim 1, wherein the control unit,
Simple modification in which each field structure of the selected standard protocol remains the same, homogeneous modification in which the structure of the protocol is changed while maintaining the statistical property of the selected standard protocol, and structure of the protocol without maintaining the statistical property of the selected standard protocol Performing the deformation according to the deformation property of at least one of the deformation variants changing
The simple variant,
A field value change of each field;
The homomorphic deformation is,
A change in at least one of the position or length of each field,
The release deformation,
And at least one of the fields is deleted, or at least one new field is added. The method of claim 1, wherein the control unit,
At least one of the fields of the standard protocol is randomly selected according to the at least one random number; The apparatus for generating a simulated network traffic trace according to any one of a manual modification scheme selected directly or the automatic modification scheme and the manual modification scheme are performed. The method of claim 3,
Deformation according to the automatic deformation method,
Is based on a strain input from the user.
The control unit,
The ratio of the value of counting the number of fields to which the current modification is made to the total number of fields of the standard protocol header is compared with the deformation rate to determine whether the deformation is achieved, and the deformation is performed again according to the determination result. A simulated network traffic trace generator. The method of claim 2, wherein the control unit,
Receiving a deformation degree representing the strength and level of the deformation,
The apparatus for generating a simulated network traffic trace according to the degree of deformation, wherein the rate at which the simple deformation is performed or the rate at which the heterogeneous deformation is performed is different. The method of claim 1, wherein the control unit,
The apparatus may further include an output unit for displaying a modification result according to the at least one protocol field modification.
The deformation result is,
And a ratio of the number of protocol fields in which the modification is performed to the total number of fields of the selected standard protocol header, header information of the standard protocol before modification, and header information of the standard protocol after modification. Network traffic trace generator. The method of claim 1, wherein the memory,
Further includes information about non-modifiable fields for each standard protocol,
The control unit,
And performing the transformation on the remaining fields except for the non-modifiable fields from the selected standard protocol. Receiving protocol information on a specific standard protocol;
Selecting one standard protocol according to the input protocol information;
Performing a modification to at least one of the header fields of the selected standard protocol;
Displaying a result of the deformation performed; And,
Generating random network traffic trace information by inserting an arbitrary value according to the header field of the modified standard protocol,
Performing modification on at least one of the protocol header fields,
Generating at least one random number, determining at least one field to be modified and a property to be modified according to the generated random number, and performing the at least one field deformation according to the determined property How to generate traffic traces. The method of claim 8, wherein performing the transformation,
For at least one of the selected standard protocol header fields, a simple variant in which each field structure of the selected standard protocol remains the same, a homogeneous variant in which the structure of the protocol is changed while maintaining the statistical properties of the selected standard protocol, the selected standard Performing the transformation according to at least one variant attribute of the variant variant that changes the structure of the protocol without maintaining the statistical attributes of the protocol,
The simple variant,
A field value change of each field;
The homomorphic deformation is,
A change in at least one of the position or length of each field,
The release deformation,
And a change in which at least one of the fields is deleted or at least one new field is added. The method of claim 8, wherein performing the transformation,
At least one of the fields of the standard protocol is arbitrarily selected according to the at least one random number, and an automatic modification scheme that arbitrarily determines a deformation attribute to be applied to the selected fields or a user directly selects at least one field and a modification attribute to be applied to each field. And performing the transformation according to any one of the manual modification scheme selected, or both the automatic modification scheme and the manual modification scheme. The method of claim 10,
Deformation according to the automatic deformation method,
Is based on a strain input from the user.
Performing the deformation,
Comparing the ratio of the total number of fields in the standard protocol header with the value of the number of fields that have been modified and determining the deformation rate by comparing the deformation rate, and performing the modification again according to the determination result Simulated network traffic trace generation method further comprising. The method of claim 8, wherein performing the transformation,
Identifying information about fields that are not modifiable for each standard protocol; And,
And performing the transformation on the remaining fields except for the non-modifiable fields from the selected standard protocol.

Images