Your search keyword '"NetFlow"' showing total 1,000 results

1. Tackling Evolving Botnet Threats: A Gradual Self-Training Neural Network Approach

Author

Ta-Chun Lo, Jyh-Biau Chang, Shao-Hsuan Lo, Bai-Jun Kao, and Ce-Kuen Shieh

Subjects

Botnet detection, NetFlow, network security, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Botnets pose a significant challenge to network security but are difficult to detect because of their dynamic and evolving nature, which limits the effectiveness of conventional supervised neural network detection methods. To address this problem, the present study proposes a novel neural network-based self-training framework for botnet detection, in which pseudo-labels are generated from unlabeled data by a trained classifier, which is iteratively refined over time using a combined dataset containing both training and pseudo-labeled data. Although not all of the generated pseudo-labels are applicable to every botnet, the self-training framework can label unseen botnets with behaviors similar to those of known botnets with high confidence. Several strategies are proposed for enhancing the robustness of the classification performance by minimizing the number of incorrect pseudo-labels, mitigating the effects of erroneous pseudo-labels on the overall performance of the network, and optimizing the proportion of unlabeled data for labeling. Experiments conducted on both synthetic datasets confirm the superiority of the proposed method over the base model, particularly when the training data constitutes only a small portion of the total amount dataset. Subsequent experiments also demonstrate the efficacy of the framework in successfully detecting unseen botnet variants and its commendable performance in real-world campus network traffic.

Published

2024

2. An approach to application-layer DoS detection

Author

Cliff Kemp, Chad Calvert, Taghi M. Khoshgoftaar, and Joffrey L. Leevy

Subjects

Application-layer DoS attack, Machine learning, HTTP GET, HTTP POST, Slow read DoS, Netflow, Computer engineering. Computer hardware, TK7885-7895, Information technology, T58.5-58.64, Electronic computers. Computer science, QA75.5-76.95

Abstract

Abstract With the massive resources and strategies accessible to attackers, countering Denial of Service (DoS) attacks is getting increasingly difficult. One of these techniques is application-layer DoS. Due to these challenges, network security has become increasingly more challenging to ensure. Hypertext Transfer Protocol (HTTP), Domain Name Service (DNS), Simple Mail Transfer Protocol (SMTP), and other application protocols have had increased attacks over the past several years. It is common for application-layer attacks to concentrate on these protocols because attackers can exploit some weaknesses. Flood and “low and slow” attacks are examples of application-layer attacks. They target weaknesses in HTTP, the most extensively used application-layer protocol on the Internet. Our experiment proposes a generalized detection approach to identify features for application-layer DoS attacks that is not specific to a single slow DoS attack. We combine four application-layer DoS attack datasets: Slow Read, HTTP POST, Slowloris, and Apache Range Header. We perform a feature-scaling technique that applies a normalization filter to the combined dataset. We perform a feature extraction technique, Principal Component Analysis (PCA), on the combined dataset to reduce dimensionality. We examine ways to enhance machine learning techniques for detecting slow application-layer DoS attacks that employ these methodologies. The machine learners effectively identify multiple slow DoS attacks, according to our findings. The experiment shows that classifiers are good predictors when combined with our selected Netflow characteristics and feature selection techniques.

Published

2023

3. A Quantitative Logarithmic Transformation-Based Intrusion Detection System

Author

Blue Lan, Ta-Chun Lo, Rico Wei, Heng-Yu Tang, and Ce-Kuen Shieh

Subjects

NIDS, NetFlow, network security, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Intrusion detection systems (IDS) play a vital role in protecting networks from malicious attacks. Modern IDS use machine-learning or deep-learning models to deal with the diversity of attacks that malicious users may employ. However, effective machine-learning methods incur a considerable cost in both the pretraining stage and the online detection process itself. Accordingly, this study proposes a quantitative logarithmic transformation-based intrusion detection system (QLT-IDS) that uses a straightforward statistical approach to analyze network behavior. Compared with machine-learning or deep-learning-based IDS methods, the proposed system requires neither a time-consuming and expensive data collection and training process, nor a GPU-included device to achieve a real-time detection performance. Furthermore, the system can deal not only with North-South attacks, but also East-West attacks, which pose a significant risk in real-world operations. The effectiveness of the proposed system is evaluated for both real-world campus network traffic and simulated traffic. The results confirm that QLT-IDS is able to detect a wide range of malicious attacks with a high precision, even under high down-sampling rate of the NetFlow records.

Published

2023

4. Analysis of TCP flood attack using NetFlow

Author

Vsevolod Kapustin and Nerijus Paulauskas

Subjects

NetFlow, tcpdump, TCP, packet, firewall, traffic, Technology, Science

Abstract

Traffic analysis is a common question for most of the production systems in various segments of computer networks. Attacks, configuration mistakes, and other factors can cause network increased accessibility and as a result danger for data privacy. Analyzing network flow and their single packets can be helpful for anomalies detection. Well-known network equipment has predeveloped network flow monitoring software. “NetFlow” data collector software “Nfsen” is an open-source way to collect information from agents. Also “Nfsen” is designed for data sorting and dataset for instruction detection system preparation. Prepared data can be split into fragments for artificial intelligent learning and testing. As AI unit can be used multilayer perceptron developed in a python programming language. This paper focused on real-world traffic dataset collection and multilayer perceptron deployment for TCP flood traffic detection. Article in English. Perteklinių TCP sesijų sudarymo atakų analizavimas naudojant „NetFlow“ Santrauka Srauto analizė – vienas pagrindinių įrankių anomalijoms kompiuteriniame tinkle aptikti. Atakos, konfigūracijos klaidos gali padėti lengviau pasiekti kompiuterinį tinklą ir galiausiai padidinti duomenų saugumo pavojų. Duomenų perdavimo tinklo srauto ir pavienių paketų analizė gali būti naudojama anomalijoms aptikti. Daugelis įrangos gamintojų įdiegia į savo įrangą srauto stebėjimo įrankius. „NetFlow“ protokolu perduodamu srautų duomenų kolektorius „Nfsen“ yra atvirojo kodo programinė įranga, padedanti surinkti informaciją iš agentų. Taip pat „Nfsen“ yra suprojektuota duomenų rinkinio įsibrovimo aptikimo sistemoms paruošti. Paruoštas duomenų rinkinys gali būti padalytas siekiant apmokyti ir testuoti dirbtinio intelekto modelį. Intelektinės sistemos srautui klasifikuoti gali būti naudojamas daugiasluoksnis perceptronas. Šiame darbe siekiama išanalizuoti, kaip interneto tiekėjo tinkle aptikti TCP perteklinį srautą ir jį klasifikuoti. Reikšminiai žodžiai: „NetFlow“, tcpdump, TCP, paketas, ugniasienė, srautas, GRE, ataka.

Published

2023

5. An approach to application-layer DoS detection.

Author

Kemp, Cliff, Calvert, Chad, Khoshgoftaar, Taghi M., and Leevy, Joffrey L.

Subjects

HTTP (Computer network protocol), DENIAL of service attacks, INTERNET domain naming system, FEATURE selection, PRINCIPAL components analysis, COMPUTER network security, INTERNET protocols

Abstract

With the massive resources and strategies accessible to attackers, countering Denial of Service (DoS) attacks is getting increasingly difficult. One of these techniques is application-layer DoS. Due to these challenges, network security has become increasingly more challenging to ensure. Hypertext Transfer Protocol (HTTP), Domain Name Service (DNS), Simple Mail Transfer Protocol (SMTP), and other application protocols have had increased attacks over the past several years. It is common for application-layer attacks to concentrate on these protocols because attackers can exploit some weaknesses. Flood and "low and slow" attacks are examples of application-layer attacks. They target weaknesses in HTTP, the most extensively used application-layer protocol on the Internet. Our experiment proposes a generalized detection approach to identify features for application-layer DoS attacks that is not specific to a single slow DoS attack. We combine four application-layer DoS attack datasets: Slow Read, HTTP POST, Slowloris, and Apache Range Header. We perform a feature-scaling technique that applies a normalization filter to the combined dataset. We perform a feature extraction technique, Principal Component Analysis (PCA), on the combined dataset to reduce dimensionality. We examine ways to enhance machine learning techniques for detecting slow application-layer DoS attacks that employ these methodologies. The machine learners effectively identify multiple slow DoS attacks, according to our findings. The experiment shows that classifiers are good predictors when combined with our selected Netflow characteristics and feature selection techniques. [ABSTRACT FROM AUTHOR]

Published

2023

6. ANALYSIS OF TCP FLOOD ATTACK USING NETFLOW.

Author

KAPUSTIN, Vsevolod and PAULAUSKAS, Nerijus

Subjects

*DENIAL of service attacks, *DATA privacy, *TRAFFIC monitoring, *COMPUTER networks, *COMPUTER networking equipment, *PYTHON programming language

