Using NetFlow to Analyze Usage and Anomalies in Large Network

Zhong, Ming-Xun

08 September 2004

NetFlow is a de facto protocol to export information about IP flow from network device. In this paper, we describe the modification to the famous open source software Flow-tools which let it has the ability to process the large NetFlow data under reasonable time and resource in the first part. In second part, we propose a series network usage and anomalies analysis methods, using TANet as example. These analyses are useful for capacity planning, peering, security, usage policy enacting.

Netflow

Traffic Analyze

Detekce provozu Skype pomocí dat NetFlow / Identifying Skype Traffic Using NetFlow Data

Šebeň, Patrik

January 2012

NetFlow is a network protocol commonly used for collectiong IP traffic information. But there is a way to use this collected data for indentifying clients in Skype communication. This paper describes identifiable patterns in Skype protocol and how to find them in NetFlow data. This way we can identify nodes and supernodes in Skype network.

supernóda; supernode; NetFlow; Skype

BotFlowMon: Identify Social Bot Traffic With NetFlow and Machine Learning

Feng, Yebo

06 September 2018

With the rapid development of online social networks (OSN), maintaining the security of social media ecosystems becomes dramatically important for public. Among all the security threats in OSN, malicious social bot is the most common risk factor. This paper puts forward a detection method called BotFlowMon that only utilize NetFlow data to identify OSN bot traffic. The detection procedure takes the raw NetFlow data as input and use DBSCAN algorithm to aggregate related flows into transaction level data. Then a special data fusion technique along with a visualization method are proposed to extract features, normalize values and help analyzing flows. A new clustering algorithm called Clustering Based on Density Sort and Valley Point Competition is also designed to subdivide transactions into basic operations. After the above preprocessing steps, some classic machine learning algorithms are applied to construct the classification model. / 2020-09-06

Machine learning

NetFlow

Social bot

Aplikační rozhraní pro práci s netflow daty / Netflow Data Application Interface

Šoltés, Miroslav

January 2013

This diploma thesis deals with design and implementation of NetFlow data manipulation tool. It contains analysis of IP Flow network monitoring, description of nfdump tool and format of Netflow v9 records saved by nfdump. The focus of this application interface lies in effective manipulation with NetFlow records.

Denial of Service Traceback: an Ant-Based Approach

Yang, Chia-Ru

14 July 2005

The Denial-of-Service (DoS) attacks with the source IP address spoofing techniques has become a major threat to the Internet. An intrusion detection system is often used to detect DoS attacks and to coordinate with the firewall to block them. However, DoS attack packets consume and may exhaust all the resources, causing degrading network performance or, even worse, network breakdown. A proactive approach to DoS attacks is allocating the original attack host(s) issuing the attacks and stopping the malicious traffic, instead of wasting resources on the attack traffic. In this research, an ant-based traceback approach is proposed to identify the DoS attack origin. Instead of creating a new type or function needed by the router or proceeding the high volume, find-grained data, the proposed traceback approach uses flow level information to spot the origin of a DoS attack. Two characteristics of ant algorithm, quick convergence and heuristic, are adopted in the proposed approach on finding the DoS attack path. Quick convergence efficiently finds out the origin of a DoS attack; heuristic gives the solution even though partial flow information is provided by the network. The proposed method is validated and evaluated through the preliminary experiments and simulations generating various network environments by network simulator, NS-2. The simulation results show that the proposed method can successfully and efficiently find the DoS attack path in various simulated network environments, with full and partial flow information provided by the network.

IP traceback

Ant Algorithm

DoS

NetFlow

TUPLE FILTERING IN SILK USING CUCKOO HASHES

Webb, Aaron

25 August 2010

SiLK Tools is a suite of network ?ow tools that network analysts use to detect intru- sions, viruses, worms, and botnets, and to analyze network performance. One tool in SiLK is tuple ?ltering, where ?ows are ?ltered based on inclusion in a “multi-key” set (MKset) whose unique members are composite keys whose values are from multiple ?elds in a SiLK ?ow record. We propose and evaluate a more e?cient method of im- plementing MKset ?ltering that uses cuckoo hashes, which underlie McHugh et al.’s cuckoo bag (cubag) suite of MKset SiLK tools. Our solution improves execution time for ?ltering with an MKset of size k by a factor of O(logk), and decreases memory footprints for MKset ?ltering by 50%. The solution also saves 90% of disk space for MKset ?le storage, and adds functionality for transformations such as subnet masking on ?ow records during MKset ?ltering.

