Anglia Ruskin Research Online (ARRO)

Botnet Detection in Virtual Environments Using NetFlow

conference contribution
posted on 2023-07-26, 13:37 authored by Mark Graham, Adrian Winckles, Andrew Moore
For both enterprises and service providers, the exponential growth of cloud and virtual infrastructures brings vast performance and financial benefits, but this growth has undoubtedly introduced unforeseen problems in the form of new opportunities for malware and cybercrime to flourish. Botnets could be created entirely within the cloud using virtual resources, for a myriad of purposes including DDoS-as-a-Service. This study has sought to determine whether distributed packet capture utilising mirroring technology or some form of sampling mechanism provides better performance for detecting cybercrime-style activities within virtual environments. Recommendations are for a distributed monitoring technique which can provide end-to-end monitoring capabilities while minimising the performance impact on popular adoptions of cloud or virtual infrastructures. Investigations have concentrated on distributed monitoring techniques utilising virtual network switches, looking for a proof-of-concept demonstrator in which sample Command & Control and Peer-to-Peer botnet activities can be detected utilising flow capture technologies such as NetFlow, sFlow or IPFIX. This paper demonstrates how, by inserting a monitoring function into a virtual or cloud architecture, the capture and analysis of traffic parameters using NetFlow can be used to identify the presence of an HTTP-based Command & Control botnet.

History

Publisher

Canterbury Christ Church University

Place of publication

Canterbury, UK

ISBN

97801909067158

Conference proceeding

CFET 2014 - 7th International Conference on Cybercrime Forensics Education & Training: Conference Programme & Abstracts

Name of event

7th International Conference on Cybercrime Forensics Education and Training (CFET 2014)

Location

Canterbury, UK

Event start date

2014-07-10

Event finish date

2014-07-11

File version

  • Published version

Language

  • eng

Legacy posted date

2015-06-22

Legacy creation date

2019-05-22

Legacy Faculty/School/Department

ARCHIVED Faculty of Science & Technology (until September 2018)
