
Discovery and Detection of Large-scale DDoS and Worm Attacks

Research on Finding and Detecting Attack for Large-scale DDoS & Worm

【Author】 康秋生 (Kang Qiusheng)

【Supervisor】 杨永田 (Yang Yongtian)

【Author information】 Harbin Engineering University, Computer Application Technology, 2006, Master's thesis

【Abstract (translated from the Chinese)】 Because the Internet has penetrated every industry sector, the application areas of the related network information technologies involve many large, critical business systems, such as party and government information systems, financial business systems and enterprise commerce systems. But while countries around the world depend heavily on the Internet, malicious attacks against large-scale networks, chiefly DDoS (Distributed Denial of Service) and worm attacks, have become a major security threat on the Internet, and almost every outbreak of this kind of anomalous event causes huge economic losses to society as a whole. Therefore, to safeguard network security, detection and early warning of large-scale DDoS and worm attacks is essential. This thesis first surveys the state of research on large-scale network anomalies, analyses the main domestic and foreign research topics and product technologies, points out their shortcomings, and gives directions for improvement and further research. Next, it analyses the system's functional requirements and, based on them, presents the overall design, including the detection approach adopted, the system architecture and the physical deployment. It then describes in detail the workflow for large-scale anomaly detection based on network data flows, including the processing of flow data, the anomaly discovery mechanism and the correlation and fusion of alert information, and gives the key algorithms and techniques that implement each function. The system uses a flow-based anomaly discovery algorithm with multiple detection models to monitor a large-scale network; it can handle sudden changes in the network quickly and effectively, and not only identifies the anomaly source but also provides detailed information about the anomaly, including network traffic, anomaly event type, attack start time, duration, attack importance and confidence. At the same time, the system correlates the generated alerts, fusing information from multiple sensors to handle anomalous behaviour in the network at a higher level, processing duplicate alerts and the multiple different alerts belonging to one attack event. Finally, the thesis describes the system's management configuration and testing method and, from the test data, concludes that the system can effectively detect large-scale network anomalies and meets the project requirements.

【Abstract】 As the Internet has been widely applied in many domains, especially in network information technology, essential large-scale networks such as party and government information systems, financial operational systems and enterprise commerce systems now depend on it. While countries around the world rely heavily on the Internet, large-scale abnormal events, mostly caused by DDoS (Distributed Denial of Service) and worm attacks, have become a main security threat. Nearly every outbreak of this kind of abnormal event inflicts huge economic losses on society as a whole. Therefore, in order to safeguard network security, research on detecting and early discovery of large-scale DDoS and worm attacks is extremely essential. This thesis first introduces the latest research on large-scale network abnormal events, analyses the main domestic and foreign technologies and products for DDoS and worm detection, points out their insufficiencies, and gives directions for improvement and research. It then analyses the functional requirements of the system and produces the overall design according to them, including the detection and discovery method adopted, the system structure, the physical deployment and so on. The thesis describes the implementation of the large-scale abnormality detection system based on network data streams: network data stream processing, the abnormal-detection mechanism, the correlation of alarm information and so on, and provides the key functions and essential algorithms of the implementation. The system detects abnormal events based on the data stream, adopts two kinds of detection model, can monitor a large-scale network, and processes sudden network changes rapidly and effectively.
The system submits messages over the network, for example providing warning information to the management platform; it can provide not only various information about an event, such as its time, but also the network data flow, the abnormal event type, the source information, the duration of the attack, its importance and its confidence, and so on. At the same time, the system correlates alarm information from different sensors, provides abnormal information for the whole network through high-level processing, and removes duplicate alarms and the various alarms raised by different steps of the same event. Finally, the thesis presents the system management method and the system test; according to the test data, it concludes that the system can effectively detect and discover large-scale network abnormal behaviour and conforms to the system requirements.

  • 【CLC number】 TP393.08
  • 【Cited by】 3
  • 【Downloads】 212