As networks have grown, so has the volume of data available for monitoring and security purposes. This increase in volume has raised significant challenges for administrators in identifying threats among large volumes of network traffic, much of which is often background noise. In this paper we propose a framework for scoring and coding NetFlow data with security-related information. The scores and codes are added through the application of a series of independent tests, each of which may flag some form of suspicious behaviour. The cumulative effect of the scoring and coding raises the more serious potential threats to the fore, allowing for quick and effective investigation or action. The framework is presented along with a description of an implementation and some findings that uncover potentially malicious network traffic.
Reference:
Sweeney, M. and Irwin, B.V.W. 2017. A netFlow scoring framework for incident detection. Paper presented at the Southern Africa Telecommunication Networks and Applications Conference (SATNAC) 2017, 3-10 September 2017, Freedom of the Seas, Royal Caribbean International, Barcelona, Spain. http://hdl.handle.net/10204/9693