Design and Implementation of Insider Threats Detection System Based on NetFlow

Master's thesis, National Cheng Kung University (國立成功大學), Institute of Computer and Communication Engineering (電腦與通信工程研究所), academic year 104.

Bibliographic Details
Main Author: Chia-Cheng Tu (涂嘉成)
Other Author: Chu-Sing Yang
Format: Others
Language: English (en_US)
Published: 2016
Online Access: http://ndltd.ncl.edu.tw/handle/55583410806878010535
Record ID: ndltd-TW-104NCKU5652062
Chinese title: 設計與實作基於NetFlow之內部網路威脅偵測系統
Other Author (Chinese name): 楊竹星
Type: degree thesis (學位論文), 2016
Collection: NDLTD

Abstract

Internet technology keeps advancing with ever higher bandwidth. More and more services run on the academic network, including entertainment and education, not just research. Managing such a huge network has become a major issue for administrators. To prevent malicious use of network resources, it is important to design a system that finds the hosts in the network that behave abnormally. Although intrusion detection systems and firewalls are both well-known ways to defend a network, there is still a great chance that an attacker will compromise hosts. For example, an APT usually relies on social engineering that targets human weaknesses, and its traffic looks like normal traffic. It is hard to block, because blocking it would also block normal services such as web and mail. The same situation arises in virtual environments, and it must be faced and resolved. We may not be aware of the intrusion, but we can discover the abnormal traffic generated by the compromised hosts. Observing the traffic means there is no need to install an agent on each host; we only have to configure a router or switch to export flow data and then analyze it. Open-source tools also make it convenient to export traffic in NetFlow format. The advantage of NetFlow is that it discards the packet payload and keeps only header information. As a result, traffic can be observed per flow rather than per packet, which reduces the system load and improves efficiency. The system extracts abnormal behavior patterns from the traffic and then aggregates them to generate a list of IP addresses of suspicious hosts. The list not only lets users check their own hosts but also helps the administrator manage the network.