MalFIX: Using IPFIX for Scaling Threat Detection to High Data Rates

DSpace Repository

URI: http://hdl.handle.net/10900/163779
http://nbn-resolving.org/urn:nbn:de:bsz:21-dspace-1637796
http://dx.doi.org/10.15496/publikation-105109
Document type: Article
Date: 2025-04-03
Language: English
Faculty: 7 Faculty of Science (Mathematisch-Naturwissenschaftliche Fakultät)
Department: Computer Science (Informatik)
DDC Classification: 004 - Data processing and computer science

Abstract:

Threat intelligence feeds provide up-to-date information about threat indicators such as IP addresses, hostnames, etc. This information can be used to identify potentially malicious actors by scanning network traffic. In this paper, we present a high-performance architecture for threat detection that leverages openly available threat intelligence feeds. For that purpose, the open-source tool Maltrail has been modified to make it horizontally scalable and to handle IPFIX flow data. Maltrail was adapted to process IPFIX as input and to generate IPFIX-compatible output that includes information about detected threats. These threats are then ingested into Apache Kafka, enabling further analysis and integration with other tools. Benchmark results highlight the scalability of this approach, with a peak processing speed of 300,000 flows per second on 32 CPU cores.