Vol. 1 No. 1 (2015): Proceedings of Botconf 2015
Conference proceedings

Practical Experiences of Building an IPFIX Based Open Source Botnet Detector

Mark Graham
Anglia Ruskin University
Adrian Winckles
Anglia Ruskin University
Erika Sanchez-Velazquez
Anglia Ruskin University

Published 2016-03-07

How to Cite

Graham, M. ., Winckles, A. ., & Sanchez-Velazquez, E. . (2016). Practical Experiences of Building an IPFIX Based Open Source Botnet Detector. The Journal on Cybercrime and Digital Investigations, 1(1), 21-28. https://doi.org/10.18464/cybin.v1i1.7

Download Citation


The academic study of flow-based malware detection has primarily focused on NetFlow v5 and v9. In 2013 IPFIX was ratified as the flow export standard. As part of a larger project to develop protection methods for Cloud Service Providers from botnet threats, this paper considers the challenges involved in designing an open source IPFIX based botnet detection function. This paper describes how these challenges were overcome and presents an open source system built upon Xen hypervisor and Open vSwitch that is able to display botnet traffic within Cloud Service Provider-style virtualised environments. The system utilises Euler property graphs to display suspect “botnestsâ€. The conceptual framework presented provides a vendor-neutral, real-time detection mechanism for monitoring botnet communication traffic within cloud architectures and the Internet of Things.


  1. Cisco Systems NetFlow Services Export Version 9. (2004). Retrieved from http://dx.doi.org/10.17487/rfc3954
  2. Information Model for IP Flow Information Export (IPFIX). (2013). Retrieved from http://dx.doi.org/10.17487/rfc7012
  3. Aitken, P. (2013). Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information. Retrieved from http://dx.doi.org/10.17487/rfc7011
  4. Collins, M. P., & Reiter, M. K. Hit-List Worm Detection and Bot Identification in Large Networks Using Protocol Graphs Lecture Notes in Computer Science (pp. 276-295): Springer Science + Business Media.
  5. Dillon, M., & Winters, T. (2014). Virtualization of Home Network Gateways. Computer, 47(11), 62-65. doi:10.1109/mc.2014.338
  6. Dinita, R.-I., Wilson, G., Winckles, A., Cirstea, M., & Rowsell, T. (2013). A novel autonomous management distributed system for cloud computing environments. Paper presented at the IECON 2013 - 39th Annual Conference of the IEEE Industrial Electronics Society. http://dx.doi.org/10.1109/iecon.2013.6700055
  7. Graham, M., Winckles, A., & Sanchez-Velazquez, E. (2015). Botnet detection within cloud service provider networks using flow protocols. Paper presented at the 2015 IEEE 13th International Conference on Industrial Informatics (INDIN). http://dx.doi.org/10.1109/indin.2015.7281975
  8. Hofstede, R., Celeda, P., Trammell, B., Drago, I., Sadre, R., Sperotto, A., & Pras, A. (2014). Flow Monitoring Explained: From Packet Capture to Data Analysis With NetFlow and IPFIX. IEEE Communications Surveys & Tutorials, 16(4), 2037-2064. doi:10.1109/comst.2014.2321898
  9. Huang, Y.-L., Chen, B., Shih, M.-W., & Lai, C.-Y. (2012). Security Impacts of Virtualization on a Network Testbed. Paper presented at the 2012 IEEE Sixth International Conference on Software Security and Reliability. http://dx.doi.org/10.1109/sere.2012.17
  10. Iliofotou, M., Kim, H.-c., Faloutsos, M., Mitzenmacher, M., Pappu, P., & Varghese, G. (2011). Graption: A graph-based P2P traffic classification framework for the internet backbone. Computer Networks, 55(8), 1909-1920. doi:10.1016/j.comnet.2011.01.020
  11. Jasti, A., Shah, P., Nagaraj, R., & Pendse, R. (2010). Security in multi-tenancy cloud. Paper presented at the 44th Annual 2010 IEEE International Carnahan Conference on Security Technology. http://dx.doi.org/10.1109/ccst.2010.5678682
  12. Lee, Y., Shin, S., Choi, S., & Son, H.-g. (2007). IPv6 Anomaly Traffic Monitoring with IPFIX. Paper presented at the Second International Conference on Internet Monitoring and Protection (ICIMP 2007). http://dx.doi.org/10.1109/icimp.2007.23
  13. Ristenpart, T., Tromer, E., Shacham, H., & Savage, S. (2009). Hey, you, get off of my cloud. Paper presented at the Proceedings of the 16th ACM conference on Computer and communications security - CCS '09. http://dx.doi.org/10.1145/1653662.1653687
  14. Steinberger, J., Schehlmann, L., Abt, S., & Baier, H. (2013). Anomaly Detection and Mitigation at Internet Scale: A Survey Lecture Notes in Computer Science (pp. 49-60): Springer Science + Business Media.
  15. Trammell, B., & Boschi, E. (2008). Bidirectional Flow Export Using IP Flow Information Export (IPFIX). Retrieved from http://dx.doi.org/10.17487/rfc5103
  16. Tsai, H.-Y., Siebenhaar, M., Miede, A., Huang, Y., & Steinmetz, R. (2012). Threat as a Service?: Virtualization's Impact on Cloud Security. IT Professional, 14(1), 32-37. doi:10.1109/mitp.2011.117
  17. Wang, Z., & Lee, R. (2006). Covert and Side Channels Due to Processor Architecture. Paper presented at the 2006 22nd Annual Computer Security Applications Conference (ACSAC'06). http://dx.doi.org/10.1109/acsac.2006.20