Peer Based Tracking using Multi-Tuple Indexing for Network Traffic Analysis and Malware Detection

Matthew Hagan, BooJoong Kang, Kieran McLaughlin, Sakir Sezer

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

3 Citations (Scopus)
341 Downloads (Pure)


Traditional firewalls, Intrusion Detection Systems (IDS) and analytics tools extensively use the “flow” connection concept, consisting of 5-tuples of source and destination IP, ports and protocol type, for classification and management of network activities. By analysing flows, information can be obtained from TCP/IP fields and packet content, to give an understanding of the content being transferred within a single connection. As networks have evolved