Master's/Doctoral Thesis etd-0706104-012221 Details
Title page for etd-0706104-012221
Network Monitoring on Large Networks
NetFlow, worm propagation, flow profiling, network monitoring, DoS, security forensics
The thesis/dissertation has been browsed 5834 times and downloaded 0 times.
Security incidents seem to be occurring on the network more and more frequently, so network administrators must be able to identify malicious traffic as quickly as possible in order to take effective countermeasures promptly. To monitor the network, administrators must collect traffic-related information in real time; however, they usually find that the information collected is either too coarse or too detailed. The SNMP-based tools most commonly used in the past collect data that is too coarse, whereas packet-capture tools probe the traffic content too deeply and degrade network performance, an effect that is especially pronounced on large networks.
A series of packets travelling between two end hosts is usually defined as a flow. Today most network devices support exporting flow records, which efficiently provide records of network usage and of the usage of certain services. Flows appear to strike a balance between the coarse and the detailed.
NetFlow is practically the industry standard among flow technologies. In this thesis we introduce, describe and examine its characteristics, advantages and strengths. Many flow-related tools are freely available on the Internet. We propose an architecture that lets administrators make good use of flow records to monitor the network effectively and efficiently. By presenting practical application examples, we show that careful analysis of flow records can bring administrators many benefits: they can use them for real-time monitoring, detection of denial-of-service attacks and worm propagation, tracing and verification, and so on.
There seem to be more security events happening on the network nowadays, so administrators must be able to find malicious activities in progress as soon as possible in order to launch effective and efficient countermeasures. Network administrators need to monitor their networks by collecting real-time traffic measurement data, but they may find that the data gathered carries either too little or too much detail. The SNMP-based tools traditionally adopted most often give too little. Packet-sniffing tools, on the other hand, investigate too much, so that performance is sacrificed, especially on a large network with heavy traffic.
Flows are defined as a series of packets travelling between two communicating end hosts. Flow profiling functionality is built into most networking devices today and efficiently provides the information required to record network and application resource utilization. Flows strike a balance between detail and summary.
NetFlow is the de facto standard in flow profiling. We introduce, describe, and investigate its features, advantages, and strengths. Many useful flow-related tools are freely available on the Internet. A mechanism is proposed to make use of flow logs to monitor the network effectively and efficiently. The verification presented suggests that using flow logs can greatly benefit network administrators, who can use them for timely monitoring, DoS and worm propagation detection, forensics, and so on.
Table of Contents
Chapter 1 Introduction 1
1.1 The Threats of Worms 3
1.2 The Threats of DoS Attacks 5
1.3 Motivation 6
Chapter 2 Related Studies 7
2.1 The Spread Pattern of Worms 7
2.2 DoS Attacking Characteristics 9
2.3 SNMP-based Monitoring Tools 10
2.4 Packet-Sniffing Monitoring Tools 12
2.5 NetFlow 16
Chapter 3 NetFlow Applications 20
3.1 Timely Monitoring 21
3.2 Network planning 21
3.3 Service monitoring and profiling 22
3.4 Host monitoring and profiling 23
3.5 Detecting DoS Attacks 24
3.6 Detecting Scans 25
3.7 Detecting Worm Propagation 26
3.8 Network Forensics 27
Chapter 4 System Design 29
4.1 System Architecture 29
4.2 Collecting Module 31
4.3 Statistic Analysis 32
4.4 Rule Based Analysis 35
4.5 Forensic Query 36
Chapter 5 Verification 38
5.1 IP Protocols Traffic Monitoring 38
5.2 Service Traffic Monitoring 40
5.3 Intrusion Detection 42
Chapter 6 Conclusions 45
References 47
Electronic full text
Thesis access permission: not available on campus or off campus
Available:
Campus: never available
Off-campus: never available


Printed copies
Availability: available