Conference paper

HOFSTEDE Rick, BARTOŠ Václav, SPEROTTO Anna and PRAS Aiko. Towards Real-Time Intrusion Detection for NetFlow and IPFIX. In: Proceedings of the 9th International Conference on Network and Service Management. Zürich: International Federation for Information Processing, 2013, pp. 1-6. ISBN 978-3-901882-53-1. Available from: http://www.cnsm-conf.org/2013/documents/papers/CNSM/p227-hofstede.pdf
Publication language:english
Original title:Towards Real-Time Intrusion Detection for NetFlow and IPFIX
Title (cs):Detekce průniků v reálném čase pro NetFlow a IPFIX
Pages:1-6
Proceedings:Proceedings of the 9th International Conference on Network and Service Management
Conference:9th International Conference on Network and Service Management
Place:Zürich, CH
Year:2013
URL:http://www.cnsm-conf.org/2013/documents/papers/CNSM/p227-hofstede.pdf
ISBN:978-3-901882-53-1
Publisher:International Federation for Information Processing
Files: 
+Type Name Title Size Last modified
iconcnsm13_realtime_intrusion_detection.pdf707 KB2014-01-03 09:01:28
^ Select all
With selected:
Keywords
Internet measurements, Denial of service, Intrusion
detection, NetFlow, IPFIX, Flow monitoring
Annotation
DDoS attacks bring serious economic and technical damage to networks and enterprises. Timely detection and mitigation are therefore of great importance. However, when flow monitoring systems are used for intrusion detection, as it is often the case in campus, enterprise and backbone networks, timely data analysis is constrained by the architecture of NetFlow and IPFIX. In their current architecture, the analysis is performed after certain timeouts, which generally delays the intrusion detection for several minutes. This paper presents a functional extension for both NetFlow and IPFIX flow exporters, to allow for timely intrusion detection and mitigation of large flooding attacks. The contribution of this paper is threefold. First, we integrate a lightweight intrusion detection module into a flow exporter, which moves detection closer to the traffic observation point. Second, our approach mitigates attacks in near real-time by instructing firewalls to filter malicious traffic. Third, we filter flow data of malicious traffic to prevent flow collectors from overload. We validate our approach by means of a prototype that has been deployed on a backbone link of the Czech national research and education network CESNET.
BibTeX:
@INPROCEEDINGS{
   author = {Rick Hofstede and V{\'{a}}clav Barto{\v{s}} and Anna
	Sperotto and Aiko Pras},
   title = {Towards Real-Time Intrusion Detection for NetFlow and IPFIX},
   pages = {1--6},
   booktitle = {Proceedings of the 9th International Conference on Network
	and Service Management},
   year = {2013},
   location = {Z{\"{u}}rich, CH},
   publisher = {International Federation for Information Processing},
   ISBN = {978-3-901882-53-1},
   language = {english},
   url = {http://www.fit.vutbr.cz/research/view_pub.php.en.iso-8859-2?id=10111}
}

Your IPv4 address: 54.234.255.29
Switch to IPv6 connection

DNSSEC [dnssec]