Abstract

Traffic analysis is a common question for most of the production systems in various segments of computer networks. Attacks, configuration mistakes, and other factors can cause network increased accessibility and as a result danger for data privacy. Analyzing network flow and their single packets can be helpful for anomalies detection. Well-known network equipment has predeveloped network flow monitoring software. "NetFlow" data collector software "Nfsen" is an open-source way to collect information from agents. Also "Nfsen" is designed for data sorting and dataset for instruction detection system preparation. Prepared data can be split into fragments for artificial intelligent learning and testing. As AI unit can be used multilayer perceptron developed in a python programming language. This paper focused on real-world traffic dataset collection and multilayer perceptron deployment for TCP flood traffic detection. [ABSTRACT FROM AUTHOR]

Published

2023

7. Tensor-Based Online Network Anomaly Detection and Diagnosis

Author

Mehdi Shajari, Hongxiang Geng, Kaixuan Hu, and Alberto Leon-Garcia

Subjects

Anomaly detection, anomaly diagnosis, convolutional neural network, autoencoder, NetFlow, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

This paper presents an online anomaly detection system capable of handling operational network traffic of large networks (such as an ISP). We also aim for an effective and practical diagnosis of anomalies diagnosis to produce actionable intelligence that enables automated response. To achieve these objectives, we use the following approaches. (1) We model the status of the network by a stream of tensors where each tensor cell contains a time series. (2) We detect anomalous tensors at discrete time steps using an unsupervised tensor representation learning model. (3) We produce actionable intelligence by diagnosing anomaly detection results and identifying the abnormal time series that are the most likely causes of each anomaly in the tensor. (4) We further analyze the traffic corresponding to each anomalous time series by an innovative method that extracts and isolates the attack traffic. (5) We provide solutions for streaming data anomaly detection challenges such as large volume, high velocity, seasonality, and concept drift. We apply our approach to the complete test set of UGR data to show its practicality and effectiveness. Not only can we detect and isolate most of the labelled attack traffic, but we also identify many organic attack activities in the UGR data. Our results on the complete UGR dataset show high detection and isolation rates for the labelled attacks in the dataset. We also report on additional organic attacks we detected that were originally labelled as background in the dataset. Our analysis shows that the isolated background traffic represents interesting and potentially malicious behavior and can provide invaluable insight for cyber-threat researchers.

Published

2022

8. Detection of illicit cryptomining using network metadata

Author

Michele Russo, Nedim Šrndić, and Pavel Laskov

Subjects

Detection, Malware, Cryptomining, Monero, NetFlow, Machine learning, Computer engineering. Computer hardware, TK7885-7895, Electronic computers. Computer science, QA75.5-76.95

Abstract

Abstract Illicit cryptocurrency mining has become one of the prevalent methods for monetization of computer security incidents. In this attack, victims’ computing resources are abused to mine cryptocurrency for the benefit of attackers. The most popular illicitly mined digital coin is Monero as it provides strong anonymity and is efficiently mined on CPUs.Illicit mining crucially relies on communication between compromised systems and remote mining pools using the de facto standard protocol Stratum. While prior research primarily focused on endpoint-based detection of in-browser mining, in this paper, we address network-based detection of cryptomining malware in general. We propose XMR-Ray, a machine learning detector using novel features based on reconstructing the Stratum protocol from raw NetFlow records. Our detector is trained offline using only mining traffic and does not require privacy-sensitive normal network traffic, which facilitates its adoption and integration.In our experiments, XMR-Ray attained 98.94% detection rate at 0.05% false alarm rate, outperforming the closest competitor. Our evaluation furthermore demonstrates that it reliably detects previously unseen mining pools, is robust against common obfuscation techniques such as encryption and proxies, and is applicable to mining in the browser or by compiled binaries. Finally, by deploying our detector in a large university network, we show its effectiveness in protecting real-world systems.

Published

2021

9. A Machine Learning-based Real-time Monitoring System for Classification of Elephant Flows on KOREN.

Author

Akbar, Waleed, Rivera, Javier J. D., Ahmed, Khan T., Muhammad, Afaq, and Wang-Cheol Song

Subjects

SOFTWARE-defined networking, ELEPHANTS, RANDOM forest algorithms, MACHINE learning, CLASSIFICATION

Abstract

With the advent and realization of Software Defined Network (SDN) architecture, many organizations are now shifting towards this paradigm. SDN brings more control, higher scalability, and serene elasticity. The SDN spontaneously changes the network configuration according to the dynamic network requirements inside the constrained environments. Therefore, a monitoring system that can monitor the physical and virtual entities is needed to operate this type of network technology with high efficiency and proficiency. In this manuscript, we propose a real-time monitoring system for data collection and visualization that includes the Prometheus, node exporter, and Grafana. A node exporter is configured on the physical devices to collect the physical and virtual entities resources utilization logs. A real-time Prometheus database is configured to collect and store the data from all the exporters. Furthermore, the Grafana is affixed with Prometheus to visualize the current network status and device provisioning. A monitoring system is deployed on the physical infrastructure of the KOREN topology. Data collected by the monitoring system is further pre-processed and restructured into a dataset. A monitoring system is further enhanced by including machine learning techniques applied on the formatted datasets to identify the elephant flows. Additionally, a Random Forest is trained on our generated labeled datasets, and the classification models' performance are verified using accuracy metrics. [ABSTRACT FROM AUTHOR]

Published

2022

10. Detection of illicit cryptomining using network metadata.

Author

Russo, Michele, Šrndić, Nedim, and Laskov, Pavel

Subjects

METADATA, DIGITAL currency, COMPUTER security, CRYPTOCURRENCY mining, SENSOR networks, CRYPTOCURRENCIES, MACHINE learning, CRYPTOSYSTEMS

Abstract

Illicit cryptocurrency mining has become one of the prevalent methods for monetization of computer security incidents. In this attack, victims' computing resources are abused to mine cryptocurrency for the benefit of attackers. The most popular illicitly mined digital coin is Monero as it provides strong anonymity and is efficiently mined on CPUs.Illicit mining crucially relies on communication between compromised systems and remote mining pools using the de facto standard protocol Stratum. While prior research primarily focused on endpoint-based detection of in-browser mining, in this paper, we address network-based detection of cryptomining malware in general. We propose XMR-Ray, a machine learning detector using novel features based on reconstructing the Stratum protocol from raw NetFlow records. Our detector is trained offline using only mining traffic and does not require privacy-sensitive normal network traffic, which facilitates its adoption and integration.In our experiments, XMR-Ray attained 98.94% detection rate at 0.05% false alarm rate, outperforming the closest competitor. Our evaluation furthermore demonstrates that it reliably detects previously unseen mining pools, is robust against common obfuscation techniques such as encryption and proxies, and is applicable to mining in the browser or by compiled binaries. Finally, by deploying our detector in a large university network, we show its effectiveness in protecting real-world systems. [ABSTRACT FROM AUTHOR]

Published

2021

11. An Adaptive Profile-Based Approach for Detecting Anomalous Traffic in Backbone

Author

Xiao-Dong Zang, Jian Gong, and Xiao-Yan Hu

Subjects

Traffic characterization, anomaly detection, netflow, characteristic spectrum, digital signatures, Electrical engineering. Electronics. Nuclear engineering, TK1-9971

Abstract

Anomaly detection is the first step with a challenging task of securing a communication network, as the anomalies may indicate suspicious behaviors, attacks, network malfunctions, or failures. In this paper, we address the problem of not only detecting different anomalies, such as volume based (e.g., DDoS or Flash crowd) and spatial based (e.g., network scan), that arise simultaneously in the wild but also of attributing the anomalous point to a single-anomaly event causing it. Besides, we also tackle the problem of low-detection accuracy caused by the phenomenon of traffic drift. To this end, a novel adaptive profile-based anomaly detection scheme is proposed. More specifically, a more comprehensive metrics set is defined from the dimensions of temporal, spatial, category, and intensity to compose IP traffic behavior characteristic spectrum for fine-grained traffic characterization. Then, the digital signature matrix obtained by using the ant colony optimization (ACO) algorithm is applied to construct the baseline profile of the normal traffic behavior. Anomalous points are identified and analyzed by using confidence bands and a generic clustering technique, respectively. Finally, a lightweight updating strategy is applied to reduce the number of false positives. Real-world data of China Education Research Network backbone and synthetic data are collected to verify our proposal. The experimental results demonstrate that our approach provides a fine-grained behavior description ability and has significantly increased the detection accuracy compared with other similar alternatives.

Published

2019

12. MACHINE LEARNING STATISTICAL DETECTION OF ANOMALIES USING NETFLOW RECORDS

Author

Bollmann, Chad A., Dinolt, George W., Electrical and Computer Engineering (ECE), Putman, Zachary W., Bollmann, Chad A., Dinolt, George W., Electrical and Computer Engineering (ECE), and Putman, Zachary W.

