Thesis summary (translated from the Chinese abstract)

This thesis presents two main research results: a flooding traffic detection system (FDS) and a P2P traffic measurement system that does not inspect packet payloads. The first task of the FDS is to select, for each class of flooding attack, the traffic features that serve as the basis for measurement. When forwarded flow records are fed into the system, the measurement module efficiently tallies the top-N flooding traffic, for example real-time packet flooding such as ICMP/UDP flooding, scanning/SYN flooding, and SMTP flooding. The detection module periodically sums the flooding traffic over each interval, compares it against traffic thresholds such as packet size, packet rate or flow rate, filters out the anomalous attack traffic, and automatically notifies the user or rate-limits communication from the most serious attack sources. Based on the high-frequency connection behaviour of P2P networks, this study also implements a P2P traffic measurement system without payload inspection, which helps network users and administrators identify high-volume P2P nodes and the distribution of traffic across P2P application ports. The flow-based FDS and the P2P measurement system have been deployed successfully at a TANet backbone aggregation node, where they continuously measure and detect flooding traffic, automatically e-mail users or administrators to patch infected systems, and automatically configure the backbone router to rate-limit serious flooding anomalies. Correlating the reported abuse traffic with the flooding detection results also shows that a high proportion of reported abuse hosts (including scanning/SYN flooding, spam and copyright infringement) can be found in the automatically detected anomaly list.

Abstract

In this thesis, we present two contributions: a flow-based flooding detection system (FDS) and a P2P traffic measurement system. The key idea of the FDS is to construct a set of features and corresponding criteria for each flooding behaviour of interest and to aggregate the flooding traffic on those features. The detection module then accumulates the statistical variables of interest and compares them with thresholds. Once all the variables exceed their estimated thresholds, the detector raises an anomaly alarm and triggers the response module, which notifies the owners of the anomalous systems and rate-limits significant real-time flooding traffic. The flow-based P2P traffic measurement system is built on the connection-intensive behaviour of P2P networks so that network users can see the P2P traffic and the most aggressive participants. The FDS and the P2P traffic measurement system have been deployed on an aggregation network of the TANet backbone to detect and limit significant flooding anomalies. The detection results show that a high proportion of reported abuse traffic, including port scanning, spam and copyright infringement, can be picked out from the detected anomalies and the measured aggressive P2P peers.
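The aggregate-then-threshold idea described in both abstracts, as an added example that is not the thesis' own code: per-source flow records for one measurement window are aggregated into a few features (SYN-only flow rate, ICMP/UDP packet rate and average packet size, SMTP flow rate and distinct mail targets, bidirectional peer and port counts for P2P), the top-N sources by flows and by packets become candidates, and each candidate is labelled when all criteria for a behaviour hold. The record layout, the threshold values and the sample flows are assumptions constructed for illustration; the notification and router rate-limiting steps are out of scope here.

```python
"""Flow-based flooding / P2P detector over constructed NetFlow-style records.

Added example, not the thesis' code. Feature names, thresholds and the sample
window below are assumptions chosen to illustrate the top-N aggregate and
threshold comparison; a real deployment tunes thresholds per link.
"""
from collections import defaultdict
from dataclasses import dataclass, field

SYN, ACK = 0x02, 0x10  # NetFlow tcp_flags bit values


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int  # 1=ICMP, 6=TCP, 17=UDP
    sport: int
    dport: int
    packets: int
    octets: int
    tcp_flags: int = 0  # OR of all flag bits seen in the flow


@dataclass
class HostStats:
    flows: int = 0
    packets: int = 0
    octets: int = 0
    syn_only_flows: int = 0   # SYN seen, never ACK: unanswered connection attempts
    icmp_udp_packets: int = 0
    smtp_flows: int = 0
    dsts: set = field(default_factory=set)
    dports: set = field(default_factory=set)
    smtp_dsts: set = field(default_factory=set)
    bidir_peers: set = field(default_factory=set)  # peers that also sent flows back


# Assumed thresholds for a window of `window_sec` seconds.
THRESHOLDS = dict(syn_flow_rate=50.0, syn_ratio=0.8, pkt_rate=1000.0, max_pkt_size=100,
                  smtp_flow_rate=10.0, smtp_dsts=50, p2p_peers=20, p2p_ports=20)


def aggregate(flows):
    """Fold one window of flow records into per-source feature counters."""
    stats = defaultdict(HostStats)
    inbound = defaultdict(set)  # host -> sources that sent it at least one flow
    for f in flows:
        s = stats[f.src]
        s.flows += 1
        s.packets += f.packets
        s.octets += f.octets
        s.dsts.add(f.dst)
        s.dports.add(f.dport)
        if f.proto == 6 and (f.tcp_flags & SYN) and not (f.tcp_flags & ACK):
            s.syn_only_flows += 1
        if f.proto in (1, 17):
            s.icmp_udp_packets += f.packets
        if f.proto == 6 and f.dport == 25:
            s.smtp_flows += 1
            s.smtp_dsts.add(f.dst)
        inbound[f.dst].add(f.src)
    for host, s in stats.items():
        s.bidir_peers = s.dsts & inbound[host]
    return stats


def classify(s, window_sec, t=THRESHOLDS):
    """Return the flooding / P2P labels whose criteria all hold for one source."""
    labels = []
    if (s.syn_only_flows / window_sec >= t["syn_flow_rate"]
            and s.syn_only_flows / s.flows >= t["syn_ratio"]):
        labels.append("scanning/SYN flooding")
    avg_size = s.octets / max(s.packets, 1)
    if s.icmp_udp_packets / window_sec >= t["pkt_rate"] and avg_size <= t["max_pkt_size"]:
        labels.append("ICMP/UDP flooding")
    if s.smtp_flows / window_sec >= t["smtp_flow_rate"] and len(s.smtp_dsts) >= t["smtp_dsts"]:
        labels.append("SMTP flooding")
    if len(s.bidir_peers) >= t["p2p_peers"] and len(s.dports) >= t["p2p_ports"]:
        labels.append("aggressive P2P peer")
    return labels


def detect(flows, window_sec, top_n=5):
    """Top-N sources by flows and by packets are checked; labelled ones are returned."""
    stats = aggregate(flows)
    by_flows = sorted(stats, key=lambda h: stats[h].flows, reverse=True)[:top_n]
    by_pkts = sorted(stats, key=lambda h: stats[h].packets, reverse=True)[:top_n]
    result = {}
    for host in set(by_flows) | set(by_pkts):
        labels = classify(stats[host], window_sec)
        if labels:
            result[host] = labels
    return result


def sample_flows():
    """Constructed 10-second window: four abusers, one normal client, 40 P2P peers."""
    flows = [Flow("10.0.0.5", f"198.51.{i // 256}.{i % 256}", 6, 40000 + i, 445, 1, 40, SYN)
             for i in range(600)]                                   # SYN scanner, no replies
    flows += [Flow("10.0.0.7", "203.0.113.9", 17, 50000 + i, 53, 1000, 60000)
              for i in range(20)]                                   # UDP flood, 60-byte packets
    flows += [Flow("10.0.0.9", f"198.18.{i // 256}.{i % 256}", 6, 41000 + i, 25, 10, 5000, 0x1b)
              for i in range(300)]                                  # SMTP to 300 mail servers
    for i in range(40):                                             # P2P: 40 bidirectional peers
        peer = f"100.64.1.{i + 1}"
        flows.append(Flow("10.0.0.11", peer, 6, 6881, 20000 + i, 30, 24000, 0x1a))
        flows.append(Flow(peer, "10.0.0.11", 6, 20000 + i, 6881, 25, 3000, 0x1a))
    flows += [Flow("10.0.0.20", f"203.0.113.{i % 3 + 1}", 6, 52000 + i, 443, 50, 40000, 0x1b)
              for i in range(15)]                                   # ordinary HTTPS client
    return flows


if __name__ == "__main__":
    for host, labels in sorted(detect(sample_flows(), window_sec=10).items()):
        print(host, labels)
```

Only flow-header fields are used, which is what makes the P2P measurement payload-free: a host is flagged as an aggressive peer because many distinct remote hosts both receive flows from it and send flows back on many distinct ports, not because of anything in the packets. The SYN-only test relies on the exporter ORing all flag bits into the record, so a completed connection (SYN and ACK both present) never counts as a half-open attempt.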