Practical Experiences of Building an IPFIX Based Open Source Botnet Detector

The academic study of flow-based malware detection has primarily focused on NetFlow v5 and v9. In 2013 IPFIX was ratified as the flow export standard. As part of a larger project to develop protection methods for Cloud Service Providers from botnet threats, this paper considers the challenges involved in designing an open source IPFIX based botnet detection function. This paper describes how these challenges were overcome and presents an open source system built upon Xen hypervisor and Open vSwitch that is able to display botnet traffic within Cloud Service Provider-style virtualised environments. The system utilises Euler property graphs to display suspect “botnests”. The conceptual framework presented provides a vendor-neutral, real-time detection mechanism for monitoring botnet communication traffic within cloud architectures and the Internet of Things.
