
Towards Applications’ Fingerprinting through the usage of Netflow/IPfix Technology

MASTER Assignment


Type: Master M-CS

Period: November, 2023 - April, 2024

Student: Vuolo, M.R. (Mario, Student M-CS)

Date Final project: April 19, 2024

Thesis

Supervisors:

Abstract:

Flow monitoring has become an increasingly prevalent method for monitoring traffic in enterprises, mainly because of its performance and scalability. We present a system that detects anomalous outbound HTTP communications and exploits the advantages of NetFlow/IPFIX technology to passively extract a fingerprint for each application running on a host. The aim of our work is to identify the most discriminative features available in an IPFIX system, both to identify application types and to detect fingerprints of anomalous communications. We evaluate our prototype with real-world data from an international organisation and with a dataset of traffic generated by malware, and show that it detects malicious traffic with an accuracy of 98.6% and a recall of 91.6% across 246 monitored host machines. We compare our solution with DECANTeR [6], the current state-of-the-art application fingerprinting approach, which detects anomalous outbound HTTP traffic independently of its payload and without using malicious data during the training phase. The results show that our approach is a good alternative in terms of both detection rate and the resources required to detect malicious traffic. This capability is further demonstrated in an analysis of the dataset composed of malicious traffic, where our system detected the malicious traffic in 99.06% of the cases.
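The abstract describes the general pattern behind flow-based application fingerprinting: learn, from benign flow records only, what each host's outbound HTTP traffic normally looks like, then flag flows whose flow-level profile does not match, and score the detector with accuracy and recall. The following is an added illustration of that pattern and is not the thesis's code or its feature set. It assumes simplified IPFIX-style flow records (source, destination, port, packets, bytes, duration), a fingerprint made of coarse (destination port, bytes-per-packet bucket, packets-per-flow bucket) profiles, and a small constructed set of training and test flows; the bucket sizes, the `Flow` class and the helper names are all assumptions chosen for the example.

```python
"""Toy flow-based application fingerprinting with accuracy/recall scoring.

Added example, not the thesis's implementation. Assumptions (not from the page):
flow records are simplified IPFIX-style tuples; a host's fingerprint is the set of
(dst port, bytes-per-packet bucket, packets-per-flow bucket) profiles seen in
benign training traffic; a test flow is anomalous when its profile is absent
from the source host's fingerprint.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    packets: int
    bytes: int
    duration_ms: int
    label: str = "benign"  # ground truth, used only for evaluation, never for training


def profile(flow: Flow) -> tuple:
    """Coarse feature key: benign variations collapse onto the same bucket."""
    bytes_per_packet = flow.bytes // max(flow.packets, 1)
    bpp_bucket = min(bytes_per_packet // 200, 7)   # 200-byte steps, capped at 7
    pkt_bucket = min(flow.packets // 10, 5)        # 10-packet steps, capped at 5
    return (flow.dst_port, bpp_bucket, pkt_bucket)


def train(flows):
    """Build one fingerprint (set of profiles) per source host from benign flows."""
    fingerprints = defaultdict(set)
    for f in flows:
        fingerprints[f.src].add(profile(f))
    return fingerprints


def detect(fingerprints, flows):
    """Return a list of (flow, flagged) pairs; unknown profile => flagged."""
    return [(f, profile(f) not in fingerprints.get(f.src, set())) for f in flows]


def evaluate(verdicts):
    """Confusion counts plus the two metrics the abstract reports."""
    tp = fp = tn = fn = 0
    for f, flagged in verdicts:
        malicious = f.label == "malicious"
        if flagged and malicious:
            tp += 1
        elif flagged:
            fp += 1
        elif malicious:
            fn += 1
        else:
            tn += 1
    total = tp + fp + tn + fn
    return {
        "accuracy": (tp + tn) / total if total else 0.0,
        "recall": tp / (tp + fn) if (tp + fn) else 0.0,
        "tp": tp, "fp": fp, "tn": tn, "fn": fn,
    }


# Constructed sample data (not real traffic). Training traffic is benign only.
TRAIN = [
    Flow("10.0.0.5", "93.184.216.34", 443, 50, 60000, 800),  # (443, 6, 5)
    Flow("10.0.0.5", "93.184.216.34", 443, 48, 62000, 700),  # (443, 6, 4)
    Flow("10.0.0.5", "203.0.113.10", 80, 12, 6000, 300),     # (80, 2, 1)
    Flow("10.0.0.5", "203.0.113.10", 80, 15, 7000, 350),     # (80, 2, 1)
    Flow("10.0.0.6", "203.0.113.10", 80, 11, 5500, 300),     # (80, 2, 1)
]
TEST = [
    Flow("10.0.0.5", "93.184.216.34", 443, 52, 65000, 820),                      # matches -> TN
    Flow("10.0.0.5", "203.0.113.10", 80, 13, 6500, 310),                         # matches -> TN
    Flow("10.0.0.5", "198.51.100.7", 80, 4, 400, 100, label="malicious"),        # tiny flows -> TP
    Flow("10.0.0.5", "198.51.100.7", 80, 4, 420, 100, label="malicious"),        # tiny flows -> TP
    Flow("10.0.0.6", "198.51.100.7", 80, 14, 6800, 300, label="malicious"),      # blends in -> FN
    Flow("10.0.0.6", "203.0.113.10", 80, 10, 5000, 280),                         # matches -> TN
]


def run_example():
    """Train on benign flows, score the labelled test flows, return the metrics."""
    return evaluate(detect(train(TRAIN), TEST))


if __name__ == "__main__":
    print(run_example())
```

The deliberately included false negative (the third malicious flow, whose size profile is indistinguishable from the host's normal port-80 traffic) is the kind of case that separates accuracy from recall: with coarse flow features alone, a malicious flow that mimics the host's usual HTTP shape passes, which is why feature selection within IPFIX records matters so much for this approach.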