A botnet needle in a virtual haystack

Graham, Mark (2017) A botnet needle in a virtual haystack. Doctoral thesis, Anglia Ruskin University.

Accepted Version
Available under the following license: Creative Commons Attribution Non-commercial No Derivatives.



The Cloud Security Alliance’s 2015 Cloud Adoption Practices and Priorities Survey reports that 73% of global IT professionals cite security as the top challenge holding back cloud services adoption. Malware capable of jumping between the abstracted virtual infrastructures found within cloud service provider networks heightens the threat of botnet attack upon a cloud infrastructure. This research project aimed to provide a novel methodological approach for capturing communication traffic between botnets. The originality of this study comes from the application of the standards-based IPFIX flow export protocol as a traffic capture mechanism. The first contribution to knowledge is a critical investigation into how IPFIX export overcomes the limitations of traditional NetFlow-based botnet communication traffic capture in cloud provider networks. The second contribution is the BotProbe IPFIX template, comprising eleven IANA IPFIX information elements. Field occupancy counts and Spearman’s rank correlation computed over 25 million botnet flows produced an IPFIX template tailored specifically for botnet traffic capture. The third contribution is BotStack, a modular, non-intrusive IPFIX monitoring framework, built upon the Xen hypervisor and virtual switched platforms, to incorporate IPFIX export into existing cloud stacks. The fourth contribution is compelling empirical evidence, from weighted-factor observation across multiple network vantage points, that siting IPFIX exporters on the host hypervisor provides maximum traffic visibility. BotProbe performs on average 26.73%±0.03% quicker than traditional NetFlow v5, with 14.06%±0.01% less storage requirements. BotProbe can be extended with additional application layer attributes for use in less privacy-sensitive environments. Both novel IPFIX templates were tested on the BotStack framework, capturing four distinct traffic profiles in the life cycle of a Zeus botnet.
The techniques developed in this research can be repurposed to create IPFIX traffic capture templates for most cybersecurity threats, including DDoS and spam, turning behaviour-based traffic capture from a big data challenge into a manageable data solution.

Item Type: Thesis (Doctoral)
Keywords: security, computer malware, IPFIX detection, NetFlow, BotProbe
Faculty: Theses from Anglia Ruskin University
Depositing User: Melissa Campey
Date Deposited: 08 Feb 2018 09:44
Last Modified: 09 Sep 2021 18:59
URI: https://arro.anglia.ac.uk/id/eprint/702723
