September 22, 2017, Friday, 264

FDNS

出自TYRC

跳轉到: 導覽, 搜尋

區網Cloud-based 異常流量偵測: http://www.tyrc.ncu.edu.tw/index.php/CFDNS

行政院國家科學委員會補助專題研究計畫

匯集網路異常訊務之偵測與通告系統

Flood Detection and Notification System over Aggregate Network

計劃編號: NSC 96-2218-E-008-010

計劃期限: 96年 8月1日 至 97年 7月31日

計劃主持人:楊素秋 (中央大學電算中心)

計劃參與人員: 劉秋美、呂芳發、包元輝、吳銹美 (中央大學電算中心) 賴昭榮、 林奇賦、林冠余 (中央大學資訊工程所)

作者網址: http://audp.tyc.edu.tw/Yang/index.php
下載網址: http://sourceforge.net/projects/fdns/
下載流量: https://sourceforge.net/project/stats/index.php?group_id=257228&ugn=fdns



摘要

由於遭誤用系統頻繁地傳送明顯的超量訊務給單一或多部主機 (destinations),且傳送超量訊務的持續時段也明顯拉長;而所有連網封包均需透過router轉送.利用匯集網路閘門router轉送紀錄,實作涵蓋廣範圍網路的異常偵測與通告系統顯然是最有效率且可行的做法.

FDNS系統首先擷取router Netflow 紀錄, 依據選定的port scan, spam, packet flooding 特徵辨識變量(vrflow_id),經累計/排序各vrflow_id 的訊務量,與multi-thresholds偵測程序後,突顯出連網之異常源端主機及其突增的具體傳訊數據, 此外, 系統也將偵測之flooding訊務數據,通告網路用戶,協助補強系統安全,阻斷攻擊行為.

Abstract
The rapid growth in DoS attack, spam and mass-mail viruses has increased the need to develop effective approaches for detecting the significant flooding maly. As all traffic between the public Internet and the customer’s desktop are interconnected through ISP’s access router, it is feasible and effective for adding an extra level flooding filtering over aggregate networks for detecting the source hosts that launch flooding based DoS attack and delivery huge amount of spam.

This work makes use of the transportation traffic log gathered from backbone router to develop flooding detection and notification system (FDNS) that measures, detects, and notices the extremely anomalous traffic according to the bulk distribution aspect of flooding traffic, including: packet flooding attack, portscan, spam distribution.

The system had been deployed over one core aggregate network of TANet (Taiwan Academic Network) for assisting network administrators and users grasp the anomalous traffic numeric.

關鍵字: PortScan, spam, packet flooding, Flooding detection, Automatic notification, ipRoute SNMP MIB.