Practical Experiences of Building an IPFIX Based Open Source Botnet Detector

Graham, Mark and Winckles, Adrian and Sanchez, Erika (2016) Practical Experiences of Building an IPFIX Based Open Source Botnet Detector. The Journal on Cybercrime and Digital Investigations, 1 (1). pp. 21-28. ISSN 2494-2715

Available under the following license: Creative Commons Attribution Non-commercial No Derivatives.

Official URL: https://doi.org/10.18464/cybin.v1i1.7

Abstract

The academic study of flow-based malware detection has primarily focused on NetFlow v5 and v9. In 2013 IPFIX was ratified as the flow export standard. As part of a larger project to develop protection methods for Cloud Service Providers from botnet threats, this paper considers the challenges involved in designing an open source IPFIX-based botnet detection function. This paper describes how these challenges were overcome and presents an open source system built upon the Xen hypervisor and Open vSwitch that is able to display botnet traffic within Cloud Service Provider-style virtualised environments. The system utilises Euler property graphs to display suspect “botnests”. The conceptual framework presented provides a vendor-neutral, real-time detection mechanism for monitoring botnet communication traffic within cloud architectures and the Internet of Things.

Item Type: Journal Article
Keywords: IPFIX, Cloud Detection System, Botnets, Property Graphs
Faculty: Faculty of Science & Technology
Depositing User: Lisa Blanshard
Date Deposited: 28 Nov 2018 14:50
Last Modified: 28 Nov 2018 14:50
URI: http://arro.anglia.ac.uk/id/eprint/703881
