Practical Experiences of Building an IPFIX Based Open Source Botnet Detector

Mark Graham; Adrian Winckles; Erika Sanchez-Velazquez

doi:10.18464/cybin.v1i1.7

Le Journal de la Cybercriminalité & des Investigations Numériques (Mar 2016)

Practical Experiences of Building an IPFIX Based Open Source Botnet Detector

Mark Graham,
Adrian Winckles,
Erika Sanchez-Velazquez

Affiliations

Mark Graham: Anglia Ruskin University
Adrian Winckles: Anglia Ruskin University
Erika Sanchez-Velazquez: Anglia Ruskin University

DOI: https://doi.org/10.18464/cybin.v1i1.7
Journal volume & issue: Vol. 1, no. 1
pp. 21 – 28

Abstract

Read online

The academic study of flow-based malware detection has primarily focused on NetFlow v5 and v9. In 2013 IPFIX was ratified as the flow export standard. As part of a larger project to develop protection methods for Cloud Service Providers from botnet threats, this paper considers the challenges involved in designing an open source IPFIX based botnet detection function. This paper describes how these challenges were overcome and presents an open source system built upon Xen hypervisor and Open vSwitch that is able to display botnet traffic within Cloud Service Provider-style virtualised environments. The system utilises Euler property graphs to display suspect “botnests”. The conceptual framework presented provides a vendor-neutral, real-time detection mechanism for monitoring botnet communication traffic within cloud architectures and the Internet of Things.

Published in Le Journal de la Cybercriminalité & des Investigations Numériques

ISSN: 2494-2715 (Online)
Publisher: Centre Expert contre la Cybercriminalité Français (CECyF)
Country of publisher: France
LCC subjects: Law: Law in general. Comparative and uniform law. Jurisprudence: Comparative law. International uniform law: Criminal law and procedure; Science: Science (General): Cybernetics
Website: https://journal.cecyf.fr/

About the journal