Abstract

NetFlow is a network protocol system that is used to represent an overall summary of computer network conversations. A NetFlow record can convert previously captured packet captures or obtain NetFlow session data in real time. This research examines the use of machine-learning techniques to identify anomalies in NetFlow records and classify malware behavior for further investigation. The intent is to identify low-cost solutions leveraging open-source software capable of deployment on computer hardware of currently in-use data networks. This work seeks to determine whether expert selection of features can improve machine-learning detection algorithm performance and evaluate the trade-offs associated with eliminating redundant or excessive numbers of features. We identify the Random Forest algorithm as the strongest single algorithm across three of four metrics, with our chosen NetFlow features cutting the testing and training times in half while incurring minor reductions in two metrics. The experiment demonstrates that the chosen NetFlow features are sufficiently discriminative to detect attacks with a success rate higher than 94%., NCWDG, Lieutenant, United States Navy, Approved for public release. Distribution is unlimited.

Published

2023

13. How to Effectively Collect and Process Network Data for Intrusion Detection?

Author

Mikołaj Komisarek, Marek Pawlicki, Rafał Kozik, Witold Hołubowicz, and Michał Choraś

Subjects

NetFlow, network intrusion detection, network behavior analysis, data quality, feature selection, Science, Astrophysics, QB460-466, Physics, QC1-999

Abstract

The number of security breaches in the cyberspace is on the rise. This threat is met with intensive work in the intrusion detection research community. To keep the defensive mechanisms up to date and relevant, realistic network traffic datasets are needed. The use of flow-based data for machine-learning-based network intrusion detection is a promising direction for intrusion detection systems. However, many contemporary benchmark datasets do not contain features that are usable in the wild. The main contribution of this work is to cover the research gap related to identifying and investigating valuable features in the NetFlow schema that allow for effective, machine-learning-based network intrusion detection in the real world. To achieve this goal, several feature selection techniques have been applied on five flow-based network intrusion detection datasets, establishing an informative flow-based feature set. The authors’ experience with the deployment of this kind of system shows that to close the research-to-market gap, and to perform actual real-world application of machine-learning-based intrusion detection, a set of labeled data from the end-user has to be collected. This research aims at establishing the appropriate, minimal amount of data that is sufficient to effectively train machine learning algorithms in intrusion detection. The results show that a set of 10 features and a small amount of data is enough for the final model to perform very well.

Published

2021

14. UGRansome1819: A Novel Dataset for Anomaly Detection and Zero-Day Threats

Author

Mike Nkongolo, Jacobus Philippus van Deventer, and Sydney Mambwe Kasongo

Subjects

netflow, anomaly detection, ensemble learning, zero-day threats, feature extraction, feature engineering, Information technology, T58.5-58.64

Abstract

This research attempts to introduce the production methodology of an anomaly detection dataset using ten desirable requirements. Subsequently, the article presents the produced dataset named UGRansome, created with up-to-date and modern network traffic (netflow), which represents cyclostationary patterns of normal and abnormal classes of threatening behaviours. It was discovered that the timestamp of various network attacks is inferior to one minute and this feature pattern was used to record the time taken by the threat to infiltrate a network node. The main asset of the proposed dataset is its implication in the detection of zero-day attacks and anomalies that have not been explored before and cannot be recognised by known threats signatures. For instance, the UDP Scan attack has been found to utilise the lowest netflow in the corpus, while the Razy utilises the highest one. In turn, the EDA2 and Globe malware are the most abnormal zero-day threats in the proposed dataset. These feature patterns are included in the corpus, but derived from two well-known datasets, namely, UGR’16 and ransomware that include real-life instances. The former incorporates cyclostationary patterns while the latter includes ransomware features. The UGRansome dataset was tested with cross-validation and compared to the KDD99 and NSL-KDD datasets to assess the performance of Ensemble Learning algorithms. False alarms have been minimized with a null empirical error during the experiment, which demonstrates that implementing the Random Forest algorithm applied to UGRansome can facilitate accurate results to enhance zero-day threats detection. Additionally, most zero-day threats such as Razy, Globe, EDA2, and TowerWeb are recognised as advanced persistent threats that are cyclostationary in nature and it is predicted that they will be using spamming and phishing for intrusion. Lastly, achieving the UGRansome balance was found to be NP-Hard due to real life-threatening classes that do not have a uniform distribution in terms of several instances.

Published

2021

15. Network anomaly detection using artificial neural networks

Author

Sergey Andropov, Alexei Guirik, Mikhail Budko, and Marina Budko

Subjects

anomaly detection, Netflow, neural networks, Telecommunication, TK5101-6720

Abstract

This paper presents a method of identifying and classifying network anomalies using an artificial neural network for analyzing data gathered via Netflow protocol. Potential anomalies and their properties are described. We propose using a multilayer perceptron, trained with the backpropagation algorithm. We experiment both with datasets acquired from a real ISP monitoring system and with datasets modified to simulate the presence of anomalies; some Netflow records are modified to contain known patterns of several network attacks. We evaluate the viability of the approach by practical experimentation with various anomalies and iteration sizes.

Published

2017

16. Efficient and Accurate Flow Record Collection With HashFlow

Author

Han Zhang, Qing Li, Zongyi Zhao, Xia Yin, Zhiliang Wang, and Xingang Shi

Subjects

Traffic analysis, Computational Theory and Mathematics, Flow (mathematics), Hardware and Architecture, Computer science, Signal Processing, Real-time computing, Hash function, NetFlow, Table (database), Throughput, Data structure, Flow measurement

Abstract

Traditional tools like NetFlow face great challenges as both the speed and the complexity of the network traffic increase. To keep the pace up, we propose HashFlow for more efficient and accurate collection of flow records. HashFlow keeps large flows in its main flow table and uses an ancillary table to summarize the other flows when the main table is full. With our flow collision resolution and flow record promotion schemes, a flow in the ancillary table is promoted back to the main flow table with a guaranteed probability when it becomes large enough. These operations can be performed highly efficiently, so HashFlow can keep up with ultra-high traffic speed. We implement HashFlow in a Tofino switch, and using traces from different operational networks, we compare its performance against some state-of-the-art flow measurement algorithms. Our experiments show that, for various types of traffic analysis applications, HashFlow consistently demonstrates clearly better performance than its competitors. For example, the performance of HashFlow in flow size estimation, flow size distribution estimation and heavy hitter detection is up to 21, 60 and 35 percent better than those of the best competitors respectively, and these merits of HashFlow come with almost no degradation of throughput.

Published

2022

17. Utilising Flow Aggregation to Classify Benign Imitating Attacks

Author

Hanan Hindy, Robert Atkinson, Christos Tachtatzis, Ethan Bayne, Miroslav Bures, and Xavier Bellekens

Subjects

NetFlow, network traffic, intrusion detection, machine learning, features, CICIDS2017, Chemical technology, TP1-1185

Abstract

Cyber-attacks continue to grow, both in terms of volume and sophistication. This is aided by an increase in available computational power, expanding attack surfaces, and advancements in the human understanding of how to make attacks undetectable. Unsurprisingly, machine learning is utilised to defend against these attacks. In many applications, the choice of features is more important than the choice of model. A range of studies have, with varying degrees of success, attempted to discriminate between benign traffic and well-known cyber-attacks. The features used in these studies are broadly similar and have demonstrated their effectiveness in situations where cyber-attacks do not imitate benign behaviour. To overcome this barrier, in this manuscript, we introduce new features based on a higher level of abstraction of network traffic. Specifically, we perform flow aggregation by grouping flows with similarities. This additional level of feature abstraction benefits from cumulative information, thus qualifying the models to classify cyber-attacks that mimic benign traffic. The performance of the new features is evaluated using the benchmark CICIDS2017 dataset, and the results demonstrate their validity and effectiveness. This novel proposal will improve the detection accuracy of cyber-attacks and also build towards a new direction of feature extraction for complex ones.

Published

2021

18. COLETA, TRATAMENTO E ARMAZENAMENTO DE FLUXOS NO PADRÃO NETFLOW

Author

Vitor Ruiz and Helton Sapia

Subjects

Netflow, Colector, Flows, Engineering (General). Civil engineering (General), TA1-2040, Science (General), Q1-390

Abstract

This work presents a tool that collect, store and allows a posterior analysis of the flows, in the NetFlow standard. Due to increasing number of connected devices and access to the Internet, the traffic density over networks have also increased greatly. To ensure safety, it must be possible to identify adverse events to the network environment. Traditional analytical methods used to capture packets, which is computationally infeasible in some cases (when the amount of traffic is very large, for example), the collection using flows is most suitable in these cases. This work aims at the development of an application that collects, treats and stores flows, in the Netflow standard. The flows are collected using a UDP socket, with a Gateway (OpenBSD) assistance and stored in a MySQL database.

