
Malicious Code Detection Based on Flow Features

The Detection of Malicious Code Based on Flow Feature

【Author】 王子龙 (Wang Zilong)

【Supervisor】 王劲松 (Wang Jinsong)

【Author information】 Tianjin University of Technology, Computer Application Technology, 2010, Master's thesis

【Abstract (translated from Chinese)】 With the rapid development of Internet technology, network devices and computers have penetrated government agencies, enterprises and countless households, and our dependence on computer networks grows by the day. At the same time, many computer users, and even network administrators, have weak security awareness and cannot effectively protect their own hosts and networks. Network threats emerge endlessly and constantly change form, seriously endangering the security of computer networks. Ensuring that security is a challenging task. Bots and trojans, computer viruses and worms are the malicious code most commonly found in today's networks. Traditional detection methods based on the application-layer Payload cannot detect encrypted Payloads or newly emerging malicious code, cannot keep up with Gbit/s traffic rates, and cannot retain historical data for long periods. They also usually require a great deal of prior knowledge, so with malicious code being updated as quickly as it is today, such methods lag noticeably. This thesis therefore proposes a flow-feature-based malicious code detection method that compensates well for these shortcomings. Moreover, flow export is a standard (RFC 3917) already supported by many network equipment vendors, so experiments can be run in a real environment. By collecting, aggregating and analysing the NetFlow data exported by the core routing switch of the campus network, the thesis identified the flow features of more than ten kinds of network vulnerability scans, three worms and one bot/trojan, as well as some anomalous flow features that cannot yet be characterised. In addition, the thesis implemented graphical flow-feature statistics, including the distribution of common protocols, TOP N hosts by bidirectional traffic, TOP N hosts by outbound SYN connections, campus-wide TCP_flag statistics and real-time campus traffic. Aggregating the data from several angles and displaying it graphically makes it much easier to see when anomalous traffic appears on the campus network, and further analysis of the flow data can determine what kind of anomalous traffic it is. Experiments in a real environment show that flow-feature-based malicious code detection is feasible and effectively compensates for the shortcomings of application-layer Payload detection.

【Abstract】 With the rapid development of Internet technology, network equipment and computers have penetrated deeply into government offices, businesses and families. At the same time, many computer users and even network administrators are weak in security and cannot protect their hosts and networks effectively. What is more, the threats to networks are becoming more and more serious. How to ensure the security of computer networks is a challenging task. Botnets, viruses and worms are the malicious code found in current networks. The traditional method based on the application-layer Payload cannot detect encrypted Payloads, cannot discover newly emerging malicious code, cannot detect at Gbit/s rates and cannot preserve historical data for a long time. It often requires significant prior knowledge of malicious code, and with today's fast updating of malicious code the method lags noticeably. In this paper, we propose the detection of malicious code based on flow features, which can make up for those deficiencies; as a standard (RFC 3917), flow export has been supported by a number of network equipment vendors, so this method can be experimented with in a real environment. The NetFlow data used in this paper is collected from the core router of the campus network. By analyzing the data, we find more than ten kinds of network vulnerability scans, three kinds of worms, one kind of botnet, and other abnormal flow features that we cannot yet characterize. In addition, we implement graphical flow-feature statistics, including the distribution of commonly used protocols, the host two-way traffic TOP N, the host external SYN connection TOP N, campus network TCP_flag bit statistics, campus real-time traffic and so on. From the results, we can find out when an exception occurred in the campus network and can further analyze the flow data to determine what kind of abnormal traffic it is. In this paper, real-environment experiments show that the detection of malicious code based on flow features is feasible and can effectively compensate for the deficiencies of the Payload detection method based on the application layer.
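The flow statistics the abstract lists (protocol distribution, TOP N hosts by bidirectional traffic, TOP N hosts by outbound SYN connections, TCP flag counts) and the scan/worm flow feature they expose, as an added Python example that is not part of the thesis; the NetFlow-style records, flag bit values and thresholds are constructed assumptions:

```python
from collections import Counter, defaultdict

# Constructed NetFlow v5-style records (not real campus data). tcp_flags is the
# cumulative OR of the TCP flag bits seen over the flow, as a router exports it.
SYN, ACK, RST, FIN = 0x02, 0x10, 0x04, 0x01
FLOWS = [
    # (src, dst, proto, sport, dport, tcp_flags, packets, bytes)
    ("10.1.1.5", "10.1.2.9", 6, 51000, 80, SYN | ACK | FIN, 12, 9000),
    ("10.1.2.9", "10.1.1.5", 6, 80, 51000, SYN | ACK | FIN, 10, 120000),
    ("10.1.1.7", "10.1.3.1", 17, 53011, 53, 0, 1, 80),
] + [
    # one host sweeping TCP/445 across a /24: one-packet SYN-only flows, never answered
    ("10.1.1.20", f"10.1.9.{i}", 6, 40000 + i, 445, SYN, 1, 48) for i in range(1, 61)
]

def protocol_distribution(flows):
    """Flow count per IP protocol (the 'common protocol distribution' chart)."""
    names = {1: "ICMP", 6: "TCP", 17: "UDP"}
    return Counter(names.get(f[2], str(f[2])) for f in flows)

def tcp_flag_stats(flows):
    """Per-flag counts over TCP flows (a flow carrying several flags counts under each)."""
    c = Counter()
    for f in flows:
        if f[2] == 6:
            c.update(n for n, bit in (("SYN", SYN), ("ACK", ACK), ("RST", RST), ("FIN", FIN)) if f[5] & bit)
    return c

def top_traffic_hosts(flows, n=5):
    """TOP N hosts by bidirectional bytes (sent + received)."""
    total = Counter()
    for f in flows:
        total[f[0]] += f[7]
        total[f[1]] += f[7]
    return total.most_common(n)

def top_syn_sources(flows, n=5):
    """TOP N hosts by outbound SYN-only TCP flows (SYN set, ACK never seen): (src, flows, distinct dsts)."""
    count, dsts = Counter(), defaultdict(set)
    for f in flows:
        if f[2] == 6 and f[5] & SYN and not f[5] & ACK:
            count[f[0]] += 1
            dsts[f[0]].add(f[1])
    return [(src, c, len(dsts[src])) for src, c in count.most_common(n)]

def scanner_candidates(flows, min_flows=50, min_dsts=30):
    """Sources whose SYN-only flows fan out to many distinct hosts: the scan/worm flow feature.
    Thresholds are assumed values, to be tuned against the site's own baseline."""
    return [src for src, c, d in top_syn_sources(flows, n=None) if c >= min_flows and d >= min_dsts]
```

A normal client shows SYN together with ACK/FIN in its flows, while a scanning or worm-infected host leaves a long tail of single-packet SYN-only flows to many destinations, which is what the last two functions surface.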

【Keywords (translated from Chinese)】 Malicious code; Flow feature; NetFlow; Anomaly
【Key words】 Malware; Flow Feature; NetFlow; Abnormal