
Research On Finding And Detecting Attack For Large-scale DDoS & Worm

Posted on: 2007-12-13
Degree: Master
Type: Thesis
Country: China
Candidate: Q S Kang
Full Text: PDF
GTID: 2178360215958374
Subject: Computer application technology

Abstract/Summary:
The Internet is now widely used in many domains, and critical large-scale networks such as party and government information systems, financial operations systems and enterprise commerce systems depend on it. As countries have come to rely heavily on the Internet, large-scale abnormal events, mostly caused by DDoS (Distributed Denial of Service) and worm attacks, have become a main security threat. Nearly every outbreak of such an event causes huge economic loss to society as a whole. Research on detecting and finding large-scale DDoS and worm attacks early is therefore essential to safeguarding network security.

This thesis first introduces the latest research on large-scale network abnormal events, analyzes the main domestic and foreign technologies and products for DDoS and worms, points out their shortcomings, and gives directions for improvement and research. It then analyzes the functional requirements of the system and produces an overall design from them, including the detection and discovery methods adopted, the system structure and the physical deployment.

The thesis describes the implementation of a large-scale abnormality detection system based on network data streams: network data stream processing, the abnormality detection mechanism, the correlation of alarm information and so on. It also presents the key functions and essential algorithms of the implementation. The system detects abnormal events from the data stream, adopts two kinds of detection model, can monitor a large-scale network, and handles sudden network changes rapidly and effectively.

The system submits messages over the network, for example to provide warning information to the management platform. It provides various information about each event: the time of the event, the network data flow, the abnormal event type, the source information, the last time of the attack, the importance, the confidence and so on. At the same time, the system correlates alarm information from different sensors and, through higher-level processing, provides abnormality information for the whole network, removing duplicate alarms and alarms that correspond to different steps of the same event.

Finally, the thesis presents the system management method and the testing of the system. From the test data it draws the conclusion that the system can effectively detect and find large-scale abnormal network behavior and conforms to the system requirements.
Keywords/Search Tags: intrusion detection, the large-scale network abnormity, distributed denial of service, worm, distributed architecture