Published

2016

19. SQL injection attack detection in network flow data

Author

Ignacio Samuel Crespo-Martínez, Adrián Campazas-Vega, Ángel Manuel Guerrero-Higueras, Virginia Riego-DelCastillo, Claudia Álvarez-Aparicio, Camino Fernández-Llamas, Ingenieria de Sistemas y Automatica, and Escuela de Ingenierias Industrial e Informatica

Subjects

Informática, Ensamble learning, General Computer Science, Machine learning, Netflow, Ingenierías, SQLIA detection, Network security, Law

Abstract

[EN] SQL injections rank in the OWASP Top 3. The literature shows that analyzing network datagrams allows for detecting or preventing such attacks. Unfortunately, such detection usually implies studying all packets flowing in a computer network. Therefore, routers in charge of routing significant traffic loads usually cannot apply the solutions proposed in the literature. This work demonstrates that detecting SQL injection attacks on flow data from lightweight protocols is possible. For this purpose, we gathered two datasets collecting flow data from several SQL injection attacks on the most popular database engines. After evaluating several machine learning-based algorithms, we get a detection rate of over 97% with a false alarm rate of less than 0.07% with a Logistic Regression-based model. SI Instituto Nacional de Ciberseguridad de España (INCIBE) Universidad de León

Published

2023

20. Quality In / Quality Out: Data quality more relevant than model choice in anomaly detection with the UGR’16

Author

Camacho Páez, José, Wasielewska, Katarzyna, Espinosa, Pablo, and Fuentes García, Raquel María

Subjects

Netflow, data quality, UGR’16, anomaly detection

Abstract

Autonomous or self-driving networks are expected to provide a solution to the myriad of extremely demanding new applications in the Future Internet. The key to handle complexity is to perform tasks like network optimization and failure recovery with minimal human supervision. For this purpose, the community relies on the development of new Machine Learning (ML) models and techniques. However, ML can only be as good as the data it is fitted with. Datasets provided to the community as benchmarks for research purposes, which have a relevant impact in research findings and directions, are often assumed to be of good quality by default. In this paper, we show that relatively minor modifications on the same benchmark dataset (UGR’16, a flow-based real-traffic dataset for anomaly detection) cause significantly more impact on model performance than the specific ML technique considered. To understand this finding, we contribute a methodology to investigate the root causes for those differences, and to assess the quality of the data labelling. Our findings illustrate the need to devote more attention into (automatic) data quality assessment and optimization techniques in the context of autonomous networks., This work was supported by the Agencia Estatal de Investigaci´on in Spain, grant No PID2020-113462RB-I00, and the European Union’s Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No 893146.

Published

2023

21. Flow-Data Gathering Using NetFlow Sensors for Fitting Malicious-Traffic Detection Models

Author

Adrián Campazas-Vega, Ignacio Samuel Crespo-Martínez, Ángel Manuel Guerrero-Higueras, and Camino Fernández-Llamas

Subjects

NetFlow, packet flow, advanced persistent threat, malicious traffic, dataset, Chemical technology, TP1-1185

Abstract

Advanced persistent threats (APTs) are a growing concern in cybersecurity. Many companies and governments have reported incidents related to these threats. Throughout the life cycle of an APT, one of the most commonly used techniques for gaining access is network attacks. Tools based on machine learning are effective in detecting these attacks. However, researchers usually have problems with finding suitable datasets for fitting their models. The problem is even harder when flow data are required. In this paper, we describe a framework to gather flow datasets using a NetFlow sensor. We also present the Docker-based framework for gathering netflow data (DOROTHEA), a Docker-based solution implementing the above framework. This tool aims to easily generate taggable network traffic to build suitable datasets for fitting classification models. In order to demonstrate that datasets gathered with DOROTHEA can be used for fitting classification models for malicious-traffic detection, several models were built using the model evaluator (MoEv), a general-purpose tool for training machine-learning algorithms. After carrying out the experiments, four models obtained detection rates higher than 93%, thus demonstrating the validity of the datasets gathered with the tool.

Published

2020

22. Detection of illicit cryptomining using network metadata

Author

Pavel Laskov, Michele Russo, and Nedim Srndic

Subjects

Computer engineering. Computer hardware, Information retrieval, business.industry, Computer science, QA75.5-76.95, Malware, Computer Science Applications, Metadata, TK7885-7895, Detection, Text mining, Monero, Electronic computers. Computer science, Signal Processing, Machine learning, NetFlow, business, Cryptomining

Abstract

Illicit cryptocurrency mining has become one of the prevalent methods for monetization of computer security incidents. In this attack, victims’ computing resources are abused to mine cryptocurrency for the benefit of attackers. The most popular illicitly mined digital coin is Monero as it provides strong anonymity and is efficiently mined on CPUs.Illicit mining crucially relies on communication between compromised systems and remote mining pools using the de facto standard protocol Stratum. While prior research primarily focused on endpoint-based detection of in-browser mining, in this paper, we address network-based detection of cryptomining malware in general. We propose XMR-Ray, a machine learning detector using novel features based on reconstructing the Stratum protocol from raw NetFlow records. Our detector is trained offline using only mining traffic and does not require privacy-sensitive normal network traffic, which facilitates its adoption and integration.In our experiments, XMR-Ray attained 98.94% detection rate at 0.05% false alarm rate, outperforming the closest competitor. Our evaluation furthermore demonstrates that it reliably detects previously unseen mining pools, is robust against common obfuscation techniques such as encryption and proxies, and is applicable to mining in the browser or by compiled binaries. Finally, by deploying our detector in a large university network, we show its effectiveness in protecting real-world systems.

Published

2021

23. Anonymization of Network Traces Data through Condensation-based Differential Privacy

Author

YangFan, ChenZhiyuan, AleroudAhmed, PallaproluSai Chaithanya, and KarabatisGeorge

Subjects

Condensation (psychology), Computer Networks and Communications, Computer science, Intrusion detection system, Information security, computer.software_genre, Computer Science Applications, Hardware and Architecture, NetFlow, Differential privacy, Data mining, Hierarchical network model, Safety Research, computer, Software, Information Systems

Abstract

Network traces are considered a primary source of information to researchers, who use them to investigate research problems such as identifying user behavior, analyzing network hierarchy, maintaining network security, classifying packet flows, and much more. However, most organizations are reluctant to share their data with a third party or the public due to privacy concerns. Therefore, data anonymization prior to sharing becomes a convenient solution to both organizations and researchers. Although several anonymization algorithms are available, few of them allow sufficient privacy (organization need), acceptable data utility (researcher need), and efficient data analysis at the same time. This article introduces a condensation-based differential privacy anonymization approach that achieves an improved tradeoff between privacy and utility compared to existing techniques and produces anonymized network trace data that can be shared publicly without lowering its utility value. Our solution also does not incur extra computation overhead for the data analyzer. A prototype system has been implemented, and experiments have shown that the proposed approach preserves privacy and allows data analysis without revealing the original data even when injection attacks are launched against it. When anonymized datasets are given as input to graph-based intrusion detection techniques, they yield almost identical intrusion detection rates as the original datasets with only a negligible impact.

Published

2021

24. SEGURANÇA EM REDES DE COMPUTADORES USANDO SISTEMAS DE DETECÇÃO DE INTRUSÃO BASEADOS EM FLUXOS

Author

Eduardo Massato Kakihata, Helton Molina Sapia, Ronaldo Toshiaki Oikawa, Danillo Roberto Pereira, and Francisco Assis da Silva

Subjects

Intrusion Detection System, Information Security, Security In Networks, Netflow, Engineering (General). Civil engineering (General), TA1-2040, Science (General), Q1-390

Abstract

The use of internet by different types of devices causes a large flow of confidential and/or personal informations. This informations in the possession of criminals can cause extensive damage to persons, institution and government. Due to this situation, it is necessary to use computer security tools, such as Intrusion Detection Systems (IDS). This work presents an IDS that can perform the flow-based analysis (netflow). The proposed approach realizes an analysis of malicious behaviors in flows that were previously collected, and detected correctly three different types of malicious behavior. The flow-based analysis was efficient to detecting malicious acts, moreover the data number to be scanned of the proposed approach is considerably smaller than the packet-based analysis.

Published

2015

25. MACHINE LEARNING STATISTICAL DETECTION OF ANOMALIES USING NETFLOW RECORDS

Author

Putman, Zachary W., Bollmann, Chad A., Dinolt, George W., and Electrical and Computer Engineering (ECE)

Subjects

machine learning, denial of service, NetFlow, statistical detection, CRISP-DM

Abstract

NetFlow is a network protocol system that is used to represent an overall summary of computer network conversations. A NetFlow record can convert previously captured packet captures or obtain NetFlow session data in real time. This research examines the use of machine-learning techniques to identify anomalies in NetFlow records and classify malware behavior for further investigation. The intent is to identify low-cost solutions leveraging open-source software capable of deployment on computer hardware of currently in-use data networks. This work seeks to determine whether expert selection of features can improve machine-learning detection algorithm performance and evaluate the trade-offs associated with eliminating redundant or excessive numbers of features. We identify the Random Forest algorithm as the strongest single algorithm across three of four metrics, with our chosen NetFlow features cutting the testing and training times in half while incurring minor reductions in two metrics. The experiment demonstrates that the chosen NetFlow features are sufficiently discriminative to detect attacks with a success rate higher than 94%. NCWDG Lieutenant, United States Navy Approved for public release. Distribution is unlimited.

