
The Research Of Abnormal Netflow Based Intrusion Detection System

Posted on: 2007-05-20
Degree: Master
Type: Thesis
Country: China
Candidate: X Y Yu
Full Text: PDF
GTID: 2178360185997240
Subject: Cryptography and network security
Abstract/Summary:
Due to the popularity of the Internet, people can conveniently access remote resources. But numerous malicious network events, such as computer viruses and hacker attacks, make network management more difficult, so network intrusion detection systems are in ever greater demand. In this thesis, a NetFlow-based anomaly intrusion detection system is presented. Collection of flow data is the foundation of a traffic monitoring system. The existing techniques of flow data collection are classified, and the NetFlow-based method is discussed in depth. The characteristics of typical attacks such as network scans, resource misuse and DDoS are then discussed, and an abnormal-NetFlow-based intrusion detection system is designed and developed on Linux. In addition, guidelines for properly configuring and setting up network devices to minimize the possibility of network attacks coming from inside are also proposed. As the Internet becomes the platform of daily activities, the threat of network attack also becomes more serious. A firewall alone cannot protect a system from being attacked through a normal service channel. Furthermore, most current intrusion detection systems focus on the border of the organization's network, which does not protect hosts in the local network, or the network itself, if the attack comes from inside. Therefore, in addition to the firewall and border IDS, another type of intrusion detection system is needed to protect critical systems as well as the network itself.
We propose an inexpensive and easy-to-implement way to perform anomaly-type intrusion detection based on the NetFlow information exported from routers or other network devices. When a DDoS attack happens, network traffic increases evidently, and the percentage of packets with new IP addresses in the traffic also increases evidently, because many spoofed and forged IP addresses are used. In an enterprise, however, the range of source IP addresses is static. We use an analysis of variance algorithm together with monitoring of the source IP address range to detect abnormality in the percentage of packets with new addresses. The system can detect several types of network attack from inside or outside and perform countermeasures accordingly.
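The two signals the abstract describes, a surge in the share of packets from never-before-seen source addresses and sources falling outside the enterprise's static allocation, can be shown on simplified flow records. The following is an added example written for this page, not code from the thesis: the flow tuples, the 10.20.0.0/16 allocation, the window counts, the threshold of K standard deviations above the baseline mean, and the names `FlowRecord`, `NewSourceDetector`, `make_window` and `run_demo` are all assumptions. It uses a mean-plus-K-sigma rule as a stand-in for the thesis's analysis-of-variance step, and assumes the flows come from the internal router, so legitimate sources should lie inside the allocation.

```python
"""Toy NetFlow-style anomaly detector (added example, not code from the thesis).

Each analysis window (one NetFlow export interval) is reduced to the share of
packets whose source address has never been seen before. A baseline of that
share is kept from windows judged normal, and a window is flagged when its
share sits more than K standard deviations above the baseline mean. A second
check flags packets whose source lies outside the enterprise's static address
allocation. Hosts, ranges and packet counts below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from statistics import mean, pstdev

# Assumed static enterprise allocation; flows are those exported by the
# internal router, so legitimate sources should fall inside it.
ENTERPRISE_RANGES = [ipaddress.ip_network("10.20.0.0/16")]


@dataclass(frozen=True)
class FlowRecord:
    """Minimal subset of a NetFlow record: the fields this detector uses."""
    src: str
    dst: str
    dport: int
    packets: int


def in_enterprise_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ENTERPRISE_RANGES)


class NewSourceDetector:
    def __init__(self, k=3.0, min_history=3, sd_floor=0.01):
        self.known = set()        # sources seen in windows judged normal
        self.history = []         # new-source ratios of windows judged normal
        self.k = k
        self.min_history = min_history
        self.sd_floor = sd_floor  # stops a perfectly flat baseline flagging tiny changes

    def new_source_ratio(self, flows):
        """Share of packets in the window whose source is not yet known."""
        total = sum(f.packets for f in flows)
        if total == 0:
            return 0.0
        new = sum(f.packets for f in flows if f.src not in self.known)
        return new / total

    def foreign_packets(self, flows):
        """Packets whose source lies outside the static enterprise allocation."""
        return sum(f.packets for f in flows if not in_enterprise_range(f.src))

    def observe(self, flows):
        """Classify one window and, only if it looks normal, learn from it."""
        if not self.known:                    # cold start: every source is new
            self.known.update(f.src for f in flows)
            return "learning"
        if self.foreign_packets(flows) > 0:
            return "spoofed-source"
        ratio = self.new_source_ratio(flows)
        if len(self.history) >= self.min_history:
            mu = mean(self.history)
            sd = max(pstdev(self.history), self.sd_floor)
            if ratio > mu + self.k * sd:
                return "new-source-surge"     # attack windows are not learned
        self.history.append(ratio)
        self.known.update(f.src for f in flows)
        return "normal"


def make_window(counts):
    """Build a window from {source_ip: packets}; dst and port are placeholders."""
    return [FlowRecord(src, "10.20.0.1", 80, n) for src, n in counts.items()]


def run_demo():
    """Feed constructed windows through the detector and return the verdicts."""
    det = NewSourceDetector()
    windows = [
        make_window({"10.20.1.10": 100, "10.20.1.11": 60, "10.20.2.5": 40}),
        make_window({"10.20.1.10": 120, "10.20.1.11": 50, "10.20.3.7": 10}),
        make_window({"10.20.1.10": 90, "10.20.2.5": 60, "10.20.3.7": 30, "10.20.4.2": 20}),
        make_window({"10.20.1.11": 100, "10.20.4.2": 50, "10.20.5.9": 10}),
        # Flood: 40 never-seen sources inside the allocation, 10 packets each
        make_window({"10.20.1.10": 50, **{f"10.20.200.{i}": 10 for i in range(1, 41)}}),
        # Flood claiming a source outside the allocation (192.0.2.0/24 is documentation space)
        make_window({"10.20.1.10": 80, "192.0.2.77": 200}),
    ]
    return [det.observe(w) for w in windows]


if __name__ == "__main__":
    for i, verdict in enumerate(run_demo(), 1):
        print(f"window {i}: {verdict}")
```

The first window is consumed only to seed the known-source set, since on a cold start every address is new; after three normal windows the baseline is trusted and the flood of forged internal addresses in window five pushes the new-source share from a few percent to nearly 90 percent, well past the threshold. Window six is caught by the range check before the ratio is even computed. Windows that are flagged are deliberately not fed back into the baseline, so a sustained attack cannot teach the detector that a flood is normal.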
Keywords/Search Tags: NetFlow, Intrusion Detection, DoS, PortScan