| Graduate student: | 曾麒銘 Tseng, Chi-Ming |
|---|---|
| Thesis title: | 基於熵的異常網路流量偵測方法之研究 On the Study of an Entropy-based Anomaly Network Traffic Detection |
| Advisor: | 楊竹星 Yang, Chu-Sing |
| Degree: | Master |
| Department: | 電機資訊學院 (College of Electrical Engineering and Computer Science) - 電腦與通信工程研究所 Institute of Computer & Communication Engineering |
| Year of publication: | 2022 |
| Academic year of graduation: | 110 |
| Language: | Chinese |
| Pages: | 71 |
| Chinese keywords: | Entropy, NetFlow, scanning attack (掃描攻擊), brute force (暴力破解), signature (特徵) |
| Foreign-language keywords: | Entropy, NetFlow, Scanning attack, Brute force, Signature |
The rapid development of network technology has brought much convenience to our lives and has become indispensable in modern society. On the other hand, it also carries hidden risks: malicious network attacks are increasingly widespread. Some attackers use port scanning (Port Scan) for preliminary probing of hosts, some carry out brute force attacks (Brute Force) over remote access (Remote Access), some target vulnerabilities in specific services, and some even use improper means to occupy system resources such as CPU, network bandwidth and memory so that the system can no longer operate normally. With the Internet so widespread, detecting these malicious behaviors quickly and accurately has become ever more important.
This research mainly uses the properties of entropy to analyze port scanning, IP scanning, brute force attacks and flooding attacks (Flooding Flow), and proposes a method that can accurately identify such attacks from NetFlow data generated inside and outside the campus. Beyond analyzing historical data, the method can also be applied in a real network environment to analyze traffic in real time.
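As an added illustration (not code from the thesis), the core idea the abstract describes: compute the Shannon entropy of NetFlow fields per time window, learn a per-feature threshold from attack-free windows, and flag windows whose entropy of destination port, destination IP or source IP spikes as a port scan, IP scan or flooding. The mean-plus-three-sigma threshold, the rule set and all flow records are assumptions constructed for this example; the thesis's exact features and thresholds are not given on this page.

```python
import math
from collections import Counter

def entropy_bits(values):
    """Shannon entropy (bits) of the empirical distribution of the given values."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())

def window_entropies(flows):
    """Entropy of source IP, destination IP and destination port over one time window."""
    return {"src_ip": entropy_bits(f[0] for f in flows),
            "dst_ip": entropy_bits(f[1] for f in flows),
            "dst_port": entropy_bits(f[2] for f in flows)}

def fit_thresholds(baseline_windows, k=3.0):
    """Per-feature threshold mean + k*std over attack-free windows (three-sigma rule; assumption)."""
    feats = [window_entropies(w) for w in baseline_windows]
    thr = {}
    for name in ("src_ip", "dst_ip", "dst_port"):
        xs = [f[name] for f in feats]
        mean = sum(xs) / len(xs)
        std = math.sqrt(sum((x - mean) ** 2 for x in xs) / len(xs))
        thr[name] = mean + k * std
    return thr

def classify(flows, thr):
    """Label a window by which entropies exceed their thresholds (illustrative rule set)."""
    e = window_entropies(flows)
    high = {name: e[name] > thr[name] for name in thr}
    if high["dst_port"] and not high["dst_ip"]:
        return "port scan"   # one target host, many destination ports
    if high["dst_ip"] and not high["dst_port"]:
        return "ip scan"     # many target hosts, one service port
    if high["src_ip"] and not high["dst_ip"]:
        return "flooding"    # many sources converge on one target
    return "normal"

# Constructed NetFlow-like (src_ip, dst_ip, dst_port) windows; not data from the thesis.
def make_normal_window(n_clients):
    flows = []
    for i in range(n_clients):
        dst, port = ("10.0.1.10", 443) if i % 2 == 0 else ("10.0.1.11", 80)
        flows += [(f"10.0.0.{i + 1}", dst, port)] * 10
    return flows

BASELINE = [make_normal_window(n) for n in (4, 5, 6, 7, 8)]
PORT_SCAN = [("10.0.0.99", "10.0.1.10", p) for p in range(1, 201)]
IP_SCAN = [("10.0.0.99", f"10.0.1.{h}", 22) for h in range(1, 201)]
FLOOD = [(f"10.9.0.{h}", "10.0.1.10", 80) for h in range(1, 201)]
```

A single-source brute-force window drives all three entropies to zero, so it cannot be separated from one quiet client by entropy alone; a flow or packet count per source is needed alongside the entropy features.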