
Research And Development Of Network Traffic Anomaly Detection And Isolation System

Posted on: 2006-01-13
Degree: Master
Type: Thesis
Country: China
Candidate: S Liang
Full Text: PDF
GTID: 2208360155966857
Subject: Computer application technology
Abstract/Summary:
As computer networks grow in scale and spread into more application fields, the network has come to play an important role in people's daily work and life. At the same time, growing network complexity and heterogeneity mean that viruses spreading over the network and other malicious behaviour keep increasing, which seriously degrades network capacity and disrupts normal network operation. How to keep the network functioning and give users a sound network environment has therefore become a research issue.

This thesis presents the design and application of a network traffic anomaly detection and isolation system for a campus network, running on the Windows operating system. The system distinguishes and identifies several typical anomalies in the traffic of individual hosts and of the network as a whole, and can also check whether network devices and physical links are operating normally. It is an important part of the campus network integrated management system. It is developed in Delphi and integrates an embedded MySQL database and the TinyWeb web server, so no separate database or web server is required; this makes it easy to configure, extend, manage and port.

The real-time network traffic anomaly detection and isolation system described in this thesis consists of five functional modules: traffic collection, traffic statistics, traffic anomaly detection, abnormal host isolation, and the graphical user interface. The traffic collection module captures network packets promptly and efficiently and hands them to the traffic statistics module for processing. Collection is implemented by a Snoop module built on WinPcap; captured packets are placed in separate buffer queues, from which the traffic statistics module reads them. The traffic anomaly detection module carries out the detection tasks and is the core of the system.

The system introduces the concept of a normal network baseline, which embodies the various norms reflecting normal network behaviour and natural capacity, and detects network anomalies by comparing observed traffic against this baseline. A traffic statistics model based on the AR (autoregressive) model is also built to handle time-dependent traffic anomalies. Hosts found to be abnormal are handled by the abnormal host isolation module, which alerts the administrator and can automatically cut off the network link to the abnormal host. The system is managed over the web and accessed through a GUI, which presents detection reports to the manager and receives commands from the manager.
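The baseline-plus-AR detection and the abnormal-host isolation described above, as an added example in Python that is not the thesis's Delphi code. It assumes the collection and statistics modules have already reduced traffic to packets-per-interval for each host, fits an AR(2) model with an intercept by least squares on a baseline window, alerts when the one-step forecast residual exceeds the larger of three baseline residual standard deviations and a 40-packet floor, and simulates "cutting off the link" with a block list. The AR order, the k=3 multiplier, the 40-packet floor, the host addresses and all traffic counts are constructed assumptions, not values from the thesis.

```python
"""Normal-baseline + AR(p) traffic anomaly detection with host isolation.

Added example; not the thesis's code. Assumptions: traffic has already been
reduced to packets-per-interval per host, and isolation is simulated with a
block list instead of a real link cut.
"""
from statistics import pstdev


def constructed_counts(n, base=120, seed=1):
    """Constructed sample: packets/interval = base plus deterministic LCG noise in [-10, 10]."""
    state, out = seed, []
    for _ in range(n):
        state = (1103515245 * state + 12345) % 2**31
        out.append(base + ((state >> 16) % 21) - 10)
    return out


def solve(a, b):
    """Solve the small dense system a·x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        if abs(m[col][col]) < 1e-12:
            raise ValueError("singular normal equations; baseline window too uniform")
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def fit_ar(series, p):
    """Least-squares AR(p) with intercept: x_t ≈ c + Σ a_i·x_{t-i}. Returns [c, a_1, ..., a_p]."""
    rows = [[1.0] + [float(series[t - i]) for i in range(1, p + 1)] for t in range(p, len(series))]
    ys = [float(series[t]) for t in range(p, len(series))]
    k = p + 1
    xtx = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    xty = [sum(r[i] * y for r, y in zip(rows, ys)) for i in range(k)]
    return solve(xtx, xty)


def predict(coef, history):
    """One-step AR forecast from the p most recent samples (history[-1] is the newest)."""
    p = len(coef) - 1
    return coef[0] + sum(coef[i] * history[-i] for i in range(1, p + 1))


class HostDetector:
    """Normal-baseline + AR residual detector for one host's packet counts."""

    def __init__(self, baseline, p=2, k=3.0, min_abs=40):
        self.coef = fit_ar(baseline, p)
        resid = [baseline[t] - predict(self.coef, baseline[:t]) for t in range(p, len(baseline))]
        # Threshold: k standard deviations of the baseline residual, but never below
        # min_abs packets, so a very quiet baseline does not alert on trivial jitter.
        self.threshold = max(k * pstdev(resid), min_abs)
        self.history = [float(v) for v in baseline[-p:]]

    def observe(self, count):
        """Return (is_anomalous, residual). An anomalous sample is NOT fed into the AR
        history; the forecast is kept instead, so one spike does not poison later forecasts."""
        pred = predict(self.coef, self.history)
        resid = count - pred
        anomalous = abs(resid) > self.threshold
        self.history = self.history[1:] + [pred if anomalous else float(count)]
        return anomalous, resid


class Isolator:
    """Abnormal-host isolation module: record an alert, then cut the host off (simulated)."""

    def __init__(self):
        self.alerts, self.blocked = [], set()

    def isolate(self, interval, host, count, resid):
        self.alerts.append((interval, host, count, round(resid, 1)))
        self.blocked.add(host)  # a real deployment would disable the port or push an ACL (assumption)


def run(detectors, traffic):
    """traffic: one {host: packets} dict per interval. Returns the Isolator with alerts/blocked."""
    iso = Isolator()
    for t, counts in enumerate(traffic):
        for host, n in counts.items():
            if host in iso.blocked:
                continue
            anomalous, resid = detectors[host].observe(n)
            if anomalous:
                iso.isolate(t, host, n, resid)
    return iso


def demo():
    """Two constructed hosts; the second emits a worm-style burst at interval 7."""
    hosts = {"10.1.2.3": constructed_counts(60, seed=1), "10.1.2.4": constructed_counts(60, seed=2)}
    detectors = {h: HostDetector(b) for h, b in hosts.items()}
    live = {h: constructed_counts(20, seed=9 + i) for i, h in enumerate(hosts)}
    live["10.1.2.4"][7] = 900  # constructed burst: ~7x the baseline rate
    traffic = [{h: live[h][t] for h in hosts} for t in range(20)]
    return run(detectors, traffic)


if __name__ == "__main__":
    result = demo()
    print("alerts:", result.alerts)
    print("blocked:", sorted(result.blocked))
```

Running the block alerts once, at interval 7 for 10.1.2.4, and blocks only that host; 10.1.2.3 stays within its threshold throughout. Two practical details are worth noting: the absolute floor on the threshold keeps a detector trained on an idle host from alerting on a handful of packets, and replacing a flagged sample with its forecast in the AR history prevents the spike itself from driving the next forecast up and producing a string of follow-on alerts.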
Keywords/Search Tags: Anomaly detection, AR model, Snoop, Network baseline, Anomaly isolation