Practical Experiences of Building an IPFIX Based Open Source Botnet Detector

Graham, Mark and Winckles, Adrian and Sanchez, Erika (2016) Practical Experiences of Building an IPFIX Based Open Source Botnet Detector. The Journal on Cybercrime and Digital Investigations, 1 (1). pp. 21-28. ISSN 2494-2715

Published Version
Available under the following license: Creative Commons Attribution.

Download (652kB) | Preview
Official URL:


The academic study of flow-based malware detection has primarily focused on NetFlow v5 and v9. In 2013 IPFIX was ratified as the flow export standard. As part of a larger project to develop protection methods for Cloud Service Providers from botnet threats, this paper considers the challenges involved in designing an open source IPFIX based botnet detection function. This paper describes how these challenges were overcome and presents an open source system built upon Xen hypervisor and Open vSwitch that is able to display botnet traffic within Cloud Service Provider-style virtualised environments. The system utilises Euler property graphs to display suspect “botnests”. The conceptual framework presented provides a vendor-neutral, real-time detection mechanism for monitoring botnet communication traffic within cloud architectures and the Internet of Things.

Item Type: Journal Article
Keywords: IPFIX, Cloud Detection System, Botnets, Property Graphs
Faculty: ARCHIVED Faculty of Science & Technology (until September 2018)
Depositing User: Lisa Blanshard
Date Deposited: 28 Nov 2018 14:50
Last Modified: 09 Sep 2021 19:00

Actions (login required)

Edit Item Edit Item