Literature Database Entry


Tobias Limmer and Falko Dressler, "Flow Analysis in the Security Context," Proceedings of 3rd GI SIG SIDAR Graduate Workshop on Reactive Security (SPRING), Mannheim, Germany, August 2008.


Recent statistics in the Internet show high growth rates for computers infected by malicious applications, like so-called bots. These are installed on computers owned by unsuspecting users at home or within poorly maintained networks. A few years ago, malicious applications, particularly worms, propagated by using network-wide scans to detect vulnerable hosts, and infected them afterwards (popular examples are Code Red and Nimda). These scans have been easily detected by network monitoring equipment as often this type of malware exploited known vulnerabilities using the same attack pattern. So payload-based intrusion detection systems like Snort are well suited for the detection of these worms as they used signatures for different exploits to detect traffic belonging to these malicious applications. Later generations of malware did not depend on network-wide scans to detect and infect vulnerable hosts [1]. Instead, they relied on social engineering techniques to persuade users to execute malware, or zero-day client-side vulnerabilities like those found in Internet browsers. Especially these kinds of exploits are not easily distinguishable from normal network traffic. This explains a current trend in security-related monitoring systems: not the exploit of vulnerable systems is being detected but aftereffects of a successful exploit are detected, e.g. installed and active versions of malware generate typical traffic patterns that may be recognized by intrusion detection systems. Another challenge of current network monitoring systems are high data rates in networks that do not allow deep packet inspection to detect traffic patterns. So, available information is often reduced to network flows that offer an aggregated view to the monitored traffic. This type of data offers reduction rates of usually more than 20:1 in the standard setting and still allows easy detection of traffic anomalies. For best performance, flow aggregation is directly performed on hardware routers, which often support the export of flows in the IPFIX format, or its predecessors Netflow v9/v5. Current malware often causes a high number of failed connections. The limited view offered by flow-based data only allows the use of heuristic methods to determine the state of a connection, e.g. if it was successfully established, abnormally terminated or blocked by a firewall. We performed several experiments in which we analyzed results gained by analyzing ow data with a packet-based TCP defragmentation module and determined which properties describe different connection states best. For the experiments, we used our network monitoring toolkit Vermont that offers flow-based analysis of network streams. It is based on a modular structure that allows import and export of flow data in the standardized IPFIX protocol, as well as included packet payload using the PSAMP protocol. Main goal during the development of Vermont was to maintain full reconfigurability during execution of the program. This enables adaptive reaction to new demands in dynamic distributed environments.

Quick access

Authors' Version PDF (PDF on this web site)
BibTeX BibTeX


Tobias Limmer
Falko Dressler

BibTeX reference

    author = {Limmer, Tobias and Dressler, Falko},
    title = {{Flow Analysis in the Security Context}},
    address = {Mannheim, Germany},
    booktitle = {3rd GI SIG SIDAR Graduate Workshop on Reactive Security (SPRING)},
    month = {8},
    year = {2008},

Copyright notice

Links to final or draft versions of papers are presented here to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright. In most cases, these works may not be reposted or distributed for commercial purposes without the explicit permission of the copyright holder.

The following applies to all papers listed above that have IEEE copyrights: Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.

The following applies to all papers listed above that are in submission to IEEE conference/workshop proceedings or journals: This work has been submitted to the IEEE for possible publication. Copyright may be transferred without notice, after which this version may no longer be accessible.

The following applies to all papers listed above that have ACM copyrights: ACM COPYRIGHT NOTICE. Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, to republish, to post on servers, or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from Publications Dept., ACM, Inc., fax +1 (212) 869-0481, or

The following applies to all SpringerLink papers listed above that have Springer Science+Business Media copyrights: The original publication is available at

This page was automatically generated using BibDB and bib2web.

Last modified: 2024-07-16