| 摘要: | 本計畫為整合型計畫『網路虛擬化架構之研究與建置』下的一個子計畫。該整合型計畫打算以NetFPGA 硬體為基礎,在工作網路上設計、實作與建置一個能夠長期且持續性的分析、儲存、研究網路流量資料之系統。由於採用NetFPGA 在工作網路上建構一個虛擬網路的構想是一個新的嘗試,因此要確保依據NetFPGA 特性所開發的各個子計畫模組都能正確達到預定功能,除了需要各子計畫個別對所完成模組進行測試外,更需要有一套整合性測試的方法來對此整合計畫的構想進行驗證。所以本子計畫的目的便是從這個動機出發而從應用層的角度提供一套整合性測試方法。本子計畫特地選擇網路安全為進行測試的應用領域,理由有二:(1) 網路安全是一個非常重要的網路研究領域,若能對此領域的研究有所幫助,將有力地證明網路虛擬化架構在幫助網路相關研究者與網路設備開發廠商的重要價值;(2)網路攻擊封包的即時紀錄、偵測與防堵都需要超高速的運算能力才有辦法達成,而這正是一般軟體解決方案難以達到,而 NetFPGA 有可能達成的地方,本計畫將發展一套系統化的嚴謹方法與程序來驗證這樣的想法是否屬實。本子計畫的工作重點有下列數項:(1) 依據網路攻擊情境,建立各種 Client/ Server 節點於整合型計畫所建置的網路上以便進行實機測試;(2)研究有攻擊嫌疑封包的初步分類與最經濟有效記錄方法;(3)研究精確的攻擊偵測方法。我們不僅要降低前一步驟因判斷失誤所造成的誤報率(false positive),更打算聯合多個 NetFPGA 所提供的資訊來進行警訊關聯與融合,以發展更精確的攻擊偵測方法;(4)探討部署網路安全防護專用NetFPGA 的最佳部署策略。本計畫配合整合型計畫的進度,預定分三年執行。我們預期本計畫的貢獻有下列數端: 1.提供一個驗證整合型計畫構想可行且具有優越性的一個應用領域範例。 2.提供一套系統整合測試方法,讓其他子計畫開發的NetFPGA 模組能確定不僅子系統模組功能正確,當整合運作時,一樣能符合預定功能上與性能上的要求。 3.由於我們的安全測試是建立在整合型計畫所使用的工作網路上的真實流量,所以本計畫所紀錄的攻擊封包與分析的結果對網路安全界的研究將更具參考價值。 4.由於有NetFPGA 硬體模組以及其他子計畫所提供的封包擷取、網管、網路政策管理等方面的配合,我們所獲得的測試結果將不僅是單一安全技術的突破,而且可得到網路整體營運調整後對於網路安全改進的影響關係,由於實驗設計比一般的網路安全研究更為全面,所以對於網路營運商與設備製造商的參考價值預期也會更大。 5.透過本計畫,可以讓更多網路安全領域學生接觸到FPGA 硬體方面的知識與訓練,提升研究人才的培育效果。 ; This proposal is a sub-proposal of the major proposal `` On the Study and Deployment of Network Virtualization Architecture.’’ Based on NetFPGAs deployed in a productive network, the major proposal proposed a novel approach to design, implement, and establish a system which can analyze, record, and research the network traffic continuously for a long period of time. Due to the innovation of the major proposal, in order to make sure that the modules of all sub-proposals can fulfill the proposed functionality, not only these is supposed to have some test approaches for each module, but also there is supposed to have an integrated test approach for the final integrated system. Inspired by the above motivation, this proposal proposed an integrated network layer test approach to check the security functionality of the whole system. The security functionality was chosen because of the following two reasons. First, computer and network security is a critical research field. If the major proposal could prove its value in this field, it will provide a persuasive evidence that Network Virtualization is precious to researchers or network device manufacturers of related fields. Second, the high speed computation power of NetFPGA makes real time recording, detection, and blocking of attack traffic a possible operation, which could not be implemented using a software solution. This proposal proposed a prudent approach to verify the above claims. What follows are the major steps used in our proposal. (1) Based on each specific attack scenario, set up corresponding environment on both the client host and server host to create attack traffic. (2) Develop efficient recording solution to record suspect attack packets. (3) Invent accurate approach to detect attack packets to reduce the false positives created by the previous step. Besides, further improve the detection accuracy through coordinating the information collected from multiple NetFPGAs. (4) Investigate the deployment strategy most suitable for NetFPGAs. This proposal is a three-year one. We expect to achieve the following contributions: 1. Provide an application area to verify the superiority of the NetFPGA-based system. 2. Provide a test approach that can verify the correction of the final integrated NetFPGA-based system. 3. Provide highly referable data to researchers, because our tests are performed on production networks. 4. Provide highly referable data to ISPs and device manufactures, because by combining the work of NetFPGAs, network management, packet recording, and network policy management, we produce more thorough test results. 5. Cultivate professionals in both NetFPGA and security fields. ; 研究期間 9808 ~ 9907 |
