Responsive image
博碩士論文 etd-0706104-012221 詳細資訊
Title page for etd-0706104-012221
論文名稱
Title
大型網路上的網路監控
Network Monitoring on Large Networks
系所名稱
Department
畢業學年期
Year, semester
語文別
Language
學位類別
Degree
頁數
Number of pages
49
研究生
Author
指導教授
Advisor
召集委員
Convenor
口試委員
Advisory Committee
口試日期
Date of Exam
2004-07-05
繳交日期
Date of Submission
2004-07-06
關鍵字
Keywords
安全事件追查、阻斷服務攻擊、蠕蟲、網路監控
NetFlow, worm propagation, flow profiling, network monitoring, DoS, security forensics
統計
Statistics
本論文已被瀏覽 5834 次,被下載 0
The thesis/dissertation has been browsed 5834 times, has been downloaded 0 times.
中文摘要
似乎有越來越多的安全事件持續在網路發生,因此網路管理者必須能夠盡快的找出惡意的流量,以迅速採取有效的對策。管理者為了要監控網路,必須即時的收集流量的相關資訊,不過,通常管理者會發現收集到的資訊不是太不詳細就是過於仔細。傳統上,最常利用的支援 SNMP 的工具,收集到的資料過於簡略。而封包截取工具探究流量內容過於深入,對網路效能會造成影響,尤其在大型網路中會更明顯。
通常將往返於兩個端點主機的一連串流量封包定義為 flow。今日,大部分的網路設備均支援輸出 flow 記錄的功能,能夠有效的提供網路使用和一些服務使用的相關記錄。Flow 似乎在簡略與詳細中取得了平衡。
NetFlow 幾乎已是 flow 技術中的產業標準。在此篇論文中,我們介紹,描述,探討了他的特性,優點,和長處。在網際網中有很多 flow 相關的工具可以自由取得。我們提出了一個架構,以讓管理者可以善加利用 flow 的記錄來有功效及有效率的監控網路。透過實際應用例子的呈現,我們證明了 flow 記錄的善加分析,可以給管理者帶來許多助益。管理者可以利用他們在即時監控,阻斷服務攻擊和蠕蟲的偵測,及追蹤驗證上等等方面。
Abstract
There seems to be more security events happening on the network nowadays, so the administrators have to be able to find the malicious activities in progress as soon as possible in order to launch effective and efficient countermeasures. The Network administrators need to monitor the networks through collecting real time traffic measurement data on their networks, but they might find that the data gathered seems to be too little or too much detail. SNMP-based tools traditionally adopted most often give too little. However, packet sniffing tools investigate too much, so that the performance is sacrificed, especially on a large network with heavy traffic.
Flows are defined as a series of packets traveling between the two communicating end hosts. Flow profiling functionality is built into most networking devices today, which efficiently provide the information required to record network and application resource utilization. Flow strikes a balance between detail and summary.
NetFlow is the de facto standard in flow profiling. We introduce, describe,and investigate its features, advantages, and strengths. Many useful flow-related tools are freely available on the Internet. A mechanism is proposed to make use of the flow logs to monitor the network effectively and efficiently. Through verification, it is believed that using flow logs can benefit the network administrator so much. The administrators can use them for timely monitoring, DoS and worm propagation detection, forensics et al.
目次 Table of Contents
Chapter 1 Introduction 1
1.1 The Threats of Worms 3
1.2 The Threats of DoS Attacks 5
1.3 Motivation 6
Chapter 2 Related Studies 7
2.1 The Spread Pattern of Worms 7
2.2 DoS Attacking Characteristics 9
2.3 SNMP-based Monitoring Tools 10
2.4 Packet-Sniffing Monitoring Tools 12
2.5 Netflow 16
Chapter 3 NetFlow Applications 20
3.1 Timely Monitoring 21
3.2 Network planning 21
3.3 Service monitoring and profiling 22
3.4 Host monitoring and profiling 23
3.5 Detecting DoS Attacks 24
3.6 Detecting Scans 25
3.7 Detecting Worm Propagation 26
3.8 Network Forensics 27
Chapter 4 System Design 29
4.1 System Architecture 29
4.2 Collecting Module 31
4.3 Statistic Analysis 32
4.4 Rule Based Analysis 35
4.5 Forensic Query 36
Chapter 5 Verification 38
5.1 IP Protocols Traffic Monitoring 38
5.2 Service Traffic Monitoring 40
5.3 Intrusion Detection 42
Chapter 6 Conclusions 45
References 47
參考文獻 References
[1] Tobias Oetiker, Dave Rand. “MULTI ROUTER TRAFFIC GRAPHER”,
http://people.ee.ethz.ch/~oetiker/webtools/mrtg/