Published

2022

26. Detecting DNS hijacking by using NetFlow data

Author

Jens Myrup Pedersen, Emmanouil Vasilomanolakis, and Martin Fejrskov

Subjects

hijacking, DNS, malware, NetFlow, IPFix

Abstract

DNS hijacking represents a security threat to users because it enables bypassing existing DNS security measures. Several malware families exploit this by changing the client DNS configuration to point to a malicious DNS resolver. Following the assumption that users will never actively choose to use a resolver that is not well-known, our paper introduces the idea of detecting client-based DNS hijacking by classifying public resolvers based on whether they are well-known or not. Furthermore, we propose to use NetFlow-based features to classify a resolver as well-known or malicious. By characterizing and manually labelling the 405 resolvers seen in four weeks of NetFlow data from a national ISP, we show that classification of both well-known and malicious servers can be made with an AUROC of 0.85.

Published

2022

27. Queryable Semantics to Detect Cyber-Attacks: A Flow-Based Detection Approach.

Author

AlEroud, Ahmed F. and Karabatis, George

Subjects

*CYBERTERRORISM, *COUNTERTERRORISM, *INTRUSION detection systems (Computer security), *DIGITAL asset management

Abstract

Cyber-attacks continue to increase worldwide, leading to significant loss or misuse of information assets. Most of the existing intrusion detection systems rely on per-packet inspection, a resource consuming task in today’s high speed networks. A recent trend is to analyze netflows (or simply flows) instead of packets, a technique performed at a relative low level leading to high false alarm rates. Since analyzing raw data extracted from flows lacks the semantic information needed to discover attacks, a novel approach is introduced, which uses contextual information to automatically identify and query possible semantic links between different types of suspicious activities extracted from flows. Time, location, and other contextual information mined from flows is applied to generate semantic links among alerts raised in response to suspicious flows. These semantic links are identified through an inference process on probabilistic semantic link networks (SLNs), which receive an initial prediction from a classifier that analyzes incoming flows. The SLNs are then queried at run-time to retrieve other relevant predictions. We show that our approach can be extended to detect unknown attacks in flows as variations of known attacks. An extensive validation of our approach has been performed with a prototype system on several benchmark datasets yielding very promising results in detecting both known and unknown attacks. [ABSTRACT FROM AUTHOR]

Published

2018

28. Automated detection-in-depth in industrial control systems

Author

Zahra Jadidi, Colin J. Fidge, Mukhtar Hussain, and Ernest Foo

Subjects

Computer science, Network packet, business.industry, Mechanical Engineering, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Denial-of-service attack, Industrial control system, computer.software_genre, Automation, Industrial and Manufacturing Engineering, Computer Science Applications, Flooding (computer networking), Data acquisition, Control and Systems Engineering, NetFlow, Anomaly detection, Data mining, business, computer, Software

Abstract

Legacy industrial control systems (ICSs) are not designed to be exposed to the Internet and linking them to corporate networks has introduced a large number of cyber security vulnerabilities. Due to the distributed nature of ICS devices, a detection-in-depth strategy is required to simultaneously monitor the behaviour of multiple sources of ICS data. While a detection-in-depth method leads to detecting attacks, like flooding attacks in earlier phases before the attacker can reach the end target, most research papers have focused on anomaly detection based on a single source of ICS data. Here, we present a detection-in-depth method for an ICS network. The new method is called automated flooding attack detection (AFAD) which consists of three stages: data acquisition, pre-processing, and a flooding anomaly detector. Data acquisition includes data collection from different sources like programmable logic controller (PLC) logs and network traffic. We then generate NetFlow data to provide light-weight anomaly detection in ICS networks. NetFlow-based analysis has been used as a scalable method for anomaly detection in high-speed networks. It only analyses packet headers, and it is an efficient method for detecting flooding attacks like denial of service attacks, and its performance is not affected by encrypted data. However, it has not been sufficiently studied in industrial control systems. Besides NetFlow data, ICS device logs are a rich source of information that can be used to detect abnormal behaviour. Both NetFlow traffic and log data are processed in our pre-processing stage. The third stage of AFAD is anomaly detection which consists of two parallel machine learning analysis methods, which respectively analyse the behaviours of device logs and NetFlow records. Due to the lack of enough labelled training datasets in most environments, an unsupervised predictor and an unsupervised clustering method are respectively used in the anomaly detection stage. We validated our approach using traffic captured in a factory automation dataset, Modbus dataset, and SWAT dataset. These datasets contain physical and network level normal and abnormal data. The performance of AFAD was compared with single-layer anomaly detection and with other studies. Results showed the high precision of AFAD in detecting flooding attacks.

Published

2021

29. Detecting DNS hijacking by using NetFlow data

Author

Fejrskov, Martin, Pedersen, Jens Myrup, Vasilomanolakis, Emmanouil, Fejrskov, Martin, Pedersen, Jens Myrup, and Vasilomanolakis, Emmanouil

Abstract

DNS hijacking represents a security threat to users because it enables bypassing existing DNS security measures. Several malware families exploit this by changing the client DNS configuration to point to a malicious DNS resolver. Following the assumption that users will never actively choose to use a resolver that is not well-known, our paper introduces the idea of detecting client-based DNS hijacking by classifying public resolvers based on whether they are well-known or not. Furthermore, we propose to use NetFlow-based features to classify a resolver as well-known or malicious. By characterizing and manually labelling the 405 resolvers seen in four weeks of NetFlow data from a national ISP, we show that classification of both well-known and malicious servers can be made with an AUROC of 0.85.

Published

2022

30. Model-Driven Network Monitoring Using NetFlow Applied to Threat Detection

Author

Daniel González-Sánchez, Ignacio D. Martinez-Casanueva, Antonio Pastor, Luis Bellido Triana, Cristina Pinar Muñoz Zamarro, Alejandro Antonio Moreno Sancho, David Fernández Cambronero, and Diego Lopez

Subjects

network monitoring, YANG, data model, cryptomining, threat detection, NetFlow

Abstract

In recent years, several research works have proposed the analysis of network flow information using machine learning in order to detect threats or anomalous activities. In this sense, NetFlow-based systems stand out as one of the main sources of network flow information. In these systems, NetFlow collectors provide the flow monitoring information to be analyzed, but the particular information structure and format provided by different collector implementations is a recurring problem. In this paper, a new YANG data model is proposed as a standard model to use NetFlow-based monitoring data. In order to validate the proposal, a NetFlow collector incorporating the proposed NetFlow YANG model has been developed, to be integrated in a network scenario in which network flows are analyzed to detect malicious cryptomining activity. This collector extends an existing one, and provides design patterns to incorporate other existing collectors into this common data model. Our results show how, by using the YANG modeling language, network flow information can be handled and aggregated in a formal and unified way that provides flexibility and facilitates data analysis applied to threat detection.

Published

2022

31. A Large Scale NetFlow Analysis System Based on Spark

Author

Shengyong Ding, Shiwu Min, and Yongbing Fan

Subjects

NetFlow, Spark, traffic analysis, Telecommunication, TK5101-6720, Technology

Abstract

The existing systems usually adopt private distributed architectures, which face scalability, openness, cost and latency problems. The development of big data technology such as Spark offers new opportunity for large scale NetFlow processing systems. A new analysis system based on Spark platform was proposed and the effectiveness of the method was verified. The experimental results show its superior performance.

Published

2014

32. Detecting impersonation attacks in cloud computing environments using a centric user profiling approach

Author

Hisham A. Kholidy

Subjects

Profiling (computer programming), Artificial neural network, Computer Networks and Communications, business.industry, Computer science, Information technology, 020206 networking & telecommunications, Cloud computing, 02 engineering and technology, Intrusion detection system, Impersonation attack, computer.software_genre, Hardware and Architecture, Software deployment, NetFlow, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Data mining, business, computer, Software

Abstract

Cloud computing has become the most needed technology for the IT industry. Impersonation attacks are among the most dangerous threats that Clouds face. In this paper, we present an approach to detect masquerade attacks in Clouds. The efficient detection of these attacks should correlate user behaviors in distinct environments and also should apply to several deployment models. We present and evaluate three approaches to detect Impersonation and masquerade attacks. The first approach analyzes sequences of correlated system calls from the VMs operating systems, while the second analyzes the NetFlow data from the network environment. The third approach integrates these two approaches by using a neural network that will produce better detections than any of the first two approaches. To simplify the testing and the evaluation of the three methods, the Cloud Intrusion Detection Dataset (CIDD) is used as a source for cloud audits data. The evaluation has considered alternative deployment models through our two intrusion detection frameworks, CIDS and CIDS-VIRT. The paper also shows that the proposed detection approaches are more accurate and outperform the SWAD-MMD, a recent masquerade detection framework that works in the cloud computing systems. Furthermore, the paper details our experimental results and evaluates the computational performance and the detection accuracy of these approaches.

