Abstract

This paper presents a flow analysis and monitoring system for enterprise networks based on NetFlow. The system uses a Browser/Server (B/S) architecture and separates data collection and display into two modules, which keeps responsibilities clearly demarcated and makes the system easy to deploy. The data collection module receives and parses NetFlow export packets and inserts per-flow record information into an Oracle database. The display module, a J2EE web server, fetches real-time or historical traffic information from the database and presents it to web users. Beyond these functions, the most important part of the system is an IDS. A real-time anomalous-traffic monitoring module with a stable pattern-matching algorithm, together with two intrusion detection algorithms based on traffic statistics, one using variance similarity and the other Euclidean distance, is embedded in the system to detect worms and other malicious attacks. To identify anomalous network traffic simply and effectively, a proven "join" strategy is designed alongside the two statistics-based detection algorithms. The whole IDS module runs with low computational complexity and high detection accuracy. Finally, we conduct experiments to verify the performance of our system.
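As an added illustration, not code from the paper (whose feature vectors, thresholds and exact algorithms are not given on this page), the following Python script shows the two pieces the abstract describes in the collection and IDS modules: parsing a NetFlow v5 export datagram into per-flow records with the length checks a collector needs against an untrusted exporter, and scoring one interval's traffic statistics by Euclidean distance from a baseline. The five-feature vector, the per-feature normalization, the threshold and the sample datagrams are all assumptions made here; the variance-similarity algorithm and the "join" strategy are not reproduced.

```python
"""NetFlow v5 parsing plus a Euclidean-distance traffic-statistics anomaly check.
Added example; the feature vector, normalization and threshold are assumptions,
not the paper's own algorithm."""
from __future__ import annotations
import math
import socket
import struct
from dataclasses import dataclass

# NetFlow v5 wire format: 24-byte header followed by up to 30 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")            # version, count, uptime, secs, nsecs, seq, engine, sampling
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, ifaces, pkts, octets, times, ports, ...
V5_MAX_RECORDS = 30


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int
    tcp_flags: int  # cumulative OR of the TCP flags seen in the flow


def _ip2int(ip: str) -> int:
    return int.from_bytes(socket.inet_aton(ip), "big")


def _int2ip(n: int) -> str:
    return socket.inet_ntoa(n.to_bytes(4, "big"))


def parse_netflow_v5(datagram: bytes) -> list[Flow]:
    """Parse one NetFlow v5 export datagram. The record count comes from the
    (untrusted) exporter, so it is bounded and checked against the real
    datagram length before any record is read."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > V5_MAX_RECORDS:
        raise ValueError(f"record count {count} exceeds the v5 maximum")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count exceeds datagram length")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append(Flow(src=_int2ip(r[0]), dst=_int2ip(r[1]), sport=r[9], dport=r[10],
                          proto=r[13], packets=r[5], octets=r[6], tcp_flags=r[12]))
    return flows


def build_v5_datagram(records) -> bytes:
    """Constructed test data: pack (src, dst, sport, dport, proto, pkts, octets, flags)
    tuples into a v5 datagram the way an exporter would."""
    header = V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(_ip2int(s), _ip2int(d), 0, 1, 2, pk, oc, 0, 0, sp, dp, 0, fl, pr, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, pr, pk, oc, fl in records)
    return header + body


def traffic_features(flows: list[Flow]) -> list[int]:
    """Per-interval statistics (assumed feature vector): flows, packets, octets,
    distinct destinations, and TCP flows that only ever carried SYN (never ACK),
    the signature of a scanning worm's failed connection attempts."""
    syn_only = sum(1 for f in flows if f.proto == 6 and f.tcp_flags & 0x12 == 0x02)
    return [len(flows), sum(f.packets for f in flows), sum(f.octets for f in flows),
            len({f.dst for f in flows}), syn_only]


def euclidean_anomaly_score(features: list[int], baseline: list[int]) -> float:
    """Each feature is divided by its baseline value so byte counts do not swamp
    flow counts; the score is the Euclidean distance from the baseline point (all ones)."""
    return math.sqrt(sum((x / max(b, 1) - 1.0) ** 2 for x, b in zip(features, baseline)))


THRESHOLD = 5.0  # assumed; in practice tuned from the score distribution of known-good intervals


def detect(datagram: bytes, baseline: list[int], threshold: float = THRESHOLD) -> bool:
    return euclidean_anomaly_score(traffic_features(parse_netflow_v5(datagram)), baseline) > threshold


# Constructed sample traffic (not captured data): a quiet interval and a 445/tcp scan.
NORMAL_DATAGRAM = build_v5_datagram([
    ("10.0.0.5", "93.184.216.34", 51000, 443, 6, 20, 15000, 0x1B),
    ("10.0.0.6", "93.184.216.34", 51001, 443, 6, 30, 24000, 0x1B),
    ("10.0.0.7", "10.0.0.1", 53200, 53, 17, 1, 70, 0),
    ("10.0.0.5", "10.0.0.20", 51002, 445, 6, 12, 3000, 0x1B),
    ("10.0.0.8", "10.0.0.99", 51003, 22, 6, 1, 60, 0x02),
])
SCAN_DATAGRAM = build_v5_datagram(
    [("10.0.0.5", f"10.0.1.{h}", 40000 + h, 445, 6, 1, 60, 0x02) for h in range(1, 31)])
BASELINE = traffic_features(parse_netflow_v5(NORMAL_DATAGRAM))  # [5, 64, 42130, 4, 1]

if __name__ == "__main__":
    for name, dg in (("normal", NORMAL_DATAGRAM), ("scan", SCAN_DATAGRAM)):
        score = euclidean_anomaly_score(traffic_features(parse_netflow_v5(dg)), BASELINE)
        print(f"{name}: score={score:.2f} anomalous={score > THRESHOLD}")
```

In a real collector the baseline would be the mean feature vector over many known-good intervals rather than a single one, and the parser would run on each UDP datagram as it arrives before the records are written to the database.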

Full text