Publication detail

Towards Real-Time Intrusion Detection for NetFlow and IPFIX

HOFSTEDE, R. BARTOŠ, V. SPEROTTO, A. PRAS, A.

Original Title

Towards Real-Time Intrusion Detection for NetFlow and IPFIX

English Title

Towards Real-Time Intrusion Detection for NetFlow and IPFIX

Type

conference paper

Language

en

Original Abstract

DDoS attacks bring serious economic and technical damage to networks and enterprises. Timely detection and mitigation are therefore of great importance. However, when flow monitoring systems are used for intrusion detection, as it is often the case in campus, enterprise and backbone networks, timely data analysis is constrained by the architecture of NetFlow and IPFIX. In their current architecture, the analysis is performed after certain timeouts, which generally delays the intrusion detection for several minutes. This paper presents a functional extension for both NetFlow and IPFIX flow exporters, to allow for timely intrusion detection and mitigation of large flooding attacks. The contribution of this paper is threefold. First, we integrate a  lightweight intrusion detection module into a flow exporter, which moves detection closer to the traffic observation point. Second, our approach mitigates attacks in near real-time by instructing firewalls to filter malicious traffic. Third, we filter flow data of malicious traffic to prevent flow collectors from overload. We validate our approach by means of a prototype that has been deployed on a backbone link of the Czech national research and education network CESNET.

English abstract

DDoS attacks bring serious economic and technical damage to networks and enterprises. Timely detection and mitigation are therefore of great importance. However, when flow monitoring systems are used for intrusion detection, as it is often the case in campus, enterprise and backbone networks, timely data analysis is constrained by the architecture of NetFlow and IPFIX. In their current architecture, the analysis is performed after certain timeouts, which generally delays the intrusion detection for several minutes. This paper presents a functional extension for both NetFlow and IPFIX flow exporters, to allow for timely intrusion detection and mitigation of large flooding attacks. The contribution of this paper is threefold. First, we integrate a  lightweight intrusion detection module into a flow exporter, which moves detection closer to the traffic observation point. Second, our approach mitigates attacks in near real-time by instructing firewalls to filter malicious traffic. Third, we filter flow data of malicious traffic to prevent flow collectors from overload. We validate our approach by means of a prototype that has been deployed on a backbone link of the Czech national research and education network CESNET.

Keywords

Internet measurements, Denial of service, Intrusion detection, NetFlow, IPFIX, Flow monitoring

RIV year

2013

Released

14.10.2013

Publisher

International Federation for Information Processing

Location

Zürich

ISBN

978-3-901882-53-1

Book

Proceedings of the 9th International Conference on Network and Service Management

Edition

NEUVEDEN

Edition number

NEUVEDEN

Pages from

1

Pages to

6

Pages count

6

URL

BibTex


@inproceedings{BUT104510,
  author="Rick {Hofstede} and Václav {Bartoš} and Anna {Sperotto} and Aiko {Pras}",
  title="Towards Real-Time Intrusion Detection for NetFlow and IPFIX",
  annote="DDoS attacks bring serious economic and technical damage to networks and
enterprises. Timely detection and mitigation are therefore of great importance.
However, when flow monitoring systems are used for intrusion detection, as it is
often the case in campus, enterprise and backbone networks, timely data analysis
is constrained by the architecture of NetFlow and IPFIX. In their current
architecture, the analysis is performed after certain timeouts, which generally
delays the intrusion detection for several minutes. This paper presents
a functional extension for both NetFlow and IPFIX flow exporters, to allow for
timely intrusion detection and mitigation of large flooding attacks. The
contribution of this paper is threefold. First, we integrate a  lightweight
intrusion detection module into a flow exporter, which moves detection closer to
the traffic observation point. Second, our approach mitigates attacks in near
real-time by instructing firewalls to filter malicious traffic. Third, we filter
flow data of malicious traffic to prevent flow collectors from overload. We
validate our approach by means of a prototype that has been deployed on
a backbone link of the Czech national research and education network CESNET.",
  address="International Federation for Information Processing",
  booktitle="Proceedings of the 9th International Conference on Network and Service Management",
  chapter="104510",
  edition="NEUVEDEN",
  howpublished="print",
  institution="International Federation for Information Processing",
  year="2013",
  month="october",
  pages="1--6",
  publisher="International Federation for Information Processing",
  type="conference paper"
}