Abstract note: |
The Internet has become an indispensable part of today's society. Beyond the traditional function of publishing information, a wide range of innovative applications that were unimaginable in the past are continually being developed. As this technology advances, however, many negative effects that we could not previously imagine have also emerged, and malicious network attacks are among the issues that most deserve our attention. In recent years many research and statistical reports have shown that malicious network attacks have caused serious losses to many enterprises. More worrying still, the techniques used in these attacks keep evolving, while most current network defence mechanisms rely on signatures of attacks that already exist and pay less attention to new and unknown attack methods, so most current detection systems cannot defend well against unknown attacks. Moreover, today's networks are far larger and faster than before, so when an unknown anomalous event or a new type of attack occurs on the network, large-scale damage may already have been done before the defence system is updated. In view of this, this study consolidates 11 representative traffic variables derived from NetFlow and proposes a detection method based on a multivariate normal model, using statistical techniques to build a behavioural profile of normal network traffic in order to detect anomalous or malicious activity on the network. Over a long period we collected normal traffic data from an academic network and built a fast detection system on the live network; the proposed detection model was validated against 8 known types of network attacks and anomalous events, and it responded well when malicious network attacks occurred. We hope the results of this study will give network administrators more, and more important, evidence for judging anomalous events when new types of network attacks are launched in the future.

The Internet has become an important platform in the modern world: beyond the traditional use of sharing information with other users, many innovative applications are being deployed. However, the rapid development of Internet technology also has many negative effects, and among them the impact of malicious network attacks is one of the issues people care about most. Many studies have reported that network attacks have caused serious damage to many enterprises in recent years. More worrying still, new Internet attack techniques continue to emerge. The major intrusion-prevention methods use signatures of existing attacks as training examples; such systems can detect existing attack methods but perform poorly at detecting new or unknown malicious behaviour on the Internet. Moreover, network bandwidth and the reach of the Internet have grown far beyond what they were in the past, so a new, unknown attack or anomalous event can cause serious damage. This research generalizes 11 typical network traffic variables from NetFlow traffic data and proposes a new network attack detection module based on a multivariate normal distribution model.
This statistical technique builds a profile of normal network traffic behaviour for detecting malicious network attacks and anomalous events in real time. We collected normal network traffic data over a long period and built a detection system, and used 8 existing network attack methods and anomalous events to evaluate the performance of the detection module. When malicious network attacks occur, the module performs well. We hope the results of this research help network security managers detect new kinds of malicious Internet events quickly and effectively. |
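The multivariate normal profile described above, as an added example that is not code from the thesis: it fits a mean vector and sample covariance to constructed per-interval NetFlow feature rows and scores new intervals by squared Mahalanobis distance against a chi-square cut-off. The three feature names, the baseline values and the threshold are assumptions, since the thesis's 11 variables and its thresholds are not listed on this page.

```python
# Added example: multivariate-normal profile of per-interval NetFlow
# features with squared Mahalanobis distance as the anomaly score. All
# feature names and numbers below are constructed for illustration.

# Constructed baseline of "normal" intervals, one row per time window:
# (flow count, mean packets per flow, distinct destination ports).
BASELINE = [
    (120, 14.0, 35), (130, 13.5, 40), (125, 15.2, 38), (118, 14.8, 33),
    (135, 13.9, 42), (128, 14.4, 37), (122, 15.0, 36), (131, 13.7, 41),
]

# Assumed cut-off: chi-square 0.99 quantile with 3 degrees of freedom,
# since D^2 of a normal observation under the fitted model is ~ chi^2(d).
THRESHOLD = 11.345

def invert(m):
    """Gauss-Jordan inverse of a small square matrix (list of lists)."""
    n = len(m)
    a = [row[:] + [1.0 if i == j else 0.0 for j in range(n)]
         for i, row in enumerate(m)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[pivot] = a[pivot], a[col]
        p = a[col][col]
        if abs(p) < 1e-12:  # redundant features make the covariance singular
            raise ValueError("singular covariance; drop a redundant feature")
        a[col] = [v / p for v in a[col]]
        for r in range(n):
            if r != col:
                f = a[r][col]
                a[r] = [rv - f * cv for rv, cv in zip(a[r], a[col])]
    return [row[n:] for row in a]

def fit_profile(rows):
    """Estimate mean vector and inverse sample covariance from normal traffic."""
    n, d = len(rows), len(rows[0])
    mean = [sum(r[j] for r in rows) / n for j in range(d)]
    cov = [[sum((r[i] - mean[i]) * (r[j] - mean[j]) for r in rows) / (n - 1)
            for j in range(d)] for i in range(d)]
    return mean, invert(cov)

def mahalanobis_sq(x, profile):
    """Squared Mahalanobis distance of one interval's features from the profile."""
    mean, inv_cov = profile
    diff = [xi - mi for xi, mi in zip(x, mean)]
    return sum(diff[i] * inv_cov[i][j] * diff[j]
               for i in range(len(diff)) for j in range(len(diff)))

def is_anomalous(x, profile, threshold=THRESHOLD):
    """Flag an interval whose distance from the normal profile exceeds the cut-off."""
    return mahalanobis_sq(x, profile) > threshold
```

The covariance ties the features together, so an interval whose port count is out of proportion to its flow count scores high even when each value alone stays within its usual range.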