Published

2021

33. Anomaly detection in NetFlow network traffic using supervised machine learning algorithms

Author

Fosić, Igor, Žagar, Drago, Grgić, Krešimir, and Križanović, Višnja

Subjects

supervised algorithm, machine learning, anomaly classification, NetFlow, imbalanced dataset, Information Systems and Management, Industrial and Manufacturing Engineering

Abstract

Anomaly detection is an important method for monitoring network traffic where is important to successfully distinguish normal traffic from abnormal traffic. For this purpose, one could use the existing classification algorithms as a part of the machine learning (ML) process. In this paper, some of the classification algorithms (Stochastic Gradient Descent (SGD), Support Vector Machines (SVM), K-Nearest Neighbor (K-NN), Gaussian Naive Bayes (GNB), Decision Tree (DT), Random Forest (RF), AdaBoost (AB)) were tested on the public UNSW-NB15 dataset. Different encoding methods and ratios of training and test data resulted in the optimal parameters classifiers. Due to the imbalanced distribution of normal and abnormal network traffic data, both standard performance scores and additional classification performance scores (F2-score, Area Under ROC Curve (AUC)) were used, that better describe the obtained results. The RF Classifier with F2-score = 97.68% and AUC score = 98.47% obtained the best results using a representative subset within the original dataset due to the shorter duration of the computations. Features in the referential dataset were reduced by 82% and selected following the structure of the NetFlow data stream. Concerning similar studies, this paper compares several algorithms for anomaly detection and selects the best one for NetFlow data streams. The F2 and AUC metric is applied, which achieves very high accuracy compared to classic metrics that do not show realistic accuracy in imbalanced datasets. Less time was spent using Label enoding (LE) with the same accuracy compared to One-hot (OH) encoding used in similar research. The novelty introduced by this paper is in the optimization of the ML process and influence of the ratio of data for learning and testing, different encoding methods of categorical features, and feature reduction on the Netflow data streams

Published

2023

34. Cyberattack detection model using deep learning in a network log system with data visualization

Author

Chao-Tung Yang, Wei-Je Jiang, Endah Kristiani, Jung-Chun Liu, and Yu-Wei Chan

Subjects

Artificial neural network, business.industry, Event (computing), Network packet, Computer science, Deep learning, Construct (python library), computer.software_genre, Theoretical Computer Science, Data visualization, Recurrent neural network, Hardware and Architecture, NetFlow, Artificial intelligence, Data mining, business, computer, Software, Information Systems

Abstract

Network log data is significant for network administrators, since it contains information on every event that occurs in a network, including system errors, alerts, and packets sending statuses. Effectively analyzing large volumes of diverse log data brings opportunities to identify issues before they become problems and to prevent future cyberattacks; however, processing of the diverse NetFlow data poses challenges such as volume, velocity, and veracity of log data. In this study, by means of Elasticsearch, Logstash, and Kibana, i.e., the ELK Stack, we construct an analysis and management system for network log data, which provides functions to filter, analyze, and display network log data for further applications and creates data visualization on a Web browser. In addition, an advanced cyberattack detection model is facilitated using deep neural network (DNN), recurrent neural networks (RNN), and long short-term memory (LSTM) approaches. By knowing cyberattack behaviors and cross-validating with the log analysis system, one can learn from this model the characteristics of a variety of cyberattacks. Finally, we also implement Grafana to perform metrics monitoring.

Published

2021

35. Host Behavior in Computer Network: One-Year Study

Author

Tomas Jirsik and Petr Velan

Subjects

Profiling (computer programming), Computer Networks and Communications, business.industry, Computer science, 020206 networking & telecommunications, 02 engineering and technology, computer.software_genre, Network management, Network measurement, NetFlow, 0202 electrical engineering, electronic engineering, information engineering, Key (cryptography), Use case, Data mining, Electrical and Electronic Engineering, business, Cluster analysis, Host (network), computer

Abstract

An analysis of a host behavior is an essential key for modern network management and security. A robust behavior profile enables the network managers to detect anomalies with high accuracy, predict the host behavior, or group host to clusters for better management. Hence, host profiling methods attract the interest of many researchers, and novel methods for host profiling are being introduced. However, these methods are frequently developed on preprocessed and small datasets. Therefore, they do not reflect the real-world artifacts of the host profiling, such as missing observations, temporal patterns, or variability in the profile characteristics in time. To provide the needed insight into the artifacts of host profiling in real-world settings, we present a study of the host behavior in a network conducted on a one-year-long real-world network dataset. In the study, we inspect the availability of the data for host profiling, identify the temporal patterns in host behavior, introduce a method for stable labeling of the hosts, and assess the variability of the host characteristics in the course of the year using the coefficient of variance. Moreover, we make the one-year dataset containing nine characteristics used for host behavior analysis available for public use and further research, including selected use cases representing host profiling caveats. We also share the record of analysis presented in the paper.

Published

2021

36. Self-supervised network traffic management for DDoS mitigation within the ISP domain

Author

Desmond Chambers, Ili Ko, and Enda Barrett

Subjects

Dynamic network analysis, business.product_category, Computer Networks and Communications, business.industry, Computer science, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, 020206 networking & telecommunications, Denial-of-service attack, 02 engineering and technology, Service provider, UDP flood attack, DDoS mitigation, Internet Control Message Protocol, Egress filtering, Hardware and Architecture, NetFlow, 0202 electrical engineering, electronic engineering, information engineering, Internet access, 020201 artificial intelligence & image processing, The Internet, business, Software, Computer network

Abstract

The continuing development of 5G technology increases the number of devices connected to the internet, this provides an increasing potential for cybercriminals to orchestrate detrimental Distributed Denial of Service (DDoS) attacks. The research community continues to develop new techniques to respond to the growing demand for DDoS mitigation. The internet service provider (ISP) provides internet access for users, so the attack traffic arrives at this location before reaching the victim. Deploying the mitigation system within the ISP domain offers an efficient solution. Therefore, we propose a dynamic network traffic managing (DNTM) system, which encompasses an Attack Detector, an IP Prioritiser, a Traffic Manager, and a Netflow Classifier, for the ISP. The IP prioritiser categorises IP addresses into normal and suspicious classes. The Traffic Manager makes use of the existing ISP mechanisms including ingress & egress filtering, rate limiting, blackholing and normal routing to take different mitigation actions. The Netflow Classifier is a hybrid ensemble model that utilises both unsupervised and supervised learning techniques. The classifier employs two self-organising maps (SOMs) to label data to train a supervised ensemble unit, which includes Random Forests, Decision Trees, and Gradient Boosted Trees (SRDG), to get the final classification. The Netflow Classifier achieved over 96% average on recall, precision and F1 score on UDP flood, ICMP flood and TCP flood attack data sets.

Published

2020

37. Refined Detection of SSH Brute-Force Attackers Using Machine Learning

Author

Tomas Cejka, Tomas Benes, Karel Hynek, Hana Kubatova, Faculty of Information Technology [Prague] (FIT CTU), Czech Technical University in Prague (CTU), CESNET [Prague], Czech Academy of Sciences [Prague] (CAS), Marko Hölbl, Kai Rannenberg, Tatjana Welzer, and TC 11

Subjects

050101 languages & linguistics, Traffic analysis, Monitoring, Computer science, Decision tree, Network, 02 engineering and technology, Brute-force, Machine learning, computer.software_genre, Article, Brute force, Server, NetFlow, 0202 electrical engineering, electronic engineering, information engineering, 0501 psychology and cognitive sciences, [INFO]Computer Science [cs], AdaBoost, SSH, Malicious, business.industry, Flow, 05 social sciences, Attack, Classification, Security, 020201 artificial intelligence & image processing, Artificial intelligence, Focus (optics), business, Host (network), computer

Abstract

Part 2: Connection Security; International audience; This paper presents a novel approach to detect SSH brute-force (BF) attacks in high-speed networks. Contrary to host-based approaches, we focus on network traffic analysis to identify attackers. Recent papers describe how to detect BF attacks using pure NetFlow data. However, our evaluation shows significant false-positive (FP) results of the current solution. To overcome the issue of high FP rate, we propose a machine learning (ML) approach to detection using specially extended IP Flows. The contributions of this paper are a new dataset from real environment, experimentally selected ML method, which performs with high accuracy and low FP rate, and an architecture of the detection system. The dataset for training was created using extensive evaluation of captured real traffic, manually prepared legitimate SSH traffic with characteristics similar to BF attacks, and, finally, using a packet trace with SSH logs from real production servers.

Published

2020

38. Hybrid Botnet Detection Based on Host and Network Analysis

Author

Suzan Almutairi, Jalal S. Alowibdi, Sultan Almutairi, and Saoucene Mahfoudh

Subjects

Software_OPERATINGSYSTEMS, Article Subject, Computer Networks and Communications, business.industry, Computer science, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Botnet, 020206 networking & telecommunications, Denial-of-service attack, QA75.5-76.95, 02 engineering and technology, Spamming, ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Electronic computers. Computer science, NetFlow, 0202 electrical engineering, electronic engineering, information engineering, Command and control, 020201 artificial intelligence & image processing, False positive rate, business, Host (network), Information Systems, Network analysis, Computer network

Abstract

Botnet is one of the most dangerous cyber-security issues. The botnet infects unprotected machines and keeps track of the communication with the command and control server to send and receive malicious commands. The attacker uses botnet to initiate dangerous attacks such as DDoS, fishing, data stealing, and spamming. The size of the botnet is usually very large, and millions of infected hosts may belong to it. In this paper, we addressed the problem of botnet detection based on network’s flows records and activities in the host. Thus, we propose a general technique capable of detecting new botnets in early phase. Our technique is implemented in both sides: host side and network side. The botnet communication traffic we are interested in includes HTTP, P2P, IRC, and DNS using IP fluxing. HANABot algorithm is proposed to preprocess and extract features to distinguish the botnet behavior from the legitimate behavior. We evaluate our solution using a collection of real datasets (malicious and legitimate). Our experiment shows a high level of accuracy and a low false positive rate. Furthermore, a comparison between some existing approaches was given, focusing on specific features and performance. The proposed technique outperforms some of the presented approaches in terms of accurately detecting botnet flow records within Netflow traces.

