System ID: U0026-2208201617551400
Title (Chinese): 設計與實作基於NetFlow之內部網路威脅偵測系統
Title (English): Design and Implementation of Insider Threats Detection System Based on NetFlow
University: National Cheng Kung University (成功大學)
Department (Chinese): 電腦與通信工程研究所 (Institute of Computer and Communication Engineering)
Department (English): Institute of Computer & Communication
Academic year: 104 (ROC calendar; 2015-2016)
Semester: 2
Year of publication: 105 (ROC calendar; 2016)
Author (Chinese): 涂嘉成
Author (English): Chia-Cheng Tu
Student ID: q36034316
Degree: Master's
Language: English
Pages: 57
Committee:
  Advisor: 楊竹星
  Member: 葉俊雄
  Member: 謝錫堃
  Member: 林輝堂
  Member: 黃仁竑
Keywords: Network Security, NetFlow, Threat Detection, Abnormal Behavior
Abstract (Chinese, translated): Network technology advances rapidly, bandwidth keeps growing, and more and more services are carried over the network. Even an academic network is no longer used only for research; it also carries entertainment, education and other uses, so managing such a large network is a subject worth studying. To prevent abuse of the network that infringes on the rights of others, a way to find the problematic hosts inside the managed network has become an urgent need. Although intrusion detection systems and firewalls are common defences, human nature is hard to guard against: APT attacks, which often rely on social engineering, mostly hide inside normal traffic, and a firewall cannot simply block normal traffic such as web or e-mail. As a result we usually do not notice the intrusion until an internal host has already been compromised and implanted with a program that maintains the attacker's access. In today's flourishing cloud environments this is a major challenge that must be faced.
Although we do not notice the compromise when it happens, we can judge whether a host is problematic once it produces abnormal traffic afterwards. Observing traffic requires no extra monitoring tool on every host: a router or switch, or even an open-source package, exports the traffic in NetFlow format and the data is then analyzed. For today's high-speed networks, the benefit of NetFlow is that it discards packet payloads, keeps only header information, and merges packets into a larger unit, the network flow. This makes connection behaviour easy to observe and reduces the processing load, which speeds up real-time threat judgements.
This study defines several network behaviour features and, from them, produces a consolidated list of potentially problematic hosts in the internal network together with their risk level. This not only lets users check the behaviour of their own hosts but also lets administrators monitor the state of internal hosts in real time, making the network environment more robust.
Abstract (English): Internet technology is advancing rapidly and bandwidth keeps growing. More and more services run over the academic network, including entertainment and education rather than research alone, so managing such a large network has become a major issue for administrators. To prevent malicious use of network resources, it is important to have a system that finds the hosts in the network that behave abnormally. Although intrusion detection systems and firewalls are both well-known defences, attackers still have a good chance of compromising hosts. APT campaigns, for example, usually begin with social engineering aimed at people, and their traffic looks like normal traffic; it is hard to block, because blocking it would also block normal services such as web and mail. The same situation arises in virtualized environments, and it has to be faced and resolved.
We may not notice the intrusion itself, but we can detect the abnormal traffic that the compromised hosts then produce. Observing traffic requires no agent on each host: the router or switch is configured to export flow data, which is then analyzed, and open-source tools can likewise export traffic in NetFlow format. NetFlow discards the packet payload and keeps only header information, so traffic is observed per flow rather than per packet, which reduces system load and improves efficiency.
The system extracts abnormal behavior patterns from the traffic and aggregates them into a list of IP addresses of suspicious hosts. This serves both users who want to check their own hosts and administrators who manage the network.
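The approach the abstract sketches (per-host behaviour patterns extracted from flow records, then correlated into a ranked list of suspicious internal hosts) can be illustrated with a compact flow profiler. The following is an added example written for this record, not the thesis's own code: it runs over constructed NetFlow-style records (dicts carrying the start, duration, src, dst, dport and packets fields that nfdump exports), flags the six behaviour patterns named in the thesis outline (brute force, vertical scan, horizontal scan, abnormal DNS, periodic connection, constant connection) with illustrative thresholds, and correlates them into one risk score per host. The 10.0.0.0/8 monitored prefix, the 10.0.0.53 resolver, every threshold and every weight are assumptions, not values from the thesis.

```python
"""Flow-based profiling of internal hosts, after the approach in the abstract.

Added example, not the thesis's code. Assumptions (all illustrative): flows are
dicts with the fields nfdump exports (start, duration, src, dst, dport, packets);
10.0.0.0/8 is the monitored network and 10.0.0.53 its only sanctioned resolver;
thresholds and weights are placeholders that a deployment must calibrate.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from itertools import cycle
from statistics import mean, pstdev

INTERNAL = ip_network("10.0.0.0/8")       # assumed monitored prefix
SANCTIONED_DNS = {"10.0.0.53"}            # assumed internal resolver
AUTH_PORTS = {22, 23, 3389, 445}          # services worth password guessing
WEIGHTS = {"brute_force": 3, "periodic_connection": 3, "vertical_scan": 2,
           "horizontal_scan": 2, "abnormal_dns": 2, "constant_connection": 1}

def profile(flows):
    """Map each internal source IP to the behaviour patterns it exhibits."""
    by_src = defaultdict(list)
    for f in flows:
        if ip_address(f["src"]) in INTERNAL:
            by_src[f["src"]].append(f)
    findings = {}
    for src, fl in by_src.items():
        hits = {}
        # Brute force: many short flows from one source to one auth service.
        auth = defaultdict(int)
        for f in fl:
            if f["dport"] in AUTH_PORTS and f["packets"] <= 20:
                auth[(f["dst"], f["dport"])] += 1
        if bf := {k: n for k, n in auth.items() if n >= 30}:
            hits["brute_force"] = bf
        # Vertical scan: one destination, many distinct ports.
        ports = defaultdict(set)
        for f in fl:
            ports[f["dst"]].add(f["dport"])
        if vs := {d: len(p) for d, p in ports.items() if len(p) >= 50}:
            hits["vertical_scan"] = vs
        # Horizontal scan: one port, many distinct destinations.
        dsts = defaultdict(set)
        for f in fl:
            dsts[f["dport"]].add(f["dst"])
        if hs := {p: len(d) for p, d in dsts.items() if len(d) >= 50}:
            hits["horizontal_scan"] = hs
        # Abnormal DNS: queries that bypass the sanctioned resolver.
        if ext := {f["dst"] for f in fl
                   if f["dport"] == 53 and f["dst"] not in SANCTIONED_DNS}:
            hits["abnormal_dns"] = sorted(ext)
        # Periodic connection: near-constant inter-arrival to one dst:port.
        starts = defaultdict(list)
        for f in fl:
            starts[(f["dst"], f["dport"])].append(f["start"])
        periodic = {}
        for key, ts in starts.items():
            if len(ts) >= 5:
                ts.sort()
                gaps = [b - a for a, b in zip(ts, ts[1:])]
                if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < 0.1:
                    periodic[key] = round(mean(gaps), 1)
        if periodic:
            hits["periodic_connection"] = periodic
        # Constant connection: a single flow held open for an hour or more.
        if const := [(f["dst"], f["dport"]) for f in fl if f["duration"] >= 3600]:
            hits["constant_connection"] = const
        if hits:
            findings[src] = hits
    return findings

def rank(findings):
    """Correlate a host's patterns into one risk score; highest risk first."""
    scored = [(sum(WEIGHTS[p] for p in hits), src, sorted(hits))
              for src, hits in findings.items()]
    return sorted(scored, key=lambda r: (-r[0], r[1]))

def flow(start, duration, src, dst, dport, packets):
    return dict(start=start, duration=duration, src=src, dst=dst,
                dport=dport, packets=packets)

def sample_flows():
    """Constructed flows for the demo, not captured traffic; t0 is arbitrary."""
    t0, flows = 1_600_000_000, []
    t, gaps = t0, cycle([2, 9, 4, 7, 1, 8])          # irregular: not a beacon
    for _ in range(40):                               # 10.0.1.10 guesses SSH
        flows.append(flow(t, 1, "10.0.1.10", "10.0.2.5", 22, 6))
        t += next(gaps)
    flows += [flow(t0 + i, 0, "10.0.1.11", f"10.0.3.{i}", 445, 1)      # SMB sweep
              for i in range(1, 61)]
    flows += [flow(t0 + p, 0, "10.0.1.15", "10.0.2.9", p, 1)           # port sweep
              for p in range(100, 160)]
    flows += [flow(t0 + 300 * i, 2, "10.0.1.12", "203.0.113.7", 443, 4)  # beacon
              for i in range(12)]
    flows += [flow(t0 + 50 * i, 0, "10.0.1.12", "198.51.100.9", 53, 2)   # rogue DNS
              for i in range(3)]
    flows.append(flow(t0, 7200, "10.0.1.14", "203.0.113.20", 8080, 5000))  # tunnel
    flows += [flow(t0, 0, "10.0.1.13", "10.0.0.53", 53, 2),              # benign
              flow(t0 + 1, 30, "10.0.1.13", "93.184.216.34", 443, 40)]
    return flows

if __name__ == "__main__":
    for score, src, patterns in rank(profile(sample_flows())):
        print(f"{src:<12} risk={score} {', '.join(patterns)}")
```

Two caveats a practitioner would apply before trusting such output. Sampled NetFlow (1:100 or coarser on campus routers) drops most single-packet probes, so the scan thresholds have to be set relative to the sampling rate rather than as absolute counts, and the coefficient-of-variation test for beaconing is defeated by deliberate jitter; a real deployment would calibrate thresholds against a clean baseline window and use an autocorrelation or spectral test for periodicity.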
Table of Contents
Abstract (Chinese)
Abstract
Acknowledgements
Table of Contents
List of Tables
List of Figures
1. Introduction
1.1 Motivation
1.2 Problem Statement
1.3 Approaches
1.4 Thesis Architecture
2. Related Works
2.1 NetFlow
2.1.1 Introduction
2.1.2 Research on Detection of Anomalous Behavior by NetFlow
2.2 IP Address Profiling
2.2.1 Brute Force Attack
2.2.2 Vertical Scan
2.2.3 Horizontal Scan
2.2.4 Abnormal DNS Traffic
2.2.5 Periodical Connection
2.2.6 Constant Connection
3. System Architecture
3.1 Overall
3.2 IP Address Profiling
3.2.1 Brute Force Attack
3.2.2 Vertical Scan
3.2.3 Horizontal Scan
3.2.4 Abnormal DNS Traffic
3.2.5 Periodical Connection
3.2.6 Constant Connection
3.3 Correlating and Ranking
4. Experiment and Verification
4.1 Experiment 1 - Comparison with Vulnerability Scan
4.1.1 OpenVAS
4.1.2 Results and Discussion
4.2 Experiment 2 - Tracking Connection
4.2.1 Results
4.2.2 Discussion
4.3 Experiment 3 - Test of Operability and Portability
4.4 Case Study
4.4.1 Case 1
4.4.2 Case 2
5. Conclusion and Future Work
Reference
Full-text access permissions
  • On-campus electronic full-text browsing/printing authorized, public from 2021-07-31.
  • Off-campus electronic full-text browsing/printing authorized, public from 2021-07-31.