DocumentCode
2309349
Title
Manipulation of Network Traffic Traces for Security Evaluation
Author
Gadelrab, Mohammed ; Kalam, Akhtar ; Deswarte, Yves
Author_Institution
LAAS-CNRS, Univ. de Toulouse, Toulouse
fYear
2009
fDate
26-29 May 2009
Firstpage
1124
Lastpage
1129
Abstract
Testing network-based security tools such as intrusion detection and prevention systems (IDS/IPS) differs from testing ordinary network tools (e.g., routers and switches). In addition to the parameters that matter for network tools (such as bandwidth utilization, routing information and packet timing), security tools are more sensitive to issues like traffic composition, contents, and session-level parameters. Generating realistic synthetic traffic that keeps all the characteristics of real traffic has proved to be difficult. For this reason, security testers often use real traffic traces in their tests or evaluations. However, the available traces are often limited in number or size. Therefore, it is necessary to merge and manipulate traces to create a test environment that is representative of the operational environment, and to inject attacks into the traffic. A variety of tools for recording, replaying and forging packets can be obtained easily, but there exist very few tools for manipulating traces so as to modify the traffic composition from the networking viewpoint. Among them, surprisingly, there is no tool for manipulating traces without destroying their security-relevant characteristics. In this paper, we present a brief survey of trace manipulation and packet forging tools. Then we determine the requirements of tools for manipulating traces and injecting attacks while keeping their original characteristics. Finally, we present the architecture and the implementation of our tool, intended to fill this gap in security testing tools.
Keywords
IP networks; bandwidth allocation; security of data; telecommunication network routing; telecommunication security; telecommunication traffic; transport protocols; TCP/IP network; attack injection; bandwidth utilization; intrusion detection system; intrusion prevention system; network traffic trace manipulation tool; network-based security testing tool; packet forging tool; packet timing; routing information; Character generation; Communication system traffic control; Data security; Information security; Intrusion detection; Switches; System testing; Telecommunication traffic; Timing; Traffic control
fLanguage
English
Publisher
ieee
Conference_Titel
Advanced Information Networking and Applications Workshops, 2009. WAINA '09. International Conference on
Conference_Location
Bradford
Print_ISBN
978-1-4244-3999-7
Electronic_ISBN
978-0-7695-3639-2
Type
conf
DOI
10.1109/WAINA.2009.36
Filename
5136802