Automatic Generation of Snort Content Rule for Network Traffic Analysis

  • Shim, Kyu-Seok (Department of Computer and Information Science, Korea University) ;
  • Yoon, Sung-Ho (Department of Computer and Information Science, Korea University) ;
  • Lee, Su-Kang (Department of Computer and Information Science, Korea University) ;
  • Kim, Sung-Min (Department of Computer and Information Science, Korea University) ;
  • Jung, Woo-Suk (Department of Computer and Information Science, Korea University) ;
  • Kim, Myung-Sup (Department of Computer and Information Science, Korea University)
  • Received: 2014.12.04
  • Reviewed: 2015.04.06
  • Published: 2015.04.30

Abstract

The importance of application traffic analysis for effective network management is increasingly emphasized. Snort is a widely used engine for traffic detection that blocks traffic or records logs based on predefined rules. However, because generating Snort rules requires a complete survey of the traffic to be detected, many limitations exist, and it is difficult to guarantee the accuracy of the generated rules. In this paper, we propose a method that uses a sequential pattern algorithm to find strings in the input traffic that satisfy a minimum support. In addition, rules built from the extracted strings are applied to the input traffic to extract the positions at which the strings occur and the header information. We then propose a method that combines the extracted strings, position information and header information to automatically generate Snort rules. When traffic analysis was performed again using the generated rules, most applications were detected at a rate of 97% or higher.

The importance of application traffic analysis for efficient network management has been emphasized continuously. Snort is a popular traffic analysis system which detects traffic matched to pre-defined signatures and performs various actions based on the rules. However, it is very difficult to obtain highly accurate signatures that meet various analysis purposes, because searching the entire traffic data manually or semi-automatically is tedious and time-consuming work. In this paper, we propose a novel method to generate signatures in a fully automatic manner, in the form of Snort rules, from raw packet data captured from a network link or end-host. We use a sequence pattern algorithm to generate common substrings satisfying the minimum support from traffic flow data. We also extract the location and header information of the signature, which are the components of a Snort content rule. When we applied the proposed method to several application traffic data sets, the generated rules could detect more than 97 percent of the traffic data.

Cited by

  1. Two-Dimensional Bitmap Trie for High-Speed Packet Classification, vol.40, pp.9, 2015, https://doi.org/10.7840/kics.2015.40.9.1754
  2. Design and Implementation of a High-Speed Pattern Matcher Using a Multi-Entry Simultaneous Comparator in Network Intrusion Detection Systems, vol.40, pp.11, 2015, https://doi.org/10.7840/kics.2015.40.11.2169
  3. Detection of Harmful Network Traffic Using K-Means Clustering, vol.41, pp.2, 2016, https://doi.org/10.7840/kics.2016.41.2.277
  4. Automated Payload Signature Update System for Classification of the Latest Network Applications, vol.42, pp.1, 2015, https://doi.org/10.7840/kics.2017.42.1.98