Research on NetFlow-Based Network Traffic Anomaly Detection Technology
[Abstract]: With the rapid development of the Internet, its applications have spread widely across many fields. The network is now everywhere; neither office work nor entertainment can do without it, and it has become part of people's normal work and life. The security problems brought by the rapid development of network technology are drawing increasing attention. Network security problems emerge endlessly: abnormal traffic from network attacks, Trojan horse attacks, virus propagation and the like can be found everywhere. Traditional intrusion detection systems can no longer keep up with the rapidly developing network environment. Against this background, this paper carries out the related research work. First, the paper studies and discusses methods of collecting network traffic, introduces the basic principles of SNMP-based collection and network-probe-based collection, and analyzes the advantages and disadvantages of these techniques. On the basis of that analysis, it examines the NetFlow-based network traffic collection method in detail and finally chooses the NetFlow-based method. Second, an anomaly detection algorithm based on clustering is proposed. Based on an analysis of the inherent correlation features of abnormal network traffic, a clustering-based anomaly detection algorithm is designed, with similarity and interconnection as the evaluation criteria. Combining these two criteria improves the quality of the clustering algorithm. Third, a model of a network traffic anomaly detection system is designed and implemented. The model consists of four parts: data acquisition module, information statistics module, anomaly detection module, alarm module and information presentation module.
The data acquisition module first checks and processes the NetFlow data collected at the router's egress, then stores the processed data in the database. The information statistics module aggregates the collected information, stores the resulting data in the database, and displays the statistics to the user. The anomaly detection module mainly detects traffic anomalies and can identify and locate the host with abnormal traffic. Through testing and simulation of the system, we can discover and detect abnormal network traffic.
[Degree-granting institution]: Hebei University
[Degree level]: Master's
[Year degree awarded]: 2014
[Classification number]: TP393.06
Article ID: 2212246
Article link: https://www.wllwen.com/guanlilunwen/ydhl/2212246.html