SiLK

NetFlow

network

cuckoo

hash

tuple

Implementación y Evaluación de Sistema de Monitoreo de Seguridad Basado en Flujos de Paquetes IP

Echeverría Sierralta, Francisco de Borja

January 2008

Internet es ampliamente utilizada como medio de comunicación y distribución de información en todo el mundo. La información del tráfico de datos, esto es, información de origen y destino de los paquetes IP, entre las distintas organizaciones, puede aportar información valiosa para la seguridad informática de las mismas. Utilizando la información del tráfico de una red es posible identificar comportamientos de software maliciosos o “malware”. Por ejemplo, una máquina infectada con un gusano (worm) intenta contagiar a un grupo de máquinas a través del tráfico IP. En este caso el tráfico muestra una gran cantidad de intentos de conexiones a direcciones IP distintas. Aunque ya existen dispositivos de red y sistemas desarrollados para este fin, los sistemas son de carácter privado, funcionan para algunos dispositivos de red o no son fáciles de utilizar. Durante la memoria se diseñó e implementó un sistema para el análisis offline del tráfico IP proveniente de redes distribuidas. El sistema permite recolectar información de flujos IP proveniente de varias redes geográficamente distribuidas y analizar dicha información para identificar comportamientos maliciosos de computadores en dichas redes. Se evaluó el sistema por medio de dos experimentos, el primero destinado a detectar comportamientos producidos por malware sobre el tráfico IP simulado, el segundo evalúa la efectividad del sistema para la detección de malware en un ambiente real al que se inyecta malware simulado. En el transcurso de la memoria se encontró una dificultad con respecto a la traducción de direcciones de red hecha por los routers. Para estudiar este problema se configuró un ambiente distribuido y se hicieron consultas especiales. El sistema desarrollado y los resultados obtenidos dan una base para la creación de nuevos métodos de detección, con el fin de mejorar la seguridad computacional dentro de las organizaciones.

Computación

Red IP

Netflow

Seguridad

Monitoreo

Detekce těžení kryptoměn pomocí analýzy dat o IP tocích / Detection of Cryptocurrency Miners Based on IP Flow Analysis

Šabík, Erik

January 2017

This master’s thesis describes the general information about cryptocurrencies, what principles are used in the process of creation of new coins and why mining cryptocurrencies can be malicious. Further, it discusses what is an IP flow, and how to monitor networks by monitoring network traffic using IP flows. It describes the Nemea framework that is used to build comprehensive system for detecting malicious traffic. It explains how the network data with communications of the cryptocurrencies mining process were obtained and then provides an analysis of this data. Based on this analysis a proposal is created for methods capable of detecting mining cryptocurrencies by using IP flows records. Finally, proposed detection method was evaluated on various networks and the results are further described.

Rozšíření NetFlow záznamů pro zlepšení možností klasifikace šifrovaného provozu / Extending NetFlow Records for Increasing Encrypted Traffic Classification Capabilities

Šuhaj, Peter

January 2020

Master's thesis deals with selection of attributes proper for classification of encrypted traffic, with the extension of NetFlow entries with these attributes and with creating a tool for classify encrypted TLS traffic. The following attributes were selected: size of packets, inter-packet arrival times, number of packets in flow and size of the flow. Selection of attributes was followed by design of extending NetFlow records with these attributes for classifying encrypted traffic. Extension of records was implemented in language C for exporter of the company Flowmon Networks a.s.. Classifier for collector was implemented in language Python. Classifier is based on a model, for which training data were needed. The exporter contains the classifying algorithm too, the place of the classification can be set. The implementation was followed by creation of testing data and evaluation of the accuracy. The speed of the classifier was tested too. In the best case scenario 47% accuracy was achieved.

Interaktivní webové rozhraní pro zobrazení ip flow dat / Interactive Web Interface for IP Flow Data

Salač, Radek

January 2012

This thesis describes development of application for analyzing IP flow data.    The author conducts relative comparison of already existing protocols and tools and studies theirs pro's and con's.    Based on this comparison and features requested by users,    author develops his own application primarly focused on interactive and user-friendly interface for working with IP flow data.