Published

2020

39. NetFlow Monitoring and Cyberattack Detection Using Deep Learning With Ceph

Author

Ilsun You, Giovanni Pau, Chao-Tung Yang, Endah Kristiani, Jung-Chun Liu, and Ming-Lun Liu

Subjects

Router, General Computer Science, Computer science, 02 engineering and technology, computer.software_genre, netflow log, NetFlow, Distributed data store, 0202 electrical engineering, electronic engineering, information engineering, General Materials Science, Data storage, computer.programming_language, 020203 distributed computing, Artificial neural network, ceph, business.industry, Deep learning, General Engineering, deep learning, Python (programming language), Identifier, cyberattack, Scalability, 020201 artificial intelligence & image processing, Artificial intelligence, Data mining, lcsh:Electrical engineering. Electronics. Nuclear engineering, business, computer, lcsh:TK1-9971

Abstract

Figuring the network’s hidden abnormal behavior can reduce network vulnerability. This paper presents a detailed architecture in which the collected log data of the network can be processed and analyzed. We process and integrate on-campus network information from every router and store the integrated NetFlow log data. Ceph is used as an open-source distributed storage platform that offers high efficiency, high reliability, scalability, and preliminary preprocessing of raw data with Python, removing redundant areas and unification. In the subanalysis, we discover the anomaly event and absolute flow by three times of standard deviation rule. Keras has been used to classify in-time data collected via a cyber-attack and to construct an automatic identifier template through the Recurring Neural Network (RNN) test. The identification accuracy of the optimization model is around 98% in attack detection. Finally, in the MySQL server, the results of the real-time evaluation can be obtained, and the results of the assessment can be displayed via ECharts.

Published

2020

40. Owleyes: A Visual Analytics System for Functions and Connection Patterns of IPv4 Addresses in Networks

Author

Yan Yan, Lingjun He, Li Liu, Tao Yang, Wenhua Hou, Hong Xiang, Xiaofeng Xia, and Haibo Hu

Subjects

Visual analytics, sunburst-hiveplot graph, General Computer Science, Basic dimension, Network security, business.industry, computer.internet_protocol, Computer science, General Engineering, user-centric interaction, computer.software_genre, IPv4, Data type, Visualization, NetFlow, network security, link wheel graph, Interval (graph theory), General Materials Science, lcsh:Electrical engineering. Electronics. Nuclear engineering, Data mining, business, lcsh:TK1-9971, computer

Abstract

Netflow log files commonly contain massive transfer records in tiny time interval, making analytical works complex and burdensome. By combining human cognition abilities with computerized techniques, visual analytics systems have become efficient tools for showing network states and locating abnormal behaviors. However, traditional visual analytics systems tend to be designed for solving certain problems and unable to synthesize various types of data sources. Despite recent advances in network security visualization, academia still starves for a proper solution to visualize IPv4 address behavior modes and IPv4 connection patterns within limited drawing space. Thus, we propose a visual analytics system called `Owleyes' which reprocesses Netflow log data with simple statistical operations in basic dimensions and fulfills the aforementioned requirements with proper novel graphs such as `sunburst-hive-plot graph' (SHG) and link-wheel graph (LW). The SHG provides a stable and comparable means of visualizing connection patterns efficiently in a limited drawing space. The LW represents the hourly connection counts of main ports in a specific IPv4 connection during one day. With the use case dealing with the ChinaVis 2016 Challenge I data, the efficiency and practicability of Owleyes are demonstrated.

Published

2020

41. A study on the use of 3rd party DNS resolvers for malware filtering or censorship circumvention

Author

Andersen, Martin Fejrskov, Vasilomanolakis, Emmanouil, Pedersen, Jens Myrup, Meng, Weizhi, Fischer-Hübner, Simone, and Jensen, Christian D.

Subjects

DNS, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, NetFlow, ISP, censorship, filtering, Resolver

Abstract

DNS resolvers perform the essential role of translating domain names into IP addresses. The default DNS resolver offered by an Internet Service Provider (ISP) can be undesirable for a number of reasons such as censorship, lack of malware filtering options and low service quality. In this paper, we propose a novel method for estimating the amount of DNS traffic directed at non-ISP resolvers by using DNS and NetFlow data from an ISP. This method is extended to also estimate the amount of DNS traffic towards resolvers that offer malware filtering or parental control functionality. Finally, we propose a novel method for estimating the amount of DNS traffic at non-ISP resolvers that would have been censored by ISP resolvers. The results of applying these methods on an ISP dataset shows to which extent 3rd party resolvers are chosen by users for either malware filtering or censorship circumvention purposes. DNS resolvers perform the essential role of translating domain names into IP addresses. The default DNS resolver offered by an Internet Service Provider (ISP) can be undesirable for a number of reasons such as censorship, lack of malware filtering options and low service quality. In this paper, we propose a novel method for estimating the amount of DNS traffic directed at non-ISP resolvers by using DNS and NetFlow data from an ISP. This method is extended to also estimate the amount of DNS traffic towards resolvers that offer malware filtering or parental control functionality. Finally, we propose a novel method for estimating the amount of DNS traffic at non-ISP resolvers that would have been censored by ISP resolvers. The results of applying these methods on an ISP dataset shows to which extent 3rd party resolvers are chosen by users for either malware filtering or censorship circumvention purposes.

Published

2022

42. Fast application-level traffic classification using NetFlow records

Author

Liang CHEN and Jian GONG

Subjects

computer system architecture, traffic classification, NetFlow, correlation coefficient, feature selection, Bayes discrimination, Telecommunication, TK5101-6720

Abstract

In order to improve the performance and reduce the resources usage of application-level traffic classification,a novel fast application-level traffic classification(FATC) algorithm using IP flow record from NetFlow as input was presented.FATC adopted metric selection algorithm based on correlation coefficient to measure the correlation among flow metric variables,and deleted the irrelevant or redundant metrics,then used Bayes discrimination to classify network traffic to the application category that of smallest misjudge loss.The theoretical analysis and experimental results show that,with more than 95% accuracy,the FATC algorithm greatl reduces the time and space complexity of current application-level traffic classification algorithms during the training and classification processes,and can work efficiently on 10Gbit/s backbone network in real time.

Published

2012

43. Using NetFlow to measure the impact of deploying DNS-based blacklists

Author

Andersen, Martin Fejrskov, Pedersen, Jens Myrup, Vasilomanolakis, Emmanouil, Garcia-Alfaro, Joaquin, Li, Shujun, Poovendran, Radha, Debar, Hervé, and Yung, Moti

Subjects

ComputingMilieux_MANAGEMENTOFCOMPUTINGANDINFORMATIONSYSTEMS, Software_OPERATINGSYSTEMS, ComputingMethodologies_PATTERNRECOGNITION, Ipfix, DNS, InformationSystems_INFORMATIONSYSTEMSAPPLICATIONS, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Netflow, RBL, ISP, Blacklist, Threat intelligence

Abstract

To prevent user exposure to a wide range of cyber security threats, organizations and companies often resort to deploying blacklists in DNS resolvers or DNS firewalls. The impact of such a deployment is often measured by comparing the coverage of individual blacklists, by counting the number of blocked DNS requests, or by counting the number of flows redirected to a benign web page that contains a warning to the user. This paper suggests an alternative to this by using NetFlow data to measure the effect of a DNS-based blacklist deployment. Our findings suggest that only 38-40% of blacklisted flows are web traffic. Furthermore, the paper analyzes the flows blacklisted by IP address, and it is shown that the majority of these are potentially benign, such as flows towards a web server hosting both benign and malicious sites. Finally, the flows blacklisted by domain name are categorized as either spam or malware, and it is shown that less than 6% are considered malicious. To prevent user exposure to a wide range of cyber security threats, organizations and companies often resort to deploying blacklists in DNS resolvers or DNS firewalls. The impact of such a deployment is often measured by comparing the coverage of individual blacklists, by counting the number of blocked DNS requests, or by counting the number of flows redirected to a benign web page that contains a warning to the user. This paper suggests an alternative to this by using NetFlow data to measure the effect of a DNS-based blacklist deployment. Our findings suggest that only 38-40% of blacklisted flows are web traffic. Furthermore, the paper analyzes the flows blacklisted by IP address, and it is shown that the majority of these are potentially benign, such as flows towards a web server hosting both benign and malicious sites. Finally, the flows blacklisted by domain name are categorized as either spam or malware, and it is shown that less than 6% are considered malicious.

