Generating background network traffic for network security testbeds

Qureshi, Hassan

With the advancement of science and technology, there has been rapid growth in computer network attacks. Most of them take the form of sophisticated and smart attacks, which are hard to trace. Although researchers have been working on this issue (attack detection, prevention and mitigation), the existing network security evaluation techniques lack effective experimental infrastructure and rigorous scientific methodologies for developing and testing cyber security technologies. To make progress in this area, we need to address one of the major shortcomings in evaluating network security mechanisms: the lack of relevant, representative network data. The research community is in need of tools that are able to generate scalable, tunable, and representative network traffic. Such tools are vital in a testbed environment, where they can be used to evaluate the behavior and performance of security-related tools. In this context, we present the Markov Traffic Generator (MTG), which is able to generate representative network traffic. The MTG follows a unique approach of generating background traffic at the session level, unlike previous approaches, which operated at the packet level. The tool is application dependent and is able to generate various types of TCP traffic. The resulting tool is useful for researchers and developers in building, testing and evaluating cyber security-related tools. In this work, we develop the classifications of background traffic generation models based on past work and present a new toolkit, the Markov Traffic Generator (MTG). As opposed to past work, MTG uses a first-order hierarchical Markov agent to generate background user behavior in a network testbed. The Markov agents can be used to generate behavior that mimics observed traffic in real networks. The thesis concludes by showing that MTG can realistically replicate observed network behavior.
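The following added example, which is not MTG's code and does not come from the thesis, fits a two-level first-order Markov model to session logs (an upper chain over applications, a lower chain of actions per application) and generates session-level behaviour from it. The log format, the application and action names, and all function names are assumptions, and the sample data is constructed.

```python
import random
from collections import Counter, defaultdict

# Constructed sample logs (assumed format): one list of (application, action) per user.
OBSERVED = [
    [("http", "get"), ("http", "get"), ("http", "post"), ("ssh", "login"),
     ("ssh", "command"), ("ssh", "command"), ("ssh", "logout"), ("http", "get")],
    [("smtp", "helo"), ("smtp", "mail"), ("smtp", "quit"), ("http", "get"),
     ("http", "post"), ("ssh", "login"), ("ssh", "logout")],
    [("http", "get"), ("smtp", "helo"), ("smtp", "mail"), ("smtp", "quit")],
]

def fit(sequences):
    """Maximum-likelihood first-order transition probabilities."""
    counts = defaultdict(Counter)
    for seq in sequences:
        for cur, nxt in zip(seq, seq[1:]):
            counts[cur][nxt] += 1
    return {s: {n: c / sum(r.values()) for n, c in r.items()} for s, r in counts.items()}

def train(logs):
    """Upper chain over applications, one lower chain of actions per application."""
    app_seqs, runs = [], defaultdict(list)
    for log in logs:
        apps = []
        for app, action in log:
            if not apps or apps[-1] != app:      # application changed: new session
                apps.append(app)
                runs[app].append(["START"])
            runs[app][-1].append(action)
        app_seqs.append(apps)
    for run in (r for rs in runs.values() for r in rs):
        run.append("END")                        # explicit terminal state per session
    return {"apps": fit(app_seqs),
            "actions": {app: fit(rs) for app, rs in runs.items()}}

def step(rng, row):
    states = sorted(row)                         # fixed order keeps seeds reproducible
    return rng.choices(states, weights=[row[s] for s in states])[0]

def generate(model, start_app, n_sessions, seed=0):
    """Return n_sessions (application, [actions]) tuples of background behaviour."""
    rng, app, out = random.Random(seed), start_app, []
    for _ in range(n_sessions):
        state, actions = "START", []
        while (state := step(rng, model["actions"][app][state])) != "END":
            actions.append(state)
        out.append((app, actions))
        app = step(rng, model["apps"].get(app, {start_app: 1.0}))  # no row: restart
    return out
```

Each generated tuple is one session; a testbed driver would map it to a real client action against a target service, which is outside what this example covers.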