University of Twente Student Theses


Towards applications’ fingerprinting through the usage of NetFlow/IPFIX technology

Vuolo, M.R. (2024) Towards applications’ fingerprinting through the usage of NetFlow/IPFIX technology.

Abstract: Flow monitoring has become an increasingly prevalent method for monitoring traffic in enterprises, mainly due to its performance and scalability. We present a system that detects anomalous outbound HTTP communications and exploits the advantages of NetFlow/IPFIX technology to passively extract fingerprints for each application running on a host. The aim of our work is to identify the most discriminative features within an IPFIX system, both to identify application types and to detect fingerprints from anomalous communications. We evaluate our prototype with real-world data from an international organisation and a dataset of traffic generated from malware, and show that it can detect malicious traffic with an accuracy of 98.6% and a recall of 91.6% for 246 monitored host machines. We compare our solution with DECANTeR [6], the current state-of-the-art application fingerprinting approach, which detects anomalous outbound HTTP traffic independently of its payload and without using malicious data during the training phase. The results show that our approach is a good alternative in terms of detection rate and the resources required to detect malicious traffic. This capability is further demonstrated in an analysis of the dataset composed of malicious traffic, where our system detected malicious traffic in 99,06% of the cases.
Item Type: Essay (Master)
Faculty: EEMCS: Electrical Engineering, Mathematics and Computer Science
Subject: 54 computer science
Programme: Computer Science MSc (60300)