In 2014, we launched our open-access repository which offers full text access to conference proceedings from many of our events including the INC and HAISA series. These papers are free to access and distribute (subject to citing the source).
Ninth International Network Conference (INC 2012)
Title: Towards Efficient and Privacy-Preserving Network-Based Botnet Detection Using Netflow Data
Author(s): Sebastian Abt, Harald Baier
Reference: pp37-50
Keywords: Botnet detection, network flow data, reference data set, large network operator, privacy
Abstract: Botnets pose a severe threat to the security of Internet-connected hosts and the availability of the Internet's infrastructure. In recent years, botnets have attracted many researchers. As a result, many achievements in studying different botnets' anatomies have been made and approaches to botnet detection have been developed. However, most of these approaches target botnet detection using raw packet data. While this data provides the most complete view on botnet-induced traffic, it usually cannot efficiently be collected at large network nodes transferring multi-Gigabits per second. Additionally, a deep inspection of network packets endangers the users' privacy. In order to solve these problems, different detection methods based on Netflow data have been proposed. To contribute to advances in Netflow-based botnet detection research, we first give an overview of currently known approaches and compare their advantages and disadvantages. We then argue that Netflow-based detection requires the availability of a reference data set based on real data and present a modular data collection environment that is able, amongst others, to generate Netflow data at an ISP node. Finally, we present our vision of a future botnet detection framework based on Netflow data.
Download count: 2130
How to get this paper:
A PDF copy of this paper is free to download. You may distribute this copy provided you cite this page as the source.