[2] Jeff R. Allen
http://cricket.sourceforge.net/

[3] Nicholas Weaver. “A Brief History of The Worm”, INFOCUS, SecurityFocus, November 2001.
http://www.securityfocus.com/infocus/1515

[4] CAIDA. “Code-Red Worms: A Global Threat”, CAIDA
http://www.caida.org/analysis/security/code-red/index.xml

[5] CAIDA. ” Code-Red: a case study on the spread and victims of an Internet worm”, 2002 Sigcomm/Usenix Internet Measurement Workshop
http://www.caida.org/outreach/papers/2002/codered/codered.pdf

[6] Andrew Mackie, Jensenne Roculan, Ryan Russell, and Mario Van Velzen., ”Nimda Worm Analysis”, Incident Analysis Report, SecurityFocus, Septemper 2001. http://aris.securityfocus.com/alerts/nimda/010921-Analysis-Nimda-v2.pdf

[7] David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, and Nicholas Weaver. ”Inside the Slammer Worm”
http://www.computer.org/security/v1n4/j4wea.htm

[8] Kevin J. Houle, George M. Weaver. “Trends in Denial of Service Attack Technology”, CERT/CC, October 2001
http://www.cert.org.tw/archive/pdf/DoS_trends.pdf

[9] L. Arent, D. MuCullagh, “A Frenzy of Hacking Attacks”. Wired Online, February 2000.
http://www.wired.com/news/business/0,1367,34234,00.html
[10] N.Weaver. “WarholWorms: The Potential for Very Fast Internet Plagues”,
http://www.cs.berkeley.edu/~nweaver/warhol.html.

[11] Staniford, Stuart, Vern Paxson, and Nicholas Weaver. “How to Own the
Internet in Your Spare Time”, Proceedings of the 11th Usenet Security Symposium, San Francisco, CA. 5-9 Aug. 2002. USENIX Association.
http://www.usenix.org/publications/library/proceedings/sec02/full_papers/staniford/staniford.pdf

[12] CERT/CC. “CERT Advisory CA-2001-26 Nimda Worm”, Sept. 2001.
http://www.cert.org/advisories/CA-2001-26.html

[13] Ruby B. Lee ,“Taxonomies of Distributed Denial of Service Networks, Attacks, Tools, and Countermeasures”.
http://ww.ee.princeton.edu/~rblee/DoS%20Survey%20Paper_v7final.doc

[14] http://www.mrtg.org

[15] http://www.ntop.org/ntop.html

[16] http://www.tcpdump.org

[17] http://ipaudit.sourceforge.net

[18] Cisco White Paper. “NetFlow Services and Applications”
http://www.cisco.com/warp/public/cc/pd/iosw/ioft/neflct/tech/napps_wp.pdf

[19] Cisco, “NetFlow Services Solutions Guide”
http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/netflsol/nfwhite.htm

[20] Dave Plonka,” FlowScan: A Network Traffic Flow Reporting and Visualization Tool”
http://net.doit.wisc.edu/~plonka/lisa/FlowScan/out.ps.gz

[21] John-Paul Navarro, Bill Nickless, & Linda Winkler - Argonne National Laboratory, “Combining Cisco NetFlow Exports with Relational Database Technology for Usage Statistics, Intrusion Detection, and Network Forensics”

[22] http://www.splintered.net/sw/flow-tools/

[23] http://net.doit.wisc.edu/~plonka/FlowScan/

[24] Daniel W. McRobb, “cflowd configuration”, 1998-1999.
http://www.caida.org/tools/measurement/cflowd/configuration/configuration.html

[25] http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
電子全文 Fulltext
本電子全文僅授權使用者為學術研究之目的,進行個人非營利性質之檢索、閱讀、列印。請遵守中華民國著作權法之相關規定,切勿任意重製、散佈、改作、轉貼、播送,以免觸法。
論文使用權限 Thesis access permission:校內校外均不公開 not available
開放時間 Available:
校內 Campus:永不公開 not available
校外 Off-campus:永不公開 not available

您的 IP(校外) 位址是 35.174.62.162
論文開放下載的時間是 校外不公開

Your IP address is 35.174.62.162
This thesis will be available to you on Indicate off-campus access is not available.

紙本論文 Printed copies
紙本論文的公開資訊在102學年度以後相對較為完整。如果需要查詢101學年度以前的紙本論文公開資訊,請聯繫圖資處紙本論文服務櫃台。如有不便之處敬請見諒。
開放時間 available 已公開 available

QR Code