Cleaning Your House First: Shifting the Paradigm on How to Secure Networks

  • Jérôme François
  • Giovane C. M. Moura
  • Aiko Pras
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6734)


The standard paradigm when securing networks is to filter ingress traffic to the domain to be protected. Even though many tools and techniques have been developed and employed over the recent years for this purpose, we are still far from having secure networks. In this work, we propose a paradigm shift on the way we secure networks, by investigating whether it would not be efficient to filter egress traffic as well. The main benefit of this approach is the possibility to mitigate malicious activities before they reach the Internet. To evaluate our proposal, we have developed a prototype and conducted experiments using NetFlow data from the University of Twente.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Arbor networks. Worldwide infrastructure security report (2009 report). Technical report (2010)Google Scholar
  2. 2.
    John, J.P., Moshchuk, A., Gribble, S.D., Krishnamurthy, A.: Studying spamming botnets using Botlab. In: NSDI 2009: Proceedings of the 6th USENIX Symposium on Networked Systems Design and Implementation, pp. 291–306. USENIX Association, Berkeley (2009)Google Scholar
  3. 3.
    de Vries, W.W., Moreira Moura, G.C., Pras, A.: Fighting spam on the sender side: A lightweight approach. In: Aagesen, F.A., Knapskog, S.J. (eds.) EUNICE 2010. LNCS, vol. 6164, pp. 188–197. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  4. 4.
    van Eeten, M., Bauerb, J.M., Asgharia, H., Tabatabaiea, S., Randc, D.: The Role of Internet Service Providers in Botnet Mitigation: An Empirical Analysis Based on Spam Data. In: WEIS 2010: Ninth Workshop on the Economics of Information Security (2010)Google Scholar
  5. 5.
    Cisco Systems. Cisco IOS NetFlow (August 2010)Google Scholar
  6. 6.
    Sperotto, A., Schaffrath, G., Sadre, R., Morariu, C., Pras, A., Stiller, B.: An Overview of IP Flow-Based Intrusion Detection. IEEE Communications Surveys Tutorials 12(3), 343–356 (2010)CrossRefGoogle Scholar
  7. 7.
    Xie, Y., Yu, F., Achan, K., Panigrahy, R., Hulten, G., Osipkov, I.: Spamming botnets: signatures and characteristics. SIGCOMM Comput. Commun. Rev. 38(4), 171–182 (2008)CrossRefGoogle Scholar
  8. 8.
    Gu, G., Perdisci, R., Zhang, J., Lee, W.: Botminer: clustering analysis of network traffic for protocol- and structure-independent botnet detection. In: USENIX Security Symposium (SS), San Jose, CA, pp. 139–154 (July 2008)Google Scholar
  9. 9.
    Sperotto, A., Vliek, G., Sadre, R., Pras, A.: Detecting spam at the network level. In: Oliver, M., Sallent, S. (eds.) EUNICE 2009. LNCS, vol. 5733, pp. 208–216. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  10. 10.
    Day, W.H., Edelsbrunner, H.: Efficient algorithms for agglomerative hierarchical clustering methods. Journal of Classification 1(1), 7–24 (1984)CrossRefzbMATHGoogle Scholar
  11. 11.
    Schikuta, E.: Grid-clustering: a fast hierarchical clustering method for very large data sets. In: Proceedings 15th Int. Conf. on Pattern Recognition, pp. 101–105 (1996)Google Scholar
  12. 12.
    François, J., Abdelnur, H., State, R., Festor, O.: Automated Behavioral Fingerprinting. In: Kirda, E., Jha, S., Balzarotti, D. (eds.) RAID 2009. LNCS, vol. 5758, pp. 182–201. Springer, Heidelberg (2009)Google Scholar
  13. 13.
    Sperotto, A., Sadre, R., van Vliet, F., Pras, A.: A Labeled Data Set for Flow-Based Intrusion Detection. In: Nunzi, G., Scoglio, C., Li, X. (eds.) IPOM 2009. LNCS, vol. 5843, pp. 39–50. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  14. 14.
    Porras, P., Sadi, H., Yegneswaran, V.: A Multi-perspective Analysis of the Storm (Peacomm) WormGoogle Scholar
  15. 15.
    Wang, P., Wu, L., Cunningham, R., Zou, C.C.: Honeypot detection in advanced botnet attacks. Int. J. Inf. Comput. Secur. 4(1), 30–51 (2010)Google Scholar
  16. 16.
    Rajab, M.A., Zarfoss, J., Monrose, F., Terzis, A.: A multifaceted approach to understanding the botnet phenomenon. In: ACM SIGCOMM conference on Internet measurement (IMC), pp. 41–52 (2006)Google Scholar
  17. 17.
    Karasaridis, A., Rexroad, B., Hoeflin, D.: Wide-scale botnet detection and characterization. In: First Workshop on Hot Topics in Understanding Botnets (HotBots). USENIX (2007)Google Scholar
  18. 18.
    Holz, T., Steiner, M., Dahl, F., Biersack, E., Freiling, F.: Measurements and mitigation of peer-to-peer-based botnets: a case study on storm worm. In: LEET 2008: Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats, pp. 1–9. USENIX Association, Berkeley (2008)Google Scholar
  19. 19.
    François, J., Wang, S., State, R., Engel, T.: BotTrack: Tracking Botnets using NetFlow and PageRank. In: Domingo-Pascual, J., Manzoni, P., Palazzo, S., Pont, A., Scoglio, C. (eds.) NETWORKING 2011, Part I. LNCS, vol. 6640, pp. 1–14. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  20. 20.
    Gu, G., Porras, P., Yegneswaran, V., Fong, M., Lee, W.: Bothunter: detecting malware infection through ids-driven dialog correlation. In: USENIX Security Symposium (SS) (August 2007)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2011

Authors and Affiliations

  • Jérôme François
    • 1
  • Giovane C. M. Moura
    • 2
  • Aiko Pras
    • 2
  1. 1.Interdisciplinary Centre for Security, Reliability and TrustUniversity of LuxembourgLuxembourg
  2. 2.Centre for Telematics and Information Technology (CTIT), Faculty of Electrical Engineering, Mathematics and Computer Science (EEMCS)Design and Analysis of Communications Systems (DACS)EnschedeThe Netherlands

Personalised recommendations