Anglia Ruskin Research Online (ARRO)
Practical Experiences of Building an IPFIX Based Open Source Botnet Detector

journal contribution
posted on 2023-07-26, 14:29 authored by Mark Graham, Adrian Winckles, Erika Sanchez
The academic study of flow-based malware detection has primarily focused on NetFlow v5 and v9. In 2013 IPFIX was ratified as the flow export standard. As part of a larger project to develop protection methods for Cloud Service Providers against botnet threats, this paper considers the challenges involved in designing an open source, IPFIX-based botnet detection function. The paper describes how these challenges were overcome and presents an open source system, built upon the Xen hypervisor and Open vSwitch, that is able to display botnet traffic within Cloud Service Provider-style virtualised environments. The system utilises Euler property graphs to display suspect “botnests”. The conceptual framework presented provides a vendor-neutral, real-time detection mechanism for monitoring botnet communication traffic within cloud architectures and the Internet of Things.

History

Refereed

  • Yes

Volume

1

Issue number

1

Page range

21-28

Publication title

Journal on Cybercrime and Digital Investigations

ISSN

2494-2715

Publisher

CECyF

File version

  • Published version

Language

  • eng

Legacy posted date

2018-11-28

Legacy creation date

2018-11-28

Legacy Faculty/School/Department

ARCHIVED Faculty of Science & Technology (until September 2018)
