Title: A NetFlow Based Internet Anomaly Detection System (基於NetFlow之網路異常偵測系統)
Author: Liu, Jun-Hwa (劉俊華)
Keywords: NetFlow; anomaly detection; threshold
Publisher: Department of Electrical Engineering

This thesis uses NetFlow as a tool to propose an effective network anomaly detection mechanism. The mechanism not only detects new network worms or attack behaviour, but also matches against the signatures of known attacks to filter out network worms and known attack behaviour. When an anomaly occurs on the network, infected or compromised hosts burst out large volumes of network traffic and exhibit the signature of outbound attack connections; comparing this signature against normal network behaviour reveals the anomaly, so hosts with anomalous traffic volume or connection counts can be found first and blocked immediately, preventing a larger volume of anomalous network behaviour from continuing. We observe the ordinary state of a stable network environment to find the normal traffic volume and connection count, use these as the reference for anomaly detection, observe the normal behaviour pattern, and set a baseline value and a threshold value. However, traffic volume and connection count vary with the time of day, so the baseline and threshold of this detection mechanism change with time and are presented dynamically. When the traffic volume or the number of sessions on the network exceeds the dynamic threshold, this may indicate a new worm, a denial-of-service attack, a network scan or another anomaly; the deviation by which the anomaly increases traffic volume or session count is used to find the cause of the anomaly and the IP address involved. In addition, we build a known-attack signature matching system: since network attacks carry certain identifiable characteristics, for example targeting a particular port or using the IP addresses of particular networks, these are used to filter out network worms and known attack behaviour.

In this thesis, an effective NetFlow based network anomaly detection system was developed. We propose a mechanism that not only detects internet worms and novel attacks, but can also filter out some known signatures of internet worms and attacks. If a host is infected or invaded by attackers, the host will produce a large number of outbound connections. Besides, we can detect unusual network traffic and connections from NetFlow. We can stop these connections immediately to prevent a large number of unusual network behaviours from continuing. A baseline is made by observing the state of the network at ordinary times in a steady network environment, together with the normal network traffic and connections. Different times yield different baseline values. When the network traffic or session numbers go beyond the dynamic threshold, it may represent a new internet worm or attack. In addition, we set up patterns from known attacks to filter out the known signatures of internet worms and attacks.
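The dynamic-baseline scheme the abstract describes, as an added illustration that is not code from the thesis: per-host session counts are grouped by hour of day over a normal observation period, each hour gets its own threshold (mean plus three standard deviations of the per-host counts, an assumed rule since the abstract does not state the formula), a later day is checked against that hour's threshold, and a separate port-based signature table filters flows that match known attack characteristics. All flow records, hosts, ports and the single signature entry are constructed sample data.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records: (day, hour, src_ip, dst_ip, dst_port, bytes).
# Days 0-2 form the "normal" observation period used to build the baseline;
# day 3 contains one host (10.0.0.9) that suddenly opens many outbound sessions.
NORMAL_HOSTS = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]


def _normal_day(day):
    """Constructed normal traffic: daytime hours are busier than night."""
    rows = []
    for hour, base in ((9, 20), (14, 30), (22, 5)):
        for i, src in enumerate(NORMAL_HOSTS):
            for j in range(base + i):  # slight per-host variation
                rows.append((day, hour, src, f"192.0.2.{j % 50}", 443 if j % 3 else 80, 1500))
    return rows


FLOWS = []
for _d in range(4):
    FLOWS += _normal_day(_d)
# Anomalous burst on day 3 at 14:00: 10.0.0.9 opens 400 short sessions to
# 250 distinct destinations on a single port (constructed values).
FLOWS += [(3, 14, "10.0.0.9", f"198.51.100.{k % 250}", 4444, 60) for k in range(400)]

# Constructed signature table: destination ports treated as known-attack indicators.
# Port 4444 is a constructed example value, not a signature taken from the thesis.
KNOWN_SIGNATURES = {4444: "constructed-signature-A"}


def session_counts(flows):
    """Per (day, hour, src) number of flow records (sessions) and total bytes."""
    counts = defaultdict(lambda: [0, 0])
    for day, hour, src, _dst, _dport, nbytes in flows:
        entry = counts[(day, hour, src)]
        entry[0] += 1
        entry[1] += nbytes
    return counts


def build_baseline(flows, baseline_days, k=3.0):
    """Per hour-of-day (mean, dynamic threshold) of per-host session counts.

    The threshold rule mean + k * stdev is an assumption for this example.
    """
    per_hour = defaultdict(list)
    for (day, hour, _src), (sessions, _bytes) in session_counts(flows).items():
        if day in baseline_days:
            per_hour[hour].append(sessions)
    return {h: (mean(v), mean(v) + k * pstdev(v)) for h, v in per_hour.items()}


def detect(flows, baseline, day):
    """Hosts on `day` whose hourly session count exceeds that hour's dynamic threshold.

    The reported deviation (sessions above the hourly mean) is the offset the
    abstract uses to trace the anomaly back to a cause and an IP address.
    """
    alerts = []
    for (d, hour, src), (sessions, nbytes) in session_counts(flows).items():
        if d != day or hour not in baseline:
            continue
        avg, threshold = baseline[hour]
        if sessions > threshold:
            alerts.append({"hour": hour, "src": src, "sessions": sessions,
                           "bytes": nbytes, "deviation": sessions - avg,
                           "threshold": threshold})
    return alerts


def match_signatures(flows, day, signatures=KNOWN_SIGNATURES):
    """(src, signature name) -> number of distinct destinations hit on `day`."""
    hits = defaultdict(set)
    for d, _hour, src, dst, dport, _bytes in flows:
        if d == day and dport in signatures:
            hits[(src, signatures[dport])].add(dst)
    return {key: len(dsts) for key, dsts in hits.items()}


if __name__ == "__main__":
    baseline = build_baseline(FLOWS, baseline_days={0, 1, 2})
    for hour, (avg, thr) in sorted(baseline.items()):
        print(f"hour {hour:02d}: mean sessions/host {avg:.1f}, threshold {thr:.1f}")
    for alert in detect(FLOWS, baseline, day=3):
        print("threshold alert:", alert)
    print("signature hits:", match_signatures(FLOWS, day=3))
```

Because the threshold is computed separately for each hour of day, the 14:00 burst is measured against the busier daytime baseline rather than a single all-day average, which is the point of the abstract's time-dependent threshold; the signature table then independently tags the same host by its destination port, regardless of volume.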

Keywords: NetFlow, anomaly detection, threshold
Other identifier: U0005-2208200723184500
Appears in Collections: Department of Electrical Engineering