Design And Implementation Of NetFlow-based Network Security Situational Awareness Sensor

Posted on: 2009-12-18
Degree: Master
Type: Thesis
Country: China
Candidate: R J Zhou
GTID: 2178360272479525
Subject: Computer application technology
Abstract/Summary:
Due to weaknesses in network security mechanisms, the limitations of network security products, and the growth of malicious activity, the network security situation is not optimistic. The Network Security Situational Awareness System (NSSAS), a new kind of network security assurance system, aims to protect the network by monitoring it in real time and by recognizing and defending against malicious behavior before it gets out of control. The NetFlow-based Network Security Situational Awareness Sensor is an important information-gathering component of the NSSAS; it is responsible for collecting the information the system needs to understand the present network status and predict its trend correctly.

First, this thesis describes the technical principles and applications of NetFlow and the network situation information that NetFlow contains, and discusses the advantages and disadvantages of using it as a data source. Second, the characteristics of NetFlow information are studied and a corresponding capture method is proposed. The way NetFlow data changes under network anomalies such as scanning, worms, Trojan horses, and DoS/DDoS attacks is then studied, and a layered detection model that combines a baseline-based detection layer with a signature-based detection layer is proposed. Third, the sensor is designed and implemented, covering module division, interface design, workflow design, and module implementation. Finally, the sensor is verified experimentally, through both on-site verification and DARPA data replay verification. The experimental results show that the sensor can efficiently and accurately detect malicious activities with notable traffic patterns or connection patterns, such as scanning, worm outbreaks, and DoS/DDoS attacks.
Keywords/Search Tags: NetFlow, network security situational awareness, sensor, anomaly detection