Design And Realization Of Traffic Statistics And Anomaly Detecting System Based On Linux

Posted on: 2009-09-24
Degree: Master
Type: Thesis
Country: China
Candidate: M T Xin
Full Text: PDF
GTID: 2178360275970208
Subject: Computer technology
Abstract/Summary:
The goal of this paper is to design and implement a traffic statistics and anomaly detection system based on Linux. Traffic statistics and anomaly detection based on NetFlow have wide application prospects. This paper is based on a practical project and focuses on several aspects of NetFlow, such as generation, output, collection, statistics and anomaly detection. It presents thorough research on these aspects and proposes improvements to the output model and to parameter optimization.

For NetFlow generation and collection, the working principle and data format are understood by analyzing the source code of nProbe and SiLK. The specific file storage structure of SiLK is discussed in this paper.

For NetFlow statistics, this paper introduces the principle and composition of SiLK, and describes the main analysis tools, such as rwfilter, rwtotal and rwcount, in detail. The statistical results of rwfilter can only be exported to a file, a named pipe or standard output, which increases the risk of error and affects the efficiency of the implementation. After modifying the SiLK source code, this problem has been solved.

For NetFlow anomaly detection, the background and the methods used are explained. A fine-grained monitoring policy for abnormal protocols and ports is determined by comparing a variety of anomaly monitoring methods. In the monitoring model, the parameter settings determine the accuracy of the anomaly detection warnings, so the parameters of the monitoring model are extensively optimized in the system.

As a fully designed and implemented system, the hardware operating environment and software components of the system are presented in this paper, together with the design and implementation of the function modules and flow charts. A small-scale test environment is constructed to test the methods in this paper. The system has been applied in a small network environment, where it can detect DoS, DDoS, worm and other attack packets quickly and effectively.

The research on methods of anomaly flow monitoring may be helpful to future work.
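The abstract describes two building blocks, per-protocol/port statistics over NetFlow records (the kind of aggregation rwtotal and rwcount perform) and a monitoring model whose thresholds must be tuned. The following Python is an added illustration of those two steps and is not code from the thesis or from the SiLK project: the flow-record layout, the 60-second bin width, the "mean + k*stddev, at least twice the mean" rule and the sample flow records are all constructed assumptions of this example, standing in for the thesis's own monitoring parameters.

```python
"""Per-protocol/port NetFlow statistics with a simple threshold-based anomaly check.

Added illustration, not code from the thesis: the flow-record layout, the
60-second bin width and the "mean + k*stddev, at least 2x the mean" rule are
assumptions of this example, and the flow records are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """Minimal NetFlow-style record: a subset of the fields nProbe exports
    and SiLK stores (assumed layout)."""
    start: int    # flow start time, seconds since an arbitrary epoch
    src: str
    dst: str
    proto: int    # IP protocol number (6 = TCP, 17 = UDP)
    dport: int
    packets: int
    bytes: int


BIN_SECONDS = 60   # width of one statistics interval (assumed)


def by_proto_port(f):
    return (f.proto, f.dport)


def totals(flows, key=by_proto_port):
    """Aggregate flow/packet/byte counts per key, in the spirit of rwtotal."""
    agg = defaultdict(lambda: [0, 0, 0])
    for f in flows:
        row = agg[key(f)]
        row[0] += 1
        row[1] += f.packets
        row[2] += f.bytes
    return {k: tuple(v) for k, v in agg.items()}


def flows_per_bin(flows, key=by_proto_port):
    """Count flows per (key, time bin), in the spirit of rwcount: {key: {bin: n}}."""
    table = defaultdict(lambda: defaultdict(int))
    for f in flows:
        table[key(f)][f.start // BIN_SECONDS] += 1
    return table


def detect_bursts(series, k=3.0, ratio=2.0, min_baseline=3):
    """Periodic check of one key's per-bin counts against its own history.

    A bin is flagged when its count exceeds max(mean + k*stddev, ratio*mean)
    of the earlier, unflagged bins; flagged bins are kept out of the baseline
    so a sustained flood does not raise its own threshold. Returns a list of
    (bin, count, threshold). Needs min_baseline clean bins first (assumed rule).
    """
    alerts, history = [], []
    for b in sorted(series):
        count = series[b]
        if len(history) >= min_baseline:
            base = mean(history)
            threshold = max(base + k * pstdev(history), ratio * base)
            if count > threshold:
                alerts.append((b, count, threshold))
                continue
        history.append(count)
    return alerts


def constructed_flows():
    """Seven quiet minutes of web and DNS traffic, plus a burst of tiny TCP
    flows to port 80 from many sources in minute 6 (constructed sample)."""
    flows = []
    for minute in range(7):
        for i in range(4):   # 4 TCP flows/min to a web server
            flows.append(Flow(minute * 60 + i * 10, f"10.0.0.{i + 1}",
                              "192.0.2.10", 6, 80, 20, 4000))
        for i in range(2):   # 2 UDP flows/min to a resolver
            flows.append(Flow(minute * 60 + i * 20 + 5, f"10.0.0.{i + 1}",
                              "192.0.2.53", 17, 53, 2, 200))
    for i in range(60):      # burst: 60 single-packet flows in minute 6
        flows.append(Flow(6 * 60 + i, f"198.51.100.{i}",
                          "192.0.2.10", 6, 80, 1, 60))
    return flows


def run(flows=None):
    """Return {key: alerts} for every key that produced at least one alert."""
    flows = constructed_flows() if flows is None else flows
    found = {}
    for key, series in flows_per_bin(flows).items():
        alerts = detect_bursts(series)
        if alerts:
            found[key] = alerts
    return found


if __name__ == "__main__":
    for key, (n, pkts, byts) in sorted(totals(constructed_flows()).items()):
        print(f"proto={key[0]} dport={key[1]} flows={n} packets={pkts} bytes={byts}")
    for key, alerts in run().items():
        for b, count, thr in alerts:
            print(f"ALERT proto={key[0]} dport={key[1]} bin={b} flows={count} threshold={thr:.1f}")
```

On the constructed sample the DNS series stays flat and produces nothing, while the port 80 series is flagged in bin 6 (64 flows against a threshold of 8). The two knobs `k` and `ratio` are exactly the kind of parameters the abstract says must be tuned: a baseline with zero variance makes `mean + k*stddev` collapse to the mean, which is why the example also enforces a minimum ratio before raising a warning.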
Keywords/Search Tags: NetFlow, nProbe, SiLK, traffic statistics, anomaly detection, monitoring model, periodic and aperiodic examination algorithm