Towards real-time intrusion detection for NetFlow and IPFIX

DDoS attacks cause serious economic and technical damage to networks and enterprises. Timely detection and mitigation are therefore of great importance. However, when flow monitoring systems are used for intrusion detection, as is often the case in campus, enterprise and backbone networks, timely data analysis is constrained by the architecture of NetFlow and IPFIX. In their current architecture, the analysis is performed after certain timeouts, which generally delays intrusion detection by several minutes. This paper presents a functional extension for both NetFlow and IPFIX flow exporters that allows for timely intrusion detection and mitigation of large flooding attacks. The contribution of this paper is threefold. First, we integrate a lightweight intrusion detection module into a flow exporter, which moves detection closer to the traffic observation point. Second, our approach mitigates attacks in near real-time by instructing firewalls to filter malicious traffic. Third, we filter flow data of malicious traffic to prevent flow collectors from being overloaded. We validate our approach by means of a prototype that has been deployed on a backbone link of the Czech national research and education network CESNET.
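
To illustrate the delay described above, the following added example (not code from the paper or its prototype) simulates one long-lived flooding flow and compares when an alarm can fire on exported flow records with when it can fire on per-interval packet counters kept inside the exporter. The timeout values, bin size, threshold, addresses and function names are assumptions made for the illustration, and the simple threshold check stands in for the detection module, whose algorithm the abstract does not specify.

```python
from collections import defaultdict

ACTIVE_TIMEOUT = 300  # s, assumed exporter setting (not from the paper)
IDLE_TIMEOUT = 15     # s, assumed exporter setting
BIN = 5               # s, assumed measurement interval of the in-exporter detector
THRESHOLD_PPS = 1000  # packets/s towards one destination, assumed alarm level

def constructed_trace(end=500, flood_start=100):
    """Constructed per-second samples: (ts, flow_key, dst, packets)."""
    for ts in range(end):
        yield ts, ("198.51.100.7", "192.0.2.10", 443), "192.0.2.10", 50
        if ts >= flood_start:
            yield ts, ("203.0.113.9", "192.0.2.10", 80), "192.0.2.10", 2000

def collector_side_detection(trace):
    """Alarm only on exported flow records, i.e. after a timeout has expired."""
    cache = {}  # flow_key -> [first_seen, last_seen, packets, dst]
    for ts, key, dst, pkts in trace:
        for k, (first, last, count, _dst) in list(cache.items()):
            if ts - first >= ACTIVE_TIMEOUT or ts - last >= IDLE_TIMEOUT:
                del cache[k]                        # record leaves the exporter now
                rate = count / (last - first + 1)   # samples are one per second
                if rate > THRESHOLD_PPS:
                    return ts                       # earliest time the record is visible
        rec = cache.setdefault(key, [ts, ts, 0, dst])
        rec[1] = ts
        rec[2] += pkts
    return None

def in_exporter_detection(trace):
    """Alarm on per-destination packet counts, evaluated when each BIN closes."""
    bins = defaultdict(int)
    current = 0
    for ts, key, dst, pkts in trace:
        if ts // BIN != current:
            if any(count / BIN > THRESHOLD_PPS for count in bins.values()):
                return ts
            bins.clear()
            current = ts // BIN
        bins[dst] += pkts
    return None

if __name__ == "__main__":
    print("alarm on exported records at t =", collector_side_detection(constructed_trace()))
    print("alarm inside the exporter at t =", in_exporter_detection(constructed_trace()))
```

With the flood starting at t = 100 s, the record-based check cannot fire before the active timeout releases the flow record, while the in-exporter counter fires as soon as the first measurement interval containing the flood closes.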
