Thesis record 110522044: details
Author: Syue-Ren Sun (孫學任)    Department: Computer Science and Information Engineering
Title: YuChi Monitoring System: Rule-based Enterprise Network Traffic Monitoring and Management (尉遲監控系統:基於規則的企業網路流量監控與管理)
Related theses
★ USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm
★ Discoverer: A Real-time Rootkit Detection System
★ A Detection and Defense Mechanism for Fraudulent SMS on Android Phones
★ SRA System: Defending Against ARP Spoofing That Hijacks Routers
★ A Solution for Detecting and Defending ARP Spoofing on Virtual Machines
★ An Automated Real-time Counterattack System Against Remote Buffer Overflow Attacks
★ Real-time Serum System: An Automated Worm-Curing System with an Offensive Barrier
★ DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection
★ TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks
★ A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection
★ Shark: Phishing Information Recycling from Spam Mails
★ FFRTD: Beat Fast-Flux by Response Time Differences
★ Antivirus Software Shield against Antivirus Terminators
★ MAC-YURI: My ACcount, YoUr ResponsIbility
★ KKBB: Kernel Keylogger Bye-Bye
★ CIDP Treatment: An Innovative Mobile Botnet Covert Channel based on Caller IDs with P8 Treatment
Full text: available in the system from 2028-09-30 (embargoed until then)
Abstract: With the proliferation of cloud technology and the rise of remote work, the corporate network environment has become more complex, and the accompanying security risks have grown. This study designs and implements a rule-based deep packet inspection (DPI) traffic monitoring system named the "YuChi Monitoring System" (尉遲監控系統). Its objectives are to monitor the local network, analyze packet features, store and display all traffic information, provide a rule audit system over traffic features, and provide alerting. Experiments with internal network attacks were conducted, and the system detected the attack scenarios of malicious DNS requests, SMB brute-force attacks, and ARP spoofing. The system ran stably over extended periods of operation and showed good service performance. During development we improved the NFStream open-source project; after a pull request was submitted to the project maintainer, the change was merged. The YuChi Monitoring System gives administrators a network traffic monitoring system that strengthens the security protection of corporate networks.
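The rule audit the abstract describes, shown as an added example rather than the thesis's or NFStream's own code: one rule per attack scenario (malicious DNS request, SMB brute force, ARP spoofing) run over flow and ARP records. The `Flow` and `ArpReply` record shapes, the domain blocklist, the port-445 burst threshold and window, and the sample data are all assumptions constructed for this example; in a deployment the flow records would come from the flows a DPI engine such as NFStream emits.

```python
# Added example: a minimal rule audit over flow records, in the spirit of the
# rule-based checks the thesis describes. It is not the YuChi system's code and
# does not use NFStream; the record shapes, thresholds, blocklist and sample
# data below are assumptions made for this example.
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    ts: float           # flow start time, seconds (hypothetical field)
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str          # "tcp" or "udp"
    app: str            # application label a DPI engine would assign, e.g. "DNS", "SMB"
    dns_name: str = ""  # queried name, DNS flows only


@dataclass
class ArpReply:
    ts: float
    ip: str             # sender protocol address
    mac: str            # sender hardware address


# Hypothetical blocklist of known-bad domains (constructed for the example).
DNS_BLOCKLIST = {"c2.example", "evil.example"}


def rule_malicious_dns(flows):
    """Flag DNS flows whose queried name, or any parent domain of it, is blocklisted."""
    alerts = []
    for f in flows:
        if f.app != "DNS" or not f.dns_name:
            continue
        labels = f.dns_name.lower().rstrip(".").split(".")
        # check "a.b.c", then "b.c", then "c", so subdomains of a listed domain match too
        for i in range(len(labels)):
            if ".".join(labels[i:]) in DNS_BLOCKLIST:
                alerts.append(("malicious_dns", f.src_ip, ".".join(labels)))
                break
    return alerts


def rule_smb_bruteforce(flows, window=60.0, threshold=10):
    """Flag a source that opens >= threshold TCP/445 flows to one host within `window` seconds."""
    starts = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.dst_port == 445:
            starts[(f.src_ip, f.dst_ip)].append(f.ts)
    alerts = []
    for (src, dst), times in starts.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:  # slide the window forward
                lo += 1
            if hi - lo + 1 >= threshold:
                alerts.append(("smb_bruteforce", src, dst))
                break
    return alerts


def rule_arp_spoof(replies):
    """Flag an IP that is later claimed by a MAC different from the one first seen for it."""
    first_mac = {}
    reported = set()
    alerts = []
    for r in sorted(replies, key=lambda r: r.ts):
        mac = r.mac.lower()
        known = first_mac.setdefault(r.ip, mac)
        if mac != known and (r.ip, mac) not in reported:
            reported.add((r.ip, mac))  # one alert per conflicting (ip, mac) pair
            alerts.append(("arp_spoof", r.ip, f"{known} -> {mac}"))
    return alerts


def audit(flows, replies):
    """Run every rule and return the combined alert list."""
    return rule_malicious_dns(flows) + rule_smb_bruteforce(flows) + rule_arp_spoof(replies)


# Constructed sample data: a benign lookup, a lookup for a blocklisted subdomain,
# three spaced-out SMB sessions, a 12-connection burst to port 445, and ARP
# replies that claim the gateway address with two different MACs.
SAMPLE_FLOWS = (
    [Flow(0.0, "10.0.0.7", "10.0.0.53", 53, "udp", "DNS", "www.example.com"),
     Flow(1.0, "10.0.0.7", "10.0.0.53", 53, "udp", "DNS", "www.c2.example.")]
    + [Flow(5.0 + i * 30, "10.0.0.8", "10.0.0.11", 445, "tcp", "SMB") for i in range(3)]
    + [Flow(10.0 + i * 2, "10.0.0.5", "10.0.0.10", 445, "tcp", "SMB") for i in range(12)]
)
SAMPLE_ARP = [
    ArpReply(0.0, "10.0.0.1", "aa:bb:cc:dd:ee:01"),
    ArpReply(2.0, "10.0.0.1", "DE:AD:BE:EF:00:01"),
    ArpReply(3.0, "10.0.0.1", "de:ad:be:ef:00:01"),  # repeat of the spoofed claim, no second alert
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_FLOWS, SAMPLE_ARP):
        print(alert)
```

Two caveats a practitioner would add before trusting such rules: the ARP rule treats the first MAC it sees for an address as ground truth, so it has to be seeded from a known-good state (or a static mapping) or it will trust whichever reply arrives first; and the SMB rule counts connection starts, not failed authentications, so it is a burst heuristic that would need the SMB session-setup status to separate a password sprayer from a client that legitimately reconnects often.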
Keywords
★ Deep Packet Inspection (DPI)
★ Port Mirroring
★ Traffic Classification
★ Intrusion Detection System (IDS)
Table of contents
Chinese Abstract
Abstract
List of Figures
List of Tables
Chapter 1 Introduction
Chapter 2 Background
2.1 Deep Packet Inspection
2.2 nDPI
2.2.1 Flow Risk
2.3 NFStream
2.3.1 NFPacket
2.3.2 NFlow
2.3.3 NFCache
2.3.4 NFPlugin
2.3.5 FlowMeter
2.3.6 NFStreamer
2.4 Polars
Chapter 3 Related Work
3.1 Network Security Detection
3.1.1 Zeek
3.1.2 Libprotoident
3.1.3 Suricata
3.1.4 Snort
Chapter 4 System Architecture and Implementation
4.1 Design Goals
4.2 System Architecture
4.3 System Components
4.3.1 DPI
4.3.2 Classifier
4.3.3 Frontend UI
4.3.4 Backend API
4.3.5 Database
4.3.6 Elasticsearch
4.3.7 Kibana
4.3.8 Mail Sender
Chapter 5 Experimental Results and Analysis
5.1 Experimental Environment
5.2 Attack Scenarios
5.2.1 Malicious DNS Requests
5.2.2 SMB Brute-force Attacks
5.2.3 ARP Spoofing
5.3 Performance Tests
Chapter 6 Discussion
6.1 Contribution: the NFStream Open-source Project
6.2 DPI Comparison
6.3 IDS Comparison
6.4 System Limitations
6.5 Future Work
Chapter 7 Conclusion
References
Advisor: Fu-Hau Hsu (許富皓)    Approval date: 2023-10-13
For questions about this thesis, contact the National Central University Library Extension Services Division, TEL: (03)422-7151 ext. 57407, or by e-mail.