Search Results: 35 results on "NetFlow"
2. A data infrastructure for heterogeneous telemetry adaptation: application to Netflow-based cryptojacking detection.
- Author: Moreno-Sancho, Alejandro A., Pastor, Antonio, Martinez-Casanueva, Ignacio D., González-Sánchez, Daniel, and Triana, Luis Bellido
- Abstract: The increasing development of cryptocurrencies has brought cryptojacking as a new security threat in which attackers steal computing resources for cryptomining. The digitization of the supply chain is a potential major target for cryptojacking due to the large number of different infrastructures involved. These different infrastructures provide information sources that can be useful to detect cryptojacking, but with a wide variety of data formats and encodings. This paper describes the semantic data aggregator (SDA), a normalization and aggregation system based on data modelling and low-latency processing of data streams that facilitates the integration of heterogeneous information sources. As a use case, the paper describes a cryptomining detection system (CDS) based on network traffic flows processed by a machine learning engine. The results show how the SDA is leveraged in this use case to obtain aggregated information that improves the performance of the CDS. [ABSTRACT FROM AUTHOR]
- Published: 2024
3. Tackling Evolving Botnet Threats: A Gradual Self-Training Neural Network Approach
- Author: Ta-Chun Lo, Jyh-Biau Chang, Shao-Hsuan Lo, Bai-Jun Kao, and Ce-Kuen Shieh
- Subjects: Botnet detection, NetFlow, network security, Electrical engineering. Electronics. Nuclear engineering, TK1-9971
- Abstract: Botnets pose a significant challenge to network security but are difficult to detect because of their dynamic and evolving nature, which limits the effectiveness of conventional supervised neural network detection methods. To address this problem, the present study proposes a novel neural network-based self-training framework for botnet detection, in which pseudo-labels are generated from unlabeled data by a trained classifier, which is iteratively refined over time using a combined dataset containing both training and pseudo-labeled data. Although not all of the generated pseudo-labels are applicable to every botnet, the self-training framework can label unseen botnets with behaviors similar to those of known botnets with high confidence. Several strategies are proposed for enhancing the robustness of the classification performance by minimizing the number of incorrect pseudo-labels, mitigating the effects of erroneous pseudo-labels on the overall performance of the network, and optimizing the proportion of unlabeled data for labeling. Experiments conducted on both synthetic datasets confirm the superiority of the proposed method over the base model, particularly when the training data constitutes only a small portion of the total dataset. Subsequent experiments also demonstrate the efficacy of the framework in successfully detecting unseen botnet variants and its commendable performance in real-world campus network traffic.
- Published: 2024
4. NTFA: Network Flow Aggregator
- Author: Karim, Kayvan, Ragab Hassen, Hani, Batatia, Hadj, Kacprzyk, Janusz, Series Editor, Gomide, Fernando, Advisory Editor, Kaynak, Okyay, Advisory Editor, Liu, Derong, Advisory Editor, Pedrycz, Witold, Advisory Editor, Polycarpou, Marios M., Advisory Editor, Rudas, Imre J., Advisory Editor, Wang, Jun, Advisory Editor, Zantout, Hind, editor, and Ragab Hassen, Hani, editor
- Published: 2023
5. Impact of the Keep-Alive Parameter on SQL Injection Attack Detection in Network Flow Data
- Author: Crespo-Martínez, Ignacio Samuel, Campazas-Vega, Adrián, Guerrero-Higueras, Ángel Manuel, Álvarez-Aparicio, Claudia, Fernández-Llamas, Camino, Kacprzyk, Janusz, Series Editor, Gomide, Fernando, Advisory Editor, Kaynak, Okyay, Advisory Editor, Liu, Derong, Advisory Editor, Pedrycz, Witold, Advisory Editor, Polycarpou, Marios M., Advisory Editor, Rudas, Imre J., Advisory Editor, Wang, Jun, Advisory Editor, García Bringas, Pablo, editor, Pérez García, Hilde, editor, Martínez de Pisón, Francisco Javier, editor, Martínez Álvarez, Francisco, editor, Troncoso Lora, Alicia, editor, Herrero, Álvaro, editor, Calvo Rolle, José Luis, editor, Quintián, Héctor, editor, and Corchado, Emilio, editor
- Published: 2023
6. Methods and High-performance Tools for Collecting, Analysis and Visualization of Data Exchange with a Focus on Research and Education Telecommunications Networks.
- Author: Abramov, A. G., Porkhachev, V. A., and Yastrebov, Yu. V.
- Abstract: The paper focuses on the methods that have come into practice, key functions and software instruments for collecting, analysis and visualization of network traffic statistics. The source of information is NetFlow telemetry data collected from network equipment. In addition to being used by network engineers and technicians, including for the purposes of network monitoring, incident handling, identification of network congestion and the main bandwidth utilizers with details on autonomous systems or IP addresses of sources and recipients, protocols, services and applications, NetFlow data is of interest in the context of monitoring and analysis of network interaction between users, service providers and consumers. The paper provides a detailed description of the up-to-date, high-performance software solution for working with network telemetry data that was developed and implemented on the basis of the new-generation National Research Computer Network of Russia; specific examples of its capabilities for advanced analytics and descriptive data visualization in real time are given, taking into account the special needs of industry telecommunications networks in the field of research and education. [ABSTRACT FROM AUTHOR]
- Published: 2023
7. Network Traffic Classification Based On A Deep Learning Approach Using NetFlow Data.
- Author: Long, Zhang and Jinsong, Wang
- Subjects: DEEP learning, MACHINE learning, QUALITY of service
- Abstract: Network traffic classification is of fundamental importance to a wide range of network activities, such as security monitoring, accounting, quality of service and forecasting for long-term provisioning purposes. This task has been increasingly implemented using machine learning methods due to the inability of conventional approaches to accommodate the increasing use of encryption. However, the application of machine learning methods to network traffic classification based on sampled NetFlow data is poorly developed despite the fact that NetFlow is a widely extended monitoring solution routinely employed by network operators. This study addresses this issue by proposing a network traffic classification module using NetFlow data in conjunction with a deep neural network. The performance of the proposed classification module is demonstrated by its application to two real-world datasets, and an average classification accuracy of 95% is obtained for ~1.4 million test cases. Moreover, the performance of the proposed classifier is demonstrated to be superior to three other state-of-the-art classifiers. Accordingly, the proposed module represents a promising alternative for network traffic classification. [ABSTRACT FROM AUTHOR]
- Published: 2023
8. An approach to application-layer DoS detection
- Author: Cliff Kemp, Chad Calvert, Taghi M. Khoshgoftaar, and Joffrey L. Leevy
- Subjects: Application-layer DoS attack, Machine learning, HTTP GET, HTTP POST, Slow read DoS, Netflow, Computer engineering. Computer hardware, TK7885-7895, Information technology, T58.5-58.64, Electronic computers. Computer science, QA75.5-76.95
- Abstract: With the massive resources and strategies accessible to attackers, countering Denial of Service (DoS) attacks is getting increasingly difficult. One of these techniques is application-layer DoS. Due to these challenges, network security has become increasingly more challenging to ensure. Hypertext Transfer Protocol (HTTP), Domain Name Service (DNS), Simple Mail Transfer Protocol (SMTP), and other application protocols have had increased attacks over the past several years. It is common for application-layer attacks to concentrate on these protocols because attackers can exploit some weaknesses. Flood and "low and slow" attacks are examples of application-layer attacks. They target weaknesses in HTTP, the most extensively used application-layer protocol on the Internet. Our experiment proposes a generalized detection approach to identify features for application-layer DoS attacks that is not specific to a single slow DoS attack. We combine four application-layer DoS attack datasets: Slow Read, HTTP POST, Slowloris, and Apache Range Header. We perform a feature-scaling technique that applies a normalization filter to the combined dataset. We perform a feature extraction technique, Principal Component Analysis (PCA), on the combined dataset to reduce dimensionality. We examine ways to enhance machine learning techniques for detecting slow application-layer DoS attacks that employ these methodologies. The machine learners effectively identify multiple slow DoS attacks, according to our findings. The experiment shows that classifiers are good predictors when combined with our selected Netflow characteristics and feature selection techniques.
- Published: 2023
9. A Quantitative Logarithmic Transformation-Based Intrusion Detection System
- Author: Blue Lan, Ta-Chun Lo, Rico Wei, Heng-Yu Tang, and Ce-Kuen Shieh
- Subjects: NIDS, NetFlow, network security, Electrical engineering. Electronics. Nuclear engineering, TK1-9971
- Abstract: Intrusion detection systems (IDS) play a vital role in protecting networks from malicious attacks. Modern IDS use machine-learning or deep-learning models to deal with the diversity of attacks that malicious users may employ. However, effective machine-learning methods incur a considerable cost in both the pretraining stage and the online detection process itself. Accordingly, this study proposes a quantitative logarithmic transformation-based intrusion detection system (QLT-IDS) that uses a straightforward statistical approach to analyze network behavior. Compared with machine-learning or deep-learning-based IDS methods, the proposed system requires neither a time-consuming and expensive data collection and training process, nor a GPU-included device to achieve a real-time detection performance. Furthermore, the system can deal not only with North-South attacks, but also East-West attacks, which pose a significant risk in real-world operations. The effectiveness of the proposed system is evaluated for both real-world campus network traffic and simulated traffic. The results confirm that QLT-IDS is able to detect a wide range of malicious attacks with a high precision, even under a high down-sampling rate of the NetFlow records.
- Published: 2023
10. A Survey of Network Features for Machine Learning Algorithms to Detect Network Attacks
- Author: Rubab, Joveria, Afzal, Hammad, Shahid, Waleed Bin, Goos, Gerhard, Founding Editor, Hartmanis, Juris, Founding Editor, Bertino, Elisa, Editorial Board Member, Gao, Wen, Editorial Board Member, Steffen, Bernhard, Editorial Board Member, Yung, Moti, Editorial Board Member, Nguyen, Ngoc Thanh, editor, Tran, Tien Khoa, editor, Tukayev, Ualsher, editor, Hong, Tzung-Pei, editor, Trawiński, Bogdan, editor, and Szczerbicki, Edward, editor
- Published: 2022
11. Machine Learning Based Network Intrusion Detection System for Internet of Things Cybersecurity
- Author: Molcer, Piroska Stanić, Pejić, Aleksandar, Gulači, Kristian, Szalma, Réka, Kovács, Tünde Anna, editor, Nyikes, Zoltán, editor, and Fürstner, Igor, editor
- Published: 2022
12. A Study on the Use of 3rd Party DNS Resolvers for Malware Filtering or Censorship Circumvention
- Author: Fejrskov, Martin, Vasilomanolakis, Emmanouil, Pedersen, Jens Myrup, Rannenberg, Kai, Editor-in-Chief, Soares Barbosa, Luís, Editorial Board Member, Goedicke, Michael, Editorial Board Member, Tatnall, Arthur, Editorial Board Member, Neuhold, Erich J., Editorial Board Member, Stiller, Burkhard, Editorial Board Member, Tröltzsch, Fredi, Editorial Board Member, Pries-Heje, Jan, Editorial Board Member, Kreps, David, Editorial Board Member, Reis, Ricardo, Editorial Board Member, Furnell, Steven, Editorial Board Member, Mercier-Laurent, Eunika, Editorial Board Member, Winckler, Marco, Editorial Board Member, Malaka, Rainer, Editorial Board Member, Meng, Weizhi, editor, Fischer-Hübner, Simone, editor, and Jensen, Christian D., editor
- Published: 2022
13. Advantages of Machine Learning in Networking-Monitoring Systems to Size Network Appliances and Identify Incongruences in Data Networks
- Author: Bustamante, Anthony J., Ghimire, Niskarsha, Sanghavi, Preet R., Pokharel, Arpit, Irekponor, Victor E., Kacprzyk, Janusz, Series Editor, Gomide, Fernando, Advisory Editor, Kaynak, Okyay, Advisory Editor, Liu, Derong, Advisory Editor, Pedrycz, Witold, Advisory Editor, Polycarpou, Marios M., Advisory Editor, Rudas, Imre J., Advisory Editor, Wang, Jun, Advisory Editor, Botto-Tobar, Miguel, editor, S. Gómez, Omar, editor, Rosero Miranda, Raul, editor, Díaz Cadena, Angela, editor, Montes León, Sergio, editor, and Luna-Encalada, Washington, editor
- Published: 2022
14. Analysis of TCP flood attack using NetFlow
- Author: Vsevolod Kapustin and Nerijus Paulauskas
- Subjects: NetFlow, tcpdump, TCP, packet, firewall, traffic, Technology, Science
- Abstract: Traffic analysis is a common question for most of the production systems in various segments of computer networks. Attacks, configuration mistakes, and other factors can increase network accessibility and, as a result, endanger data privacy. Analyzing network flows and their individual packets can be helpful for anomaly detection. Well-known network equipment has pre-developed network flow monitoring software. The "NetFlow" data collector software "Nfsen" is an open-source way to collect information from agents. "Nfsen" is also designed for data sorting and for preparing datasets for intrusion detection systems. Prepared data can be split into fragments for artificial intelligence training and testing. A multilayer perceptron developed in the Python programming language can be used as the AI unit. This paper focuses on real-world traffic dataset collection and multilayer perceptron deployment for TCP flood traffic detection. Article in English. Analysis of excessive TCP session establishment attacks using "NetFlow". Summary: Traffic analysis is one of the main tools for detecting anomalies in a computer network. Attacks and configuration errors can make a computer network easier to reach and ultimately increase the risk to data security. Analysis of data network traffic and individual packets can be used to detect anomalies. Many equipment manufacturers build traffic monitoring tools into their equipment. "Nfsen", a collector of flow data transmitted via the "NetFlow" protocol, is open-source software that helps collect information from agents. "Nfsen" is also designed to prepare datasets for intrusion detection systems. The prepared dataset can be split to train and test an artificial intelligence model. A multilayer perceptron can be used as the intelligent system for classifying traffic. This work aims to analyse how to detect excessive TCP traffic in an Internet service provider's network and classify it.
Keywords: "NetFlow", tcpdump, TCP, packet, firewall, traffic, GRE, attack.
- Published: 2023
15. Cyber Threat Intelligence Sharing Scheme Based on Federated Learning for Network Intrusion Detection.
- Author: Sarhan, Mohanad, Layeghy, Siamak, Moustafa, Nour, and Portmann, Marius
- Abstract: The uses of machine learning (ML) technologies in the detection of network attacks have been proven to be effective when designed and evaluated using data samples originating from the same organisational network. However, it has been very challenging to design an ML-based detection system using heterogeneous network data samples originating from different sources and organisations. This is mainly due to privacy concerns and the lack of a universal format of datasets. In this paper, we propose a collaborative cyber threat intelligence sharing scheme to allow multiple organisations to join forces in the design, training, and evaluation of a robust ML-based network intrusion detection system. The threat intelligence sharing scheme utilises two critical aspects for its application; the availability of network data traffic in a common format to allow for the extraction of meaningful patterns across data sources and the adoption of a federated learning mechanism to avoid the necessity of sharing sensitive users' information between organisations. As a result, each organisation benefits from the intelligence of other organisations while maintaining the privacy of its data internally. In this paper, the framework has been designed and evaluated using two key datasets in a NetFlow format known as NF-UNSW-NB15-v2 and NF-BoT-IoT-v2. In addition, two other common scenarios are considered in the evaluation process; a centralised training method where local data samples are directly shared with other organisations and a localised training method where no threat intelligence is shared. The results demonstrate the efficiency and effectiveness of the proposed framework by designing a universal ML model effectively classifying various benign and intrusive traffic types originating from multiple organisations without the need for inter-organisational data exchange. [ABSTRACT FROM AUTHOR]
- Published: 2023
16. An approach to application-layer DoS detection.
- Author: Kemp, Cliff, Calvert, Chad, Khoshgoftaar, Taghi M., and Leevy, Joffrey L.
- Subjects: HTTP (Computer network protocol), DENIAL of service attacks, INTERNET domain naming system, FEATURE selection, PRINCIPAL components analysis, COMPUTER network security, INTERNET protocols
- Abstract: With the massive resources and strategies accessible to attackers, countering Denial of Service (DoS) attacks is getting increasingly difficult. One of these techniques is application-layer DoS. Due to these challenges, network security has become increasingly more challenging to ensure. Hypertext Transfer Protocol (HTTP), Domain Name Service (DNS), Simple Mail Transfer Protocol (SMTP), and other application protocols have had increased attacks over the past several years. It is common for application-layer attacks to concentrate on these protocols because attackers can exploit some weaknesses. Flood and "low and slow" attacks are examples of application-layer attacks. They target weaknesses in HTTP, the most extensively used application-layer protocol on the Internet. Our experiment proposes a generalized detection approach to identify features for application-layer DoS attacks that is not specific to a single slow DoS attack. We combine four application-layer DoS attack datasets: Slow Read, HTTP POST, Slowloris, and Apache Range Header. We perform a feature-scaling technique that applies a normalization filter to the combined dataset. We perform a feature extraction technique, Principal Component Analysis (PCA), on the combined dataset to reduce dimensionality. We examine ways to enhance machine learning techniques for detecting slow application-layer DoS attacks that employ these methodologies. The machine learners effectively identify multiple slow DoS attacks, according to our findings. The experiment shows that classifiers are good predictors when combined with our selected Netflow characteristics and feature selection techniques. [ABSTRACT FROM AUTHOR]
- Published: 2023
17. ANALYSIS OF TCP FLOOD ATTACK USING NETFLOW.
- Author: KAPUSTIN, Vsevolod and PAULAUSKAS, Nerijus
- Subjects: DENIAL of service attacks, DATA privacy, TRAFFIC monitoring, COMPUTER networks, COMPUTER networking equipment, PYTHON programming language
- Abstract: Traffic analysis is a common question for most of the production systems in various segments of computer networks. Attacks, configuration mistakes, and other factors can increase network accessibility and, as a result, endanger data privacy. Analyzing network flows and their individual packets can be helpful for anomaly detection. Well-known network equipment has pre-developed network flow monitoring software. The "NetFlow" data collector software "Nfsen" is an open-source way to collect information from agents. "Nfsen" is also designed for data sorting and for preparing datasets for intrusion detection systems. Prepared data can be split into fragments for artificial intelligence training and testing. A multilayer perceptron developed in the Python programming language can be used as the AI unit. This paper focuses on real-world traffic dataset collection and multilayer perceptron deployment for TCP flood traffic detection. [ABSTRACT FROM AUTHOR]
- Published: 2023
18. Tensor-Based Online Network Anomaly Detection and Diagnosis
- Author: Mehdi Shajari, Hongxiang Geng, Kaixuan Hu, and Alberto Leon-Garcia
- Subjects: Anomaly detection, anomaly diagnosis, convolutional neural network, autoencoder, NetFlow, Electrical engineering. Electronics. Nuclear engineering, TK1-9971
- Abstract: This paper presents an online anomaly detection system capable of handling operational network traffic of large networks (such as an ISP). We also aim for an effective and practical diagnosis of anomalies to produce actionable intelligence that enables automated response. To achieve these objectives, we use the following approaches. (1) We model the status of the network by a stream of tensors where each tensor cell contains a time series. (2) We detect anomalous tensors at discrete time steps using an unsupervised tensor representation learning model. (3) We produce actionable intelligence by diagnosing anomaly detection results and identifying the abnormal time series that are the most likely causes of each anomaly in the tensor. (4) We further analyze the traffic corresponding to each anomalous time series by an innovative method that extracts and isolates the attack traffic. (5) We provide solutions for streaming data anomaly detection challenges such as large volume, high velocity, seasonality, and concept drift. We apply our approach to the complete test set of UGR data to show its practicality and effectiveness. Not only can we detect and isolate most of the labelled attack traffic, but we also identify many organic attack activities in the UGR data. Our results on the complete UGR dataset show high detection and isolation rates for the labelled attacks in the dataset. We also report on additional organic attacks we detected that were originally labelled as background in the dataset. Our analysis shows that the isolated background traffic represents interesting and potentially malicious behavior and can provide invaluable insight for cyber-threat researchers.
- Published: 2022
19. Detection of illicit cryptomining using network metadata
- Author: Michele Russo, Nedim Šrndić, and Pavel Laskov
- Subjects: Detection, Malware, Cryptomining, Monero, NetFlow, Machine learning, Computer engineering. Computer hardware, TK7885-7895, Electronic computers. Computer science, QA75.5-76.95
- Abstract: Illicit cryptocurrency mining has become one of the prevalent methods for monetization of computer security incidents. In this attack, victims' computing resources are abused to mine cryptocurrency for the benefit of attackers. The most popular illicitly mined digital coin is Monero as it provides strong anonymity and is efficiently mined on CPUs. Illicit mining crucially relies on communication between compromised systems and remote mining pools using the de facto standard protocol Stratum. While prior research primarily focused on endpoint-based detection of in-browser mining, in this paper, we address network-based detection of cryptomining malware in general. We propose XMR-Ray, a machine learning detector using novel features based on reconstructing the Stratum protocol from raw NetFlow records. Our detector is trained offline using only mining traffic and does not require privacy-sensitive normal network traffic, which facilitates its adoption and integration. In our experiments, XMR-Ray attained 98.94% detection rate at 0.05% false alarm rate, outperforming the closest competitor. Our evaluation furthermore demonstrates that it reliably detects previously unseen mining pools, is robust against common obfuscation techniques such as encryption and proxies, and is applicable to mining in the browser or by compiled binaries. Finally, by deploying our detector in a large university network, we show its effectiveness in protecting real-world systems.
- Published: 2021
20. A Machine Learning-based Real-time Monitoring System for Classification of Elephant Flows on KOREN.
- Author: Akbar, Waleed, Rivera, Javier J. D., Ahmed, Khan T., Muhammad, Afaq, and Wang-Cheol Song
- Subjects: SOFTWARE-defined networking, ELEPHANTS, RANDOM forest algorithms, MACHINE learning, CLASSIFICATION
- Abstract: With the advent and realization of Software Defined Network (SDN) architecture, many organizations are now shifting towards this paradigm. SDN brings more control, higher scalability, and serene elasticity. The SDN spontaneously changes the network configuration according to the dynamic network requirements inside the constrained environments. Therefore, a monitoring system that can monitor the physical and virtual entities is needed to operate this type of network technology with high efficiency and proficiency. In this manuscript, we propose a real-time monitoring system for data collection and visualization that includes the Prometheus, node exporter, and Grafana. A node exporter is configured on the physical devices to collect the physical and virtual entities resources utilization logs. A real-time Prometheus database is configured to collect and store the data from all the exporters. Furthermore, the Grafana is affixed with Prometheus to visualize the current network status and device provisioning. A monitoring system is deployed on the physical infrastructure of the KOREN topology. Data collected by the monitoring system is further pre-processed and restructured into a dataset. A monitoring system is further enhanced by including machine learning techniques applied on the formatted datasets to identify the elephant flows. Additionally, a Random Forest is trained on our generated labeled datasets, and the classification models' performance is verified using accuracy metrics. [ABSTRACT FROM AUTHOR]
- Published: 2022
21. SQL injection attack: Detection, prioritization & prevention.
- Author: Paul, Alan, Sharma, Vishal, and Olukoya, Oluwafemi
- Subjects: WEB-based user interfaces, DIGITAL technology, ROCKET payloads, ALGORITHMS, ALGEBRA
- Abstract: Web applications have become central in the digital landscape, providing users instant access to information and allowing businesses to expand their reach. Injection attacks, such as SQL injection (SQLi), are prominent attacks on web applications, given that most web applications integrate a database system. While there have been solutions proposed in the literature for SQLi attack detection using learning-based frameworks, the problem is often formulated as a binary, single-attack vector problem without considering the prioritization and prevention component of the attack. In this work, we propose a holistic solution, SQLR34P3R, that formulates the SQLi attack as a multi-class, multi-attack vector, prioritization, and prevention problem. For attack detection and classification, we gathered 457,233 samples of benign and malicious network traffic, as well as 70,023 samples that had SQLi and benign payloads. After evaluating several machine-learning-based algorithms, the hybrid CNN-LSTM models achieve an average F1-Score of 97% in web and network traffic filtering. Furthermore, by using CVEs of SQLi vulnerabilities, SQLR34P3R incorporates a novel risk analysis approach which reduces additional effort while maintaining reasonable coverage to assist businesses in allocating resources effectively by focusing on patching vulnerabilities with high exploitability. We also present an in-the-wild evaluation of the proposed solution by integrating SQLR34P3R into the pipeline of known vulnerable web applications such as Damn Vulnerable Web Application (DVWA) and Vulnado and via network traffic captured using Wireshark from SQLi DNS exfiltration conducted with SQLMap for real-time detection. Finally, we provide a comparative analysis with state-of-the-art SQLi attack detection and risk ratings solutions. [ABSTRACT FROM AUTHOR]
- Published: 2024
22. Towards a Standard Feature Set for Network Intrusion Detection System Datasets.
- Author: Sarhan, Mohanad, Layeghy, Siamak, and Portmann, Marius
- Subjects: INTRUSION detection systems (Computer security), CYBERTERRORISM, COMPUTER networks, MACHINE learning, SCIENTIFIC community, CITY traffic, METADATA
- Abstract: Network Intrusion Detection Systems (NIDSs) are important tools for the protection of computer networks against increasingly frequent and sophisticated cyber attacks. Recently, a lot of research effort has been dedicated to the development of Machine Learning (ML) based NIDSs. As in any ML-based application, the availability of high-quality datasets is critical for the training and evaluation of ML-based NIDS. One of the key problems with the currently available NIDS datasets is the lack of a standard feature set. The use of a unique and proprietary set of features for each of the publicly available datasets makes it virtually impossible to compare the performance of ML-based traffic classifiers on different datasets, and hence to evaluate the ability of these systems to generalise across different network scenarios. To address that limitation, this paper proposes and evaluates standard NIDS feature sets based on the NetFlow network meta-data collection protocol and system. We evaluate and compare two NetFlow-based feature set variants, a version with 12 features, and another one with 43 features. For our evaluation, we converted four widely used NIDS datasets (UNSW-NB15, BoT-IoT, ToN-IoT, CSE-CIC-IDS2018) into new variants with our proposed NetFlow based feature sets. Based on an Extra Tree classifier, we compared the classification performance of the NetFlow-based feature sets with the proprietary feature sets provided with the original datasets. While the smaller feature set cannot match the classification performance of the proprietary feature sets, the larger set with 43 NetFlow features surprisingly achieves a consistently higher classification performance compared to the original feature set, which was tailored to each of the considered NIDS datasets. The proposed NetFlow-based NIDS feature set, together with four benchmark datasets, made available to the research community, allow a fair comparison of ML-based network traffic classifiers across different NIDS datasets. We believe that having a standard feature set is critical for allowing a more rigorous and thorough evaluation of ML-based NIDSs and that it can help bridge the gap between academic research and the practical deployment of such systems. [ABSTRACT FROM AUTHOR]
- Published: 2022
- Full Text
- View/download PDF
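The point of a NetFlow-based feature set is that the same fields can be computed from any capture or exporter, so classifiers trained on one dataset can be tested on another. The following is an added example, not code from the paper or its released datasets: it folds packet metadata into bidirectional NetFlow-style flow records and emits a small set of flow-level features (byte and packet counts per direction, OR of TCP flags, duration). The feature names, the flag constants and the packet list are constructed for this illustration; the paper's exact 12- and 43-feature lists are not reproduced here.

```python
"""Build NetFlow-style bidirectional flow records from packet metadata.

Added example (not the paper's code). Feature names are an illustrative
subset chosen here, not the paper's 12- or 43-feature set.
"""
from dataclasses import dataclass

# TCP flag bits as carried in a NetFlow/IPFIX tcpControlBits field.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    first_ts: float
    last_ts: float
    in_pkts: int = 0      # packets from the initiator (src) to the responder
    in_bytes: int = 0
    out_pkts: int = 0     # packets from the responder back to the initiator
    out_bytes: int = 0
    tcp_flags: int = 0    # OR of every TCP flag seen in either direction

    def features(self):
        """Flat feature row in the style of a NetFlow exporter."""
        return {
            "IPV4_SRC_ADDR": self.src, "L4_SRC_PORT": self.sport,
            "IPV4_DST_ADDR": self.dst, "L4_DST_PORT": self.dport,
            "PROTOCOL": self.proto,
            "IN_BYTES": self.in_bytes, "OUT_BYTES": self.out_bytes,
            "IN_PKTS": self.in_pkts, "OUT_PKTS": self.out_pkts,
            "TCP_FLAGS": self.tcp_flags,
            # round() rather than int(): 0.12 - 0.10 is 0.0199999... in float
            "FLOW_DURATION_MILLISECONDS": round((self.last_ts - self.first_ts) * 1000),
        }


def aggregate(packets):
    """packets: iterable of (ts, src, sport, dst, dport, proto, length, tcp_flags).

    The first packet seen for a 5-tuple defines the initiator; packets on the
    reverse 5-tuple are folded into the same flow as the 'out' direction."""
    flows = {}
    for ts, src, sport, dst, dport, proto, length, flags in packets:
        fwd = (src, sport, dst, dport, proto)
        rev = (dst, dport, src, sport, proto)
        if fwd in flows:
            flow, forward = flows[fwd], True
        elif rev in flows:
            flow, forward = flows[rev], False
        else:
            flow, forward = Flow(src, sport, dst, dport, proto, ts, ts), True
            flows[fwd] = flow
        flow.last_ts = max(flow.last_ts, ts)
        flow.tcp_flags |= flags
        if forward:
            flow.in_pkts += 1
            flow.in_bytes += length
        else:
            flow.out_pkts += 1
            flow.out_bytes += length
    return [f.features() for f in flows.values()]


# Constructed packet metadata (not captured traffic): one short HTTP-like TCP
# exchange and one UDP DNS lookup. Fields: ts, src, sport, dst, dport, proto, length, flags.
SAMPLE_PACKETS = [
    (0.000, "10.0.0.5", 40000, "10.0.0.9", 80, 6, 60, SYN),
    (0.010, "10.0.0.9", 80, "10.0.0.5", 40000, 6, 60, SYN | ACK),
    (0.012, "10.0.0.5", 40000, "10.0.0.9", 80, 6, 52, ACK),
    (0.015, "10.0.0.5", 40000, "10.0.0.9", 80, 6, 300, PSH | ACK),
    (0.030, "10.0.0.9", 80, "10.0.0.5", 40000, 6, 1400, PSH | ACK),
    (0.045, "10.0.0.5", 40000, "10.0.0.9", 80, 6, 52, FIN | ACK),
    (0.050, "10.0.0.9", 80, "10.0.0.5", 40000, 6, 52, FIN | ACK),
    (0.100, "10.0.0.5", 53001, "10.0.0.2", 53, 17, 70, 0),
    (0.120, "10.0.0.2", 53, "10.0.0.5", 53001, 17, 120, 0),
]

if __name__ == "__main__":
    for row in aggregate(SAMPLE_PACKETS):
        print(row)
```

The two rows produced are the kind of record a collector such as nProbe or softflowd would export; feeding them, rather than dataset-specific columns, into the classifier is what makes cross-dataset comparison possible.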
23. Detection of illicit cryptomining using network metadata.
- Author
-
Russo, Michele, Šrndić, Nedim, and Laskov, Pavel
- Subjects
METADATA ,DIGITAL currency ,COMPUTER security ,CRYPTOCURRENCY mining ,SENSOR networks ,CRYPTOCURRENCIES ,MACHINE learning ,CRYPTOSYSTEMS - Abstract
Illicit cryptocurrency mining has become one of the prevalent methods for monetization of computer security incidents. In this attack, victims' computing resources are abused to mine cryptocurrency for the benefit of attackers. The most popular illicitly mined digital coin is Monero as it provides strong anonymity and is efficiently mined on CPUs. Illicit mining crucially relies on communication between compromised systems and remote mining pools using the de facto standard protocol Stratum. While prior research primarily focused on endpoint-based detection of in-browser mining, in this paper, we address network-based detection of cryptomining malware in general. We propose XMR-Ray, a machine learning detector using novel features based on reconstructing the Stratum protocol from raw NetFlow records. Our detector is trained offline using only mining traffic and does not require privacy-sensitive normal network traffic, which facilitates its adoption and integration. In our experiments, XMR-Ray attained 98.94% detection rate at 0.05% false alarm rate, outperforming the closest competitor. Our evaluation furthermore demonstrates that it reliably detects previously unseen mining pools, is robust against common obfuscation techniques such as encryption and proxies, and is applicable to mining in the browser or by compiled binaries. Finally, by deploying our detector in a large university network, we show its effectiveness in protecting real-world systems. [ABSTRACT FROM AUTHOR]
- Published
- 2021
- Full Text
- View/download PDF
24. MACHINE LEARNING STATISTICAL DETECTION OF ANOMALIES USING NETFLOW RECORDS
- Author
-
Bollmann, Chad A., Dinolt, George W., Electrical and Computer Engineering (ECE), and Putman, Zachary W.
- Abstract
NetFlow is a network protocol system that is used to represent an overall summary of computer network conversations. A NetFlow record can convert previously captured packet captures or obtain NetFlow session data in real time. This research examines the use of machine-learning techniques to identify anomalies in NetFlow records and classify malware behavior for further investigation. The intent is to identify low-cost solutions leveraging open-source software capable of deployment on computer hardware of currently in-use data networks. This work seeks to determine whether expert selection of features can improve machine-learning detection algorithm performance and evaluate the trade-offs associated with eliminating redundant or excessive numbers of features. We identify the Random Forest algorithm as the strongest single algorithm across three of four metrics, with our chosen NetFlow features cutting the testing and training times in half while incurring minor reductions in two metrics. The experiment demonstrates that the chosen NetFlow features are sufficiently discriminative to detect attacks with a success rate higher than 94%.
NCWDG. Lieutenant, United States Navy. Approved for public release. Distribution is unlimited.
- Published
- 2023
25. Rethinking Fine-Grained Measurement From Software-Defined Perspective: A Survey
- Author
-
Hao Zheng, Yanan Jiang, Chen Tian, Long Cheng, Qun Huang, Weichao Li, Yi Wang, Qianyi Huang, Jiaqi Zheng, Rui Xia, Wanchun Dou, and Guihai Chen
- Subjects
Information Systems and Management ,sFlow ,Computer Networks and Communications ,Computer science ,business.industry ,Distributed computing ,Data structure ,Hash table ,Computer Science Applications ,Network management ,Hardware and Architecture ,Traffic engineering ,NetFlow ,Anomaly detection ,business ,Streaming algorithm - Abstract
Network measurement provides operators an efficient tool for many network management tasks such as performance diagnosis, traffic engineering and intrusion prevention. However, with the rapid and continuous growth of traffic speed, it needs more computing and memory resources to monitor traffic in per-flow or per-packet granularity. Sample-based measurement systems (e.g., NetFlow, sFlow) have been developed to perform coarse-grained measurement, but they may miss part of the records, especially for mice flows, which are important for some network management tasks (e.g., anomaly detection, performance diagnosis). To address these issues, data streaming algorithms such as hash tables and sketches have been introduced to balance the trade-off among accuracy, speed, and memory usage. In this paper, we present a systematic survey of various data structures, algorithms and systems which have been proposed in recent years to perform fine-grained measurement for high-speed networks. We organize these methods and systems from a software-defined perspective. In particular, we abstract fine-grained network measurement into a three-layer architecture. We introduce the responsibility of each layer and categorize existing state-of-the-art works into this architecture. Finally, we conclude the paper and discuss the future directions of fine-grained network measurement.
- Published
- 2022
- Full Text
- View/download PDF
26. Efficient and Accurate Flow Record Collection With HashFlow
- Author
-
Han Zhang, Qing Li, Zongyi Zhao, Xia Yin, Zhiliang Wang, and Xingang Shi
- Subjects
Traffic analysis ,Computational Theory and Mathematics ,Flow (mathematics) ,Hardware and Architecture ,Computer science ,Signal Processing ,Real-time computing ,Hash function ,NetFlow ,Table (database) ,Throughput ,Data structure ,Flow measurement - Abstract
Traditional tools like NetFlow face great challenges as both the speed and the complexity of the network traffic increase. To keep the pace up, we propose HashFlow for more efficient and accurate collection of flow records. HashFlow keeps large flows in its main flow table and uses an ancillary table to summarize the other flows when the main table is full. With our flow collision resolution and flow record promotion schemes, a flow in the ancillary table is promoted back to the main flow table with a guaranteed probability when it becomes large enough. These operations can be performed highly efficiently, so HashFlow can keep up with ultra-high traffic speed. We implement HashFlow in a Tofino switch, and using traces from different operational networks, we compare its performance against some state-of-the-art flow measurement algorithms. Our experiments show that, for various types of traffic analysis applications, HashFlow consistently demonstrates clearly better performance than its competitors. For example, the performance of HashFlow in flow size estimation, flow size distribution estimation and heavy hitter detection is up to 21, 60 and 35 percent better than those of the best competitors respectively, and these merits of HashFlow come with almost no degradation of throughput.
- Published
- 2022
- Full Text
- View/download PDF
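The abstract above describes the mechanism in outline: an exact main table for large flows, an ancillary structure that summarises everything else once a bucket is taken, and promotion of a summarised flow back into the main table once it has grown large enough. The following is an added example, not HashFlow's code or its published algorithm: a deliberately simplified collector in which the ancillary table is a count-min sketch and a colliding flow is promoted when its sketch estimate exceeds the resident flow's count. The table sizes, the deterministic promotion rule (HashFlow's is probabilistic with a guaranteed bound), the CRC32 hashing and the traffic are all assumptions made for the illustration.

```python
"""Simplified HashFlow-style flow collector (added example; not the paper's code).

Main table: exact per-flow counters, one flow per hash bucket.
Ancillary table: a count-min sketch that summarises flows that lost a bucket.
Promotion: a summarised flow replaces the resident when its estimate is larger;
the demoted resident's exact increments are folded into the sketch, so no packet
is ever counted twice and estimates never undercount.
"""
import zlib
from collections import Counter


def _h(key: str, seed: int) -> int:
    """Deterministic hash (seeded CRC32) so runs are reproducible."""
    return zlib.crc32(f"{seed}:{key}".encode())


class HashFlowLite:
    def __init__(self, main_buckets=32, sketch_rows=3, sketch_width=64):
        self.m = main_buckets
        self.main = [None] * main_buckets      # bucket -> [key, count, base] or None
        self.rows, self.w = sketch_rows, sketch_width
        self.sketch = [[0] * sketch_width for _ in range(sketch_rows)]

    # ---- ancillary table: count-min sketch ----------------------------------
    def _sketch_add(self, key, n):
        for r in range(self.rows):
            self.sketch[r][_h(key, r) % self.w] += n

    def _sketch_est(self, key):
        return min(self.sketch[r][_h(key, r) % self.w] for r in range(self.rows))

    # ---- per-packet update ---------------------------------------------------
    def update(self, key, n=1):
        b = _h(key, 0xFEED) % self.m
        slot = self.main[b]
        if slot is None:                       # empty bucket: record exactly
            self.main[b] = [key, n, 0]
        elif slot[0] == key:                   # same flow: exact increment
            slot[1] += n
        else:                                  # collision: summarise newcomer
            self._sketch_add(key, n)
            est = self._sketch_est(key)
            if est > slot[1]:                  # newcomer is now larger: promote it
                # demote resident: only the packets counted exactly since its promotion
                self._sketch_add(slot[0], slot[1] - slot[2])
                self.main[b] = [key, est, est]

    def estimate(self, key):
        slot = self.main[_h(key, 0xFEED) % self.m]
        if slot is not None and slot[0] == key:
            return slot[1]
        return self._sketch_est(key)

    def heavy_hitters(self, threshold):
        hits = [(k, c) for k, c, _ in (s for s in self.main if s) if c >= threshold]
        return sorted(hits, key=lambda kc: -kc[1])


# Constructed traffic: three elephant flows interleaved with 100 single-packet mice.
HEAVY_KEYS = ["10.0.0.5:51000>203.0.113.10:443/tcp",
              "10.0.0.6:51001>203.0.113.11:443/tcp",
              "10.0.0.7:51002>203.0.113.12:80/tcp"]
HEAVY_SIZES = [300, 200, 120]


def constructed_stream():
    pkts = []
    for i in range(max(HEAVY_SIZES)):
        for key, size in zip(HEAVY_KEYS, HEAVY_SIZES):
            if i < size:
                pkts.append(key)
        if i < 100:
            pkts.append(f"10.0.1.{i}:40000>203.0.113.99:53/udp")
    return pkts


def exact_counts(stream):
    """Ground truth for comparison (what an unbounded flow table would hold)."""
    return Counter(stream)


if __name__ == "__main__":
    hf = HashFlowLite()
    for key in constructed_stream():
        hf.update(key)
    print(hf.heavy_hitters(threshold=100))
```

Because every demotion moves only the exactly counted increments into the sketch, an estimate for any flow is never below its true count, and the overshoot is bounded by ordinary count-min noise; that is the property the test checks, whichever buckets the hash happens to assign.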
27. SQL injection attack detection in network flow data
- Author
-
Ignacio Samuel Crespo-Martínez, Adrián Campazas-Vega, Ángel Manuel Guerrero-Higueras, Virginia Riego-DelCastillo, Claudia Álvarez-Aparicio, Camino Fernández-Llamas, Ingenieria de Sistemas y Automatica, and Escuela de Ingenierias Industrial e Informatica
- Subjects
Informática ,Ensemble learning ,General Computer Science ,Machine learning ,Netflow ,Ingenierías ,SQLIA detection ,Network security ,Law - Abstract
[EN] SQL injections rank in the OWASP Top 3. The literature shows that analyzing network datagrams allows for detecting or preventing such attacks. Unfortunately, such detection usually implies studying all packets flowing in a computer network. Therefore, routers in charge of routing significant traffic loads usually cannot apply the solutions proposed in the literature. This work demonstrates that detecting SQL injection attacks on flow data from lightweight protocols is possible. For this purpose, we gathered two datasets collecting flow data from several SQL injection attacks on the most popular database engines. After evaluating several machine learning-based algorithms, we get a detection rate of over 97% with a false alarm rate of less than 0.07% with a Logistic Regression-based model.
Instituto Nacional de Ciberseguridad de España (INCIBE), Universidad de León
- Published
- 2023
28. Quality In / Quality Out: Data quality more relevant than model choice in anomaly detection with the UGR’16
- Author
-
Camacho Páez, José, Wasielewska, Katarzyna, Espinosa, Pablo, and Fuentes García, Raquel María
- Subjects
Netflow ,data quality ,UGR’16 ,anomaly detection - Abstract
Autonomous or self-driving networks are expected to provide a solution to the myriad of extremely demanding new applications in the Future Internet. The key to handle complexity is to perform tasks like network optimization and failure recovery with minimal human supervision. For this purpose, the community relies on the development of new Machine Learning (ML) models and techniques. However, ML can only be as good as the data it is fitted with. Datasets provided to the community as benchmarks for research purposes, which have a relevant impact in research findings and directions, are often assumed to be of good quality by default. In this paper, we show that relatively minor modifications on the same benchmark dataset (UGR’16, a flow-based real-traffic dataset for anomaly detection) cause significantly more impact on model performance than the specific ML technique considered. To understand this finding, we contribute a methodology to investigate the root causes for those differences, and to assess the quality of the data labelling. Our findings illustrate the need to devote more attention into (automatic) data quality assessment and optimization techniques in the context of autonomous networks.
This work was supported by the Agencia Estatal de Investigación in Spain, grant No PID2020-113462RB-I00, and the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No 893146.
- Published
- 2023
29. Detection of illicit cryptomining using network metadata
- Author
-
Pavel Laskov, Michele Russo, and Nedim Srndic
- Subjects
Computer engineering. Computer hardware ,Information retrieval ,business.industry ,Computer science ,QA75.5-76.95 ,Malware ,Computer Science Applications ,Metadata ,TK7885-7895 ,Detection ,Text mining ,Monero ,Electronic computers. Computer science ,Signal Processing ,Machine learning ,NetFlow ,business ,Cryptomining - Abstract
Illicit cryptocurrency mining has become one of the prevalent methods for monetization of computer security incidents. In this attack, victims’ computing resources are abused to mine cryptocurrency for the benefit of attackers. The most popular illicitly mined digital coin is Monero as it provides strong anonymity and is efficiently mined on CPUs. Illicit mining crucially relies on communication between compromised systems and remote mining pools using the de facto standard protocol Stratum. While prior research primarily focused on endpoint-based detection of in-browser mining, in this paper, we address network-based detection of cryptomining malware in general. We propose XMR-Ray, a machine learning detector using novel features based on reconstructing the Stratum protocol from raw NetFlow records. Our detector is trained offline using only mining traffic and does not require privacy-sensitive normal network traffic, which facilitates its adoption and integration. In our experiments, XMR-Ray attained 98.94% detection rate at 0.05% false alarm rate, outperforming the closest competitor. Our evaluation furthermore demonstrates that it reliably detects previously unseen mining pools, is robust against common obfuscation techniques such as encryption and proxies, and is applicable to mining in the browser or by compiled binaries. Finally, by deploying our detector in a large university network, we show its effectiveness in protecting real-world systems.
- Published
- 2021
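Entries 23 and 29 above are the same XMR-Ray paper; what makes Stratum visible in flow metadata is its shape: a persistent TCP connection carrying small JSON-RPC messages in both directions (job notifications from the pool, share submissions from the miner), regardless of port, TLS or an intervening proxy. The following is an added example and is not XMR-Ray's code or its feature set: a rule-of-thumb scorer over NetFlow-style records that counts how many Stratum-like properties a flow has. The thresholds and the sample flows are constructed assumptions, and the idle SSH session is included on purpose to show the limit of shape-only heuristics, which is exactly why the paper goes further and reconstructs the protocol.

```python
"""Stratum-shaped flow heuristic over NetFlow-style records.

Added example (not XMR-Ray's code or features). Thresholds are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    src: str
    dst: str
    dport: int
    proto: int          # 6 = TCP, 17 = UDP
    in_pkts: int        # client -> server
    in_bytes: int
    out_pkts: int       # server -> client
    out_bytes: int
    duration_s: float


def stratum_like_score(f: FlowRecord) -> int:
    """Count (0..4) of Stratum-shaped properties; only bidirectional TCP qualifies."""
    if f.proto != 6 or f.in_pkts == 0 or f.out_pkts == 0:
        return 0
    pkts = f.in_pkts + f.out_pkts
    checks = [
        f.duration_s >= 600,                                            # persistent session
        0.02 <= pkts / max(f.duration_s, 1.0) <= 5.0,                   # sparse, steady chatter
        40 <= (f.in_bytes + f.out_bytes) / pkts <= 400,                 # small JSON-RPC messages
        min(f.in_pkts, f.out_pkts) / max(f.in_pkts, f.out_pkts) >= 0.5,  # both sides talk
    ]
    return sum(checks)


def flag_mining_candidates(flows, min_score=4):
    """Flows meeting every check; these still need corroboration (pool reputation,
    endpoint telemetry), because other keepalive-style sessions match the shape too."""
    return [f for f in flows if stratum_like_score(f) >= min_score]


# Constructed records (not real traffic): miner session, bulk HTTPS download,
# idle SSH session, one DNS lookup.
SAMPLE_FLOWS = [
    FlowRecord("10.0.0.21", "203.0.113.45", 3333, 6, 900, 120_000, 1_100, 260_000, 3600.0),
    FlowRecord("10.0.0.22", "93.184.216.34", 443, 6, 400, 30_000, 1_500, 2_000_000, 12.0),
    FlowRecord("10.0.0.23", "198.51.100.7", 22, 6, 300, 30_000, 280, 40_000, 7200.0),
    FlowRecord("10.0.0.24", "198.51.100.53", 53, 17, 1, 70, 1, 120, 0.02),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.dst, f.dport, stratum_like_score(f))
```

The miner flow and the idle SSH session both score 4 while the download and the DNS lookup score 0: flow shape separates mining from bulk and transactional traffic, but not from other long-lived, chatty, low-volume sessions, which is the gap a protocol-aware detector has to close.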
30. MACHINE LEARNING STATISTICAL DETECTION OF ANOMALIES USING NETFLOW RECORDS
- Author
-
Putman, Zachary W., Bollmann, Chad A., Dinolt, George W., and Electrical and Computer Engineering (ECE)
- Subjects
machine learning ,denial of service ,NetFlow ,statistical detection ,CRISP-DM - Abstract
NetFlow is a network protocol system that is used to represent an overall summary of computer network conversations. A NetFlow record can convert previously captured packet captures or obtain NetFlow session data in real time. This research examines the use of machine-learning techniques to identify anomalies in NetFlow records and classify malware behavior for further investigation. The intent is to identify low-cost solutions leveraging open-source software capable of deployment on computer hardware of currently in-use data networks. This work seeks to determine whether expert selection of features can improve machine-learning detection algorithm performance and evaluate the trade-offs associated with eliminating redundant or excessive numbers of features. We identify the Random Forest algorithm as the strongest single algorithm across three of four metrics, with our chosen NetFlow features cutting the testing and training times in half while incurring minor reductions in two metrics. The experiment demonstrates that the chosen NetFlow features are sufficiently discriminative to detect attacks with a success rate higher than 94%.
NCWDG. Lieutenant, United States Navy. Approved for public release. Distribution is unlimited.
- Published
- 2022
31. Detecting DNS hijacking by using NetFlow data
- Author
-
Jens Myrup Pedersen, Emmanouil Vasilomanolakis, and Martin Fejrskov
- Subjects
hijacking ,DNS ,malware ,NetFlow ,IPFix - Abstract
DNS hijacking represents a security threat to users because it enables bypassing existing DNS security measures. Several malware families exploit this by changing the client DNS configuration to point to a malicious DNS resolver. Following the assumption that users will never actively choose to use a resolver that is not well-known, our paper introduces the idea of detecting client-based DNS hijacking by classifying public resolvers based on whether they are well-known or not. Furthermore, we propose to use NetFlow-based features to classify a resolver as well-known or malicious. By characterizing and manually labelling the 405 resolvers seen in four weeks of NetFlow data from a national ISP, we show that classification of both well-known and malicious servers can be made with an AUROC of 0.85.
- Published
- 2022
- Full Text
- View/download PDF
32. Detecting DNS hijacking by using NetFlow data
- Author
-
Fejrskov, Martin, Pedersen, Jens Myrup, and Vasilomanolakis, Emmanouil
- Abstract
DNS hijacking represents a security threat to users because it enables bypassing existing DNS security measures. Several malware families exploit this by changing the client DNS configuration to point to a malicious DNS resolver. Following the assumption that users will never actively choose to use a resolver that is not well-known, our paper introduces the idea of detecting client-based DNS hijacking by classifying public resolvers based on whether they are well-known or not. Furthermore, we propose to use NetFlow-based features to classify a resolver as well-known or malicious. By characterizing and manually labelling the 405 resolvers seen in four weeks of NetFlow data from a national ISP, we show that classification of both well-known and malicious servers can be made with an AUROC of 0.85.
- Published
- 2022
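Entries 31 and 32 are the same paper. Its premise is that a client whose DNS traffic goes to a resolver nobody would knowingly choose has probably had its resolver setting changed by malware, so the detection problem reduces to characterising each resolver from the flows that reach it. The following is an added example, not the paper's code or its labelled resolver set: it derives per-resolver features from NetFlow-style records on port 53 and applies a rule-based first pass (allow-list plus a client-count threshold) before naming the clients that talk to suspect resolvers. The resolver lists, the threshold and the records are constructed; the paper replaces the rule with a trained classifier over manually labelled resolvers.

```python
"""Per-resolver features from NetFlow and a rule-based hijack screen.

Added example (not the paper's code). Lists, thresholds and records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class NetFlowRecord:
    src: str
    dst: str
    dport: int
    proto: int      # 6 = TCP, 17 = UDP
    pkts: int
    bytes: int


ISP_RESOLVERS = {"198.51.100.53"}                 # constructed: the ISP's own resolver
WELL_KNOWN = {"8.8.8.8", "1.1.1.1", "9.9.9.9"}    # constructed allow-list of public resolvers


def resolver_features(records):
    """Group DNS-port flows by destination and compute NetFlow-derived features."""
    acc = defaultdict(lambda: {"clients": set(), "flows": 0, "pkts": 0, "bytes": 0, "tcp": 0})
    for r in records:
        if r.dport != 53 or r.proto not in (6, 17):
            continue                                   # not DNS traffic
        a = acc[r.dst]
        a["clients"].add(r.src)
        a["flows"] += 1
        a["pkts"] += r.pkts
        a["bytes"] += r.bytes
        a["tcp"] += int(r.proto == 6)
    return {
        dst: {
            "distinct_clients": len(a["clients"]),
            "flows": a["flows"],
            "bytes_per_pkt": round(a["bytes"] / a["pkts"], 1),
            "tcp_share": round(a["tcp"] / a["flows"], 2),
        }
        for dst, a in acc.items()
    }


def classify_resolvers(features, min_clients=3):
    """Assumed rule: allow-listed or ISP resolvers are 'well-known'; an unlisted resolver
    used by only a handful of clients is 'suspect' (the footprint of a malware-set
    resolver); anything else is 'unknown' and left for manual review."""
    labels = {}
    for dst, f in features.items():
        if dst in ISP_RESOLVERS or dst in WELL_KNOWN:
            labels[dst] = "well-known"
        elif f["distinct_clients"] < min_clients:
            labels[dst] = "suspect"
        else:
            labels[dst] = "unknown"
    return labels


def hijacked_clients(records, labels):
    """Clients whose DNS flows go to a resolver labelled 'suspect'."""
    return sorted({r.src for r in records if r.dport == 53 and labels.get(r.dst) == "suspect"})


# Constructed NetFlow records (not ISP data): ISP resolver users, two Google DNS
# users (one over TCP), one host pinned to an unknown resolver, and a non-DNS flow.
SAMPLE_RECORDS = [
    NetFlowRecord("10.1.0.11", "198.51.100.53", 53, 17, 2, 180),
    NetFlowRecord("10.1.0.12", "198.51.100.53", 53, 17, 2, 176),
    NetFlowRecord("10.1.0.13", "198.51.100.53", 53, 17, 4, 360),
    NetFlowRecord("10.1.0.14", "198.51.100.53", 53, 17, 2, 190),
    NetFlowRecord("10.1.0.11", "8.8.8.8", 53, 17, 2, 190),
    NetFlowRecord("10.1.0.15", "8.8.8.8", 53, 6, 8, 900),
    NetFlowRecord("10.1.0.77", "203.0.113.9", 53, 17, 40, 3600),
    NetFlowRecord("10.1.0.77", "203.0.113.9", 53, 17, 12, 1100),
    NetFlowRecord("10.1.0.12", "93.184.216.34", 443, 6, 30, 15000),
]

if __name__ == "__main__":
    feats = resolver_features(SAMPLE_RECORDS)
    labels = classify_resolvers(feats)
    print(labels, hijacked_clients(SAMPLE_RECORDS, labels))
```

The client-count rule is only a stand-in; the features it sits on (distinct clients, flow count, bytes per packet, TCP share) are the sort of NetFlow-derived signals a classifier can learn from once resolvers have been labelled.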
33. Model-Driven Network Monitoring Using NetFlow Applied to Threat Detection
- Author
-
Daniel González-Sánchez, Ignacio D. Martinez-Casanueva, Antonio Pastor, Luis Bellido Triana, Cristina Pinar Muñoz Zamarro, Alejandro Antonio Moreno Sancho, David Fernández Cambronero, and Diego Lopez
- Subjects
network monitoring ,YANG ,data model ,cryptomining ,threat detection ,NetFlow - Abstract
In recent years, several research works have proposed the analysis of network flow information using machine learning in order to detect threats or anomalous activities. In this sense, NetFlow-based systems stand out as one of the main sources of network flow information. In these systems, NetFlow collectors provide the flow monitoring information to be analyzed, but the particular information structure and format provided by different collector implementations is a recurring problem. In this paper, a new YANG data model is proposed as a standard model to use NetFlow-based monitoring data. In order to validate the proposal, a NetFlow collector incorporating the proposed NetFlow YANG model has been developed, to be integrated in a network scenario in which network flows are analyzed to detect malicious cryptomining activity. This collector extends an existing one, and provides design patterns to incorporate other existing collectors into this common data model. Our results show how, by using the YANG modeling language, network flow information can be handled and aggregated in a formal and unified way that provides flexibility and facilitates data analysis applied to threat detection.
- Published
- 2022
34. Anomaly detection in NetFlow network traffic using supervised machine learning algorithms
- Author
-
Fosić, Igor, Žagar, Drago, Grgić, Krešimir, and Križanović, Višnja
- Subjects
supervised algorithm ,machine learning ,anomaly classification ,NetFlow ,imbalanced dataset ,Information Systems and Management ,Industrial and Manufacturing Engineering - Abstract
Anomaly detection is an important method for monitoring network traffic, where it is important to successfully distinguish normal traffic from abnormal traffic. For this purpose, one could use the existing classification algorithms as a part of the machine learning (ML) process. In this paper, some of the classification algorithms (Stochastic Gradient Descent (SGD), Support Vector Machines (SVM), K-Nearest Neighbor (K-NN), Gaussian Naive Bayes (GNB), Decision Tree (DT), Random Forest (RF), AdaBoost (AB)) were tested on the public UNSW-NB15 dataset. Different encoding methods and ratios of training and test data resulted in classifiers with optimal parameters. Due to the imbalanced distribution of normal and abnormal network traffic data, both standard performance scores and additional classification performance scores (F2-score, Area Under ROC Curve (AUC)) were used, that better describe the obtained results. The RF Classifier with F2-score = 97.68% and AUC score = 98.47% obtained the best results using a representative subset within the original dataset due to the shorter duration of the computations. Features in the referential dataset were reduced by 82% and selected following the structure of the NetFlow data stream. Concerning similar studies, this paper compares several algorithms for anomaly detection and selects the best one for NetFlow data streams. The F2 and AUC metrics are applied, which achieve very high accuracy compared to classic metrics that do not show realistic accuracy in imbalanced datasets. Less time was spent using Label encoding (LE) with the same accuracy compared to One-hot (OH) encoding used in similar research. The novelty introduced by this paper is in the optimization of the ML process and the influence of the ratio of data for learning and testing, different encoding methods of categorical features, and feature reduction on the NetFlow data streams.
- Published
- 2023
- Full Text
- View/download PDF
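The abstract's point about imbalanced NetFlow data is easy to see with numbers: when attacks are one percent of the flows, a classifier that flags nothing is 99% accurate and useless. The following is an added example, not the paper's code: confusion-matrix accuracy and F2, a rank-based AUC, and a threshold sweep that picks the operating point maximising F2. The confusion matrices and the score lists are constructed, not taken from UNSW-NB15.

```python
"""Accuracy vs. F2 vs. AUC on an imbalanced detection problem (added example).

Confusion matrices and scores below are constructed, not from UNSW-NB15.
"""
from itertools import product


def accuracy(tp, fp, fn, tn):
    return (tp + tn) / (tp + fp + fn + tn)


def f_beta(tp, fp, fn, tn=0, beta=2.0):
    """F-beta from a confusion matrix. beta=2 weights recall (caught attacks) four
    times as much as precision, the right bias when a missed attack costs more
    than an analyst triaging a false alarm. tn is accepted but unused."""
    b2 = beta * beta
    denom = (1 + b2) * tp + b2 * fn + fp
    return (1 + b2) * tp / denom if denom else 0.0


def auc(pos_scores, neg_scores):
    """Area under the ROC curve as the probability that a random attack flow
    outscores a random normal flow (Mann-Whitney form; ties count one half)."""
    wins = 0.0
    for p, n in product(pos_scores, neg_scores):
        wins += 1.0 if p > n else 0.5 if p == n else 0.0
    return wins / (len(pos_scores) * len(neg_scores))


def best_f2_threshold(pos_scores, neg_scores):
    """Sweep every observed score as an alert threshold; return (threshold, f2)."""
    best = (None, -1.0)
    for t in sorted(set(pos_scores) | set(neg_scores)):
        tp = sum(s >= t for s in pos_scores)
        fp = sum(s >= t for s in neg_scores)
        f2 = f_beta(tp, fp, len(pos_scores) - tp, len(neg_scores) - fp)
        if f2 > best[1]:
            best = (t, f2)
    return best


# Constructed: 990 normal flows and 10 attacks.
# Model A never raises an alert; model B catches 9 attacks with 20 false alarms.
MODEL_A = dict(tp=0, fp=0, fn=10, tn=990)
MODEL_B = dict(tp=9, fp=20, fn=1, tn=970)

# Constructed detector scores for 4 attack flows and 4 normal flows.
POS_SCORES = [0.9, 0.8, 0.7, 0.35]
NEG_SCORES = [0.1, 0.2, 0.35, 0.5]

if __name__ == "__main__":
    for name, m in (("A", MODEL_A), ("B", MODEL_B)):
        print(name, "accuracy", accuracy(**m), "F2", round(f_beta(**m), 3))
    print("AUC", auc(POS_SCORES, NEG_SCORES), "best F2 threshold", best_f2_threshold(POS_SCORES, NEG_SCORES))
```

Model A wins on accuracy (0.99 against 0.979) and scores zero on F2, while model B's F2 of 45/69 reflects the nine attacks it actually caught; AUC, being threshold-free, ranks detectors before an operating point is chosen, and the sweep then picks that point for the cost model F2 encodes.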
35. A study on the use of 3rd party DNS resolvers for malware filtering or censorship circumvention
- Author
-
Andersen, Martin Fejrskov, Vasilomanolakis, Emmanouil, Pedersen, Jens Myrup, Meng, Weizhi, Fischer-Hübner, Simone, and Jensen, Christian D.
- Subjects
DNS ,ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS ,NetFlow ,ISP ,censorship ,filtering ,Resolver - Abstract
DNS resolvers perform the essential role of translating domain names into IP addresses. The default DNS resolver offered by an Internet Service Provider (ISP) can be undesirable for a number of reasons such as censorship, lack of malware filtering options and low service quality. In this paper, we propose a novel method for estimating the amount of DNS traffic directed at non-ISP resolvers by using DNS and NetFlow data from an ISP. This method is extended to also estimate the amount of DNS traffic towards resolvers that offer malware filtering or parental control functionality. Finally, we propose a novel method for estimating the amount of DNS traffic at non-ISP resolvers that would have been censored by ISP resolvers. The results of applying these methods on an ISP dataset shows to which extent 3rd party resolvers are chosen by users for either malware filtering or censorship circumvention purposes.
- Published
- 2022
- Full Text
- View/download PDF