
Design And Implementation Of The Flow Monitoring System Based On NetFlow

Posted on: 2020-11-05
Degree: Master
Type: Thesis
Country: China
Candidate: K X Zhang
GTID: 2518306104995499
Subject: Software engineering
Abstract/Summary:
Since China first connected to the Internet, the scale of its network has grown rapidly and the types of network traffic have kept increasing. With this growth, criminals exploit the concealment the network offers to damage the network environment, using destructive traffic to attack normal networks or hosts and causing various network security problems. How to identify abnormal traffic and respond to it has become a hot research topic in network security. To address these problems, this paper designs and implements a NetFlow-based flow monitoring system that monitors and analyzes the traffic data in the network and performs simple control operations on abnormal traffic based on the analysis results. The paper first studies the NetFlow protocol and compares it with other traffic protocol formats to explain the advantages of using NetFlow. Based on the NetFlow protocol, a traffic collection module, an analysis module and a control module are designed. The collection module collects flow data and displays the collected data. The analysis module uses DPI technology, a rule set and the LDA topic model algorithm to analyze the collected traffic data. The DPI technology identifies the type of the application-layer protocol. The rule set performs single-packet and multi-packet analysis on the traffic and can identify certain single-packet attacks and large-scale packet attacks in the network, such as Fraggle and SYN-Flood attacks. Using the LDA topic model for abnormal traffic analysis is an approach attempted by the Apache Spot open source project. Through research on the Apache Spot project, the usage and process of the LDA topic model are summarized, and this method is used as part of the traffic analysis module. The collection and analysis modules together yield suspicious traffic information. The flow control module can perform simple control operations on these suspicious flows, mainly rate limiting, blocking and blacklisting. Testing shows that the system can collect and display the traffic data of a specified host, can detect common attack traffic through rule-set analysis, and can analyze the abnormal traffic in the data set provided by the Apache Spot community. Finally, these abnormal flows can be controlled with simple operations.
Keywords/Search Tags:Flow monitoring, NetFlow, DPI technology, LDA topic model
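
The rule-set analysis described in the abstract (a single-flow check for Fraggle and a multi-flow check for SYN flood) can be illustrated over NetFlow-style records; this is an added example, not code from the thesis. The record layout, the monitored subnet, the Fraggle port list and the SYN-only threshold are assumptions made for the illustration, and the sample flows are constructed.

```python
import ipaddress
from collections import Counter, namedtuple

# Simplified flow record with a subset of NetFlow v5 fields (tcp_flags is the
# cumulative OR of the TCP flags seen in the flow).
Flow = namedtuple("Flow", "src dst proto dport tcp_flags")

UDP, TCP = 17, 6
SYN = 0x02
# Assumptions for this example: the monitored subnet, the UDP services that
# Fraggle abuses (echo/7, chargen/19), and the SYN-only flow threshold.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
FRAGGLE_PORTS = {7, 19}
SYN_ONLY_THRESHOLD = 5


def is_fraggle(flow):
    """Single-flow rule: UDP echo/chargen aimed at a subnet broadcast address."""
    if flow.proto != UDP or flow.dport not in FRAGGLE_PORTS:
        return False
    dst = ipaddress.ip_address(flow.dst)
    return any(dst == net.broadcast_address for net in LOCAL_NETS)


def syn_flood_targets(flows, threshold=SYN_ONLY_THRESHOLD):
    """Multi-flow rule: destinations receiving many flows that carry only SYN."""
    syn_only = Counter(f.dst for f in flows if f.proto == TCP and f.tcp_flags == SYN)
    return {dst: n for dst, n in syn_only.items() if n >= threshold}


def analyze(flows):
    """Apply both rules to one collection window and return the alerts."""
    alerts = [("fraggle", f.src, f.dst) for f in flows if is_fraggle(f)]
    alerts += [("syn_flood", None, dst) for dst in sorted(syn_flood_targets(flows))]
    return alerts


# Constructed sample window (documentation address ranges, not real traffic).
SAMPLE = (
    [Flow("198.51.100.9", "192.0.2.255", UDP, 7, 0)]          # broadcast echo
    + [Flow("198.51.100.9", "192.0.2.20", UDP, 53, 0)]        # ordinary DNS
    + [Flow(f"203.0.113.{i}", "192.0.2.10", TCP, 80, SYN) for i in range(1, 9)]
    + [Flow("198.51.100.7", "192.0.2.10", TCP, 80, 0x1B)]     # completed session
)

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```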