Intrusion Detection Using Netflow Traces from a Production Local ISP
Given the increasing volume, and at times complexity, of internet traffic, network security has become a critical challenge. While traditional methods such as Deep Packet Inspection (DPI) offer fine-grained visibility into network behaviour, they are computationally intensive and raise privacy conce...
| Autor: | |
|---|---|
| Tipo de documento: | dissertação |
| Data de publicação: | 2025 |
| País: | España |
| Recursos: | Universitat Politècnica de Catalunya (UPC) |
| Repositório: | UPCommons. Portal del coneixement obert de la UPC |
| Idioma: | inglês |
| OAI Identifier: | oai:upcommons.upc.edu:2117/450205 |
| Acesso em linha: | https://hdl.handle.net/2117/450205 |
| Access Level: | Acceso aberto |
| Palavra-chave: | Machine learning Computer security netflows isp machine-learning cybersecurity nfdump flow intrusion-detection Aprenentatge automàtic Seguretat Informàtica Àrees temàtiques de la UPC::Informàtica::Seguretat informàtica |
| Resumo: | Given the increasing volume, and at times complexity, of internet traffic, network security has become a critical challenge. While traditional methods such as Deep Packet Inspection (DPI) offer fine-grained visibility into network behaviour, they are computationally intensive and raise privacy concerns, making them less suitable for small Internet Service Providers (ISPs). This thesis investigates the use of NetFlow data as a lightweight, privacy-preserving alternative for network traffic analysis and intrusion detection. The study focuses on a local ISP, eXO, and leverages unlabelled NetFlow traces collected over a 21-day period from the main router that connects subscribers to the Internet. In order to analyse traffic patterns, detect potential anomalies and identify connection attempts, a combination of unsupervised machine learning techniques is applied. These include k-means and DBSCAN clustering, with the assistance of a black list. These methods enable the identification of abnormal flows without the need for payload inspection or prior labelling of attack types. Our research indicates that flow-based analysis is effective in identifying suspicious behaviours, with density-based clustering providing a preliminary method for detecting traffic anomalies. However, in order to fully comprehend the nature of the connection, it is necessary to group flows into bidirectional flows. In addition, our research has revealed that TCP and UDP both demonstrate a high volume of scans, connections attempts and noise connections originated outside the ned. This work is composed of two parts. Firstly, a Netflow trace analysis is conducted using a blacklist to ascertain whether the blacklisted IPs are present in the traffic and to gain an initial understanding of the impact generated by connections from these IPs. Secondly, machine learning models are implemented to detect potential malicious traffic. This work demonstrates that NetFlow analysis, when paired with bidirectional flows and machine learning, can serve as a viable alternative to reduce network noise, filter scan attempts and enhance cybersecurity in smaller, resource-constrained network environments. |
|---|