Anglia Ruskin Research Online (ARRO)

Use of NetFlow/IPFIX Botnet Detection Tools to Determine Placement for Autonomous VMs

conference contribution
posted on 2023-07-26, 13:49 authored by Razvan-Ioan Dinita, Adrian Winckles, George Wilson
This paper describes a novel method of autonomously detecting malicious botnet behaviour within a cloud datacentre while simultaneously managing Virtual Machine (VM) placement in accordance with its findings, and presents its implementation in the Scala programming language. A key feature of this method, which uses output from NetFlow/IPFIX, both of which are capable of producing detailed network traffic logs, is its capability to detect unusual client behaviour through the analysis of individual data packet information. It has been implemented as a module of the Autonomous Management Distributed System (AMDS) presented in [Dinita, R. I. et al., 2013], giving it direct access to all the VMs and hypervisors on the cloud network. Another key feature is that it can have an immediate and effective impact on network security in a botnet attack context by issuing lockout commands to every networked VM through the AMDS. It possesses the ability to intelligently control VMware vSphere local instances based on analysis of collected data and predefined parameters. vSphere in turn, once it receives commands from the AMDS, proceeds to issue instructions to multiple locally monitored ESXi servers in order to ensure continuous security. A proof of concept has been developed and is currently running successfully on the authors’ test bed.

History

Page range

35

Publisher

Canterbury Christ Church University

Place of publication

Canterbury, UK

ISBN

97801909067158

Conference proceeding

CFET 2014 - 7th International Conference on Cybercrime Forensics Education & Training: Conference Programme & Abstracts

Name of event

7th International Conference on Cybercrime Forensics Education and Training (CFET 2014)

Location

Canterbury, UK

Event start date

2014-07-10

Event finish date

2014-07-11

File version

  • Published version

Language

  • eng

Legacy posted date

2016-07-08

Legacy creation date

2019-05-22

Legacy Faculty/School/Department

ARCHIVED Faculty of Science & Technology (until September 2018)