Published

2021

44. How to Effectively Collect and Process Network Data for Intrusion Detection?

Author

Rafał Kozik, Witold Hołubowicz, Michał Choraś, Marek Pawlicki, and Mikołaj Komisarek

Subjects

Computer science, Science, QC1-999, General Physics and Astronomy, Feature selection, 02 engineering and technology, Intrusion detection system, USable, computer.software_genre, Astrophysics, Article, Set (abstract data type), feature selection, NetFlow, 0202 electrical engineering, electronic engineering, information engineering, data quality, Physics, Process (computing), 020206 networking & telecommunications, QB460-466, Data quality, Benchmark (computing), network behavior analysis, 020201 artificial intelligence & image processing, Data mining, computer, network intrusion detection

Abstract

The number of security breaches in the cyberspace is on the rise. This threat is met with intensive work in the intrusion detection research community. To keep the defensive mechanisms up to date and relevant, realistic network traffic datasets are needed. The use of flow-based data for machine-learning-based network intrusion detection is a promising direction for intrusion detection systems. However, many contemporary benchmark datasets do not contain features that are usable in the wild. The main contribution of this work is to cover the research gap related to identifying and investigating valuable features in the NetFlow schema that allow for effective, machine-learning-based network intrusion detection in the real world. To achieve this goal, several feature selection techniques have been applied on five flow-based network intrusion detection datasets, establishing an informative flow-based feature set. The authors’ experience with the deployment of this kind of system shows that to close the research-to-market gap, and to perform actual real-world application of machine-learning-based intrusion detection, a set of labeled data from the end-user has to be collected. This research aims at establishing the appropriate, minimal amount of data that is sufficient to effectively train machine learning algorithms in intrusion detection. The results show that a set of 10 features and a small amount of data is enough for the final model to perform very well.

Published

2021

45. Research and implement on segmenting storage model of netflow

Author

WU Guang-jun, YUN Xiao-chun, YU Xiang-zhan, and WANG Shu-peng

Subjects

netflow, netflow storage, netflow spanning tree, multi-level index, Telecommunication, TK5101-6720

Abstract

A new model was proposed to maintain sequence and ownership of netflow.This model adopted weak se-quence-based high speed data structure in memory to improve real time storage ability.In the disc level a multi-level in-dex data netflow spanning tree was proposed to improve sequence and ownership retrieval efficiency.The performance of evaluation exposes that the storage model of netflow can improve real-time storage ability and decrease the quantities of index data dramatically.

Published

2007

46. COLETA, TRATAMENTO E ARMAZENAMENTO DE FLUXOS NO PADRÃO NETFLOW.

Author

Ruiz, Vitor and Sapia, Helton

Abstract

This work presents a tool that collect, store and allows a posterior analysis of the flows, in the NetFlow standard. Due to increasing number of connected devices and access to the Internet, the traffic density over networks have also increased greatly. To ensure safety, it must be possible to identify adverse events to the network environment. Traditional analytical methods used to capture packets, which is computationally infeasible in some cases (when the amount of traffic is very large, for example), the collection using flows is most suitable in these cases. This work aims at the development of an application that collects, treats and stores flows, in the Netflow standard. The flows are collected using a UDP socket, with a Gateway (OpenBSD) assistance and stored in a MySQL database. [ABSTRACT FROM AUTHOR]

Published

2016

47. A personalized approach for communicating found anomalies in Netflow data to end-users

Author

de Hoog, Dion (author) and de Hoog, Dion (author)

Abstract

In this research, we use different supervised and unsupervised machine learning techniques to detect anomalies in NetFlow data. We aim to create a system for home or small-business use where the user is in control. We use WEKA for the machine learning models and feature selection. The UGR’16 dataset is used to train and test the models. We create three different models for each method where the model is trained on one day and tested on another. We find that supervised models perform better than unsupervised ones. Random Forest has the highest F1-score (0.9165) of the supervised models. However, Random Forest is statistically similar to 6 out of 8 different classifiers according to the Friedman and Nemenyi tests. One challenge with supervised methods is that there is a need for a third party to make sure the models are updated for new attacks. However, it seems feasible to create a system for network monitoring for home usage. Finally, we argue that the approach to research in machine learning should, in some cases, take a different direction. Instead of chasing the highest accuracy, we should look at which factors allow a user to work with a system. A set of rules is much easier to interpret than complex models. Especially if these models are statistically similar we could look at factors other than a single metric. After these results, we look at presenting warning messages to end-users. We want to motivate users to take action after they read a message. For this, we first create a theoretical framework based on behaviour, motivation and uncertainties. We want to find out if we can use uncertainties to group users, which allows us to create a semi-personal approach. Based on this theoretical framework, we create different versions of a warning message that focus on different uncertainties. Through 22 interviews, we asked the participants to rank the different versions and asked them questions about their stance on network security and preferences for warning messag, degree of Master of Science in Computer Science & Science Communication, Computer Science

Published

2021

48. Research of Typical Information Objects Traffic

Author

Luiza Korganbaeva, Maria Nikolaeva, Alexey Ermakov, and Vadim Goykhman

Subjects

traffic, flows, lcsh:T, lcsh:Mechanical engineering and machinery, ComputerSystemsOrganization_COMPUTER-COMMUNICATIONNETWORKS, Netflow, General Medicine, lcsh:Technology, lcsh:TD1-1066, lcsh:TA1-2040, packets, lcsh:Manufactures, lcsh:TJ1-1570, lcsh:Environmental technology. Sanitary engineering, TCP session, lcsh:Engineering (General). Civil engineering (General), lcsh:TS1-2301

Abstract

The article considers network traffic as an aggregation of information flows from typical information objects, which can be apartment buildings, student campuses, office centers, sports and entertainment facilities of general use, etc. The study showed that the amount of information transferred by the TCP protocol significantly exceeds (by orders of magnitude) the amount of information transferred by the UDP protocol, which illustrates the average daily traffic graph of the amount of information transferred by the TCP and UDP protocols. Methods of traffic analysis are considered, the most significant characteristics of traffic are determined.

Published

2019

49. On construction of a network log management system using ELK Stack with Ceph

Author

Geyong Min, Wei-Je Jiang, Chao-Tung Yang, Yuan-Ting Wang, Ching-Han Lai, and Endah Kristiani

Subjects

File system, 020203 distributed computing, Database, Computer science, 02 engineering and technology, computer.software_genre, Theoretical Computer Science, Stack (abstract data type), Hardware and Architecture, Backup, Default gateway, Distributed data store, NetFlow, 0202 electrical engineering, electronic engineering, information engineering, Log management, computer, Software, Information Systems

Abstract

A log management system is essential for the networks administrator. With a log management tool, we can collect, store, analyze, archive, and finally dispose of the log information. In this paper, we propose the architecture model of a log management system using ELK Stack with Ceph to provide a safe network, good Wi-Fi signal strength, and adequate backup data mechanism. In this case, we use our campus data of Wi-Fi log and NetFlow log. First, we collect and store data of our Wi-Fi log using Filebeats tool, and then, we use Elasticsearch, Logstash, and Kibana Stack to visualize the Wi-Fi log data. Second, we collect and store our NetFlow log using NFDUMP, and then, we also use ELK Stack to visualize the NetFlow log data. Third, we integrate the Wi-Fi log and NetFlow log data in one architecture using a distributed storage Ceph file system (CephFS). Moreover, we also compare the performance of RADOS Gateway and CephFS for better storage mechanism.

Published

2019

50. Understanding flows in high-speed scientific networks: A Netflow data study

Author

Mariam Kiran and Anshuman Chhabra

Subjects

Scientific networks, Computer Networks and Communications, Computer science, Initialization, 020206 networking & telecommunications, 02 engineering and technology, computer.software_genre, Mixture model, Workflow, Hardware and Architecture, NetFlow, 0202 electrical engineering, electronic engineering, information engineering, 020201 artificial intelligence & image processing, Data mining, computer, Software

Abstract

Complex science workflows involve very large data demands and resource-intensive computations. These demands need reliable high-speed networks, that can optimize performance for application data flows. Characterizing flows into large flows (elephant) versus small flows (mice) can allow networks to optimize performance by detecting and handling demands in real-time. However, predicting elephant versus mice flows is extremely difficult as their definition varies based on networks. Machine learning techniques can help classify flows into two distinct clusters to identify characteristics of transfers. In this paper, we investigate unsupervised and semi-supervised machine learning approaches to classify flows in real time. We develop a Gaussian Mixture Model combined with an initialization algorithm, to develop a novel general-purpose method to help classification based on network sites (in terms of data transfers, flow rates and durations). Our results show that the proposed algorithm is able to cluster elephants and mice with an accuracy rate of 90%. We analyzed NetFlow reports of 1 month from 3 ESnet site routers to train the model and predict clusters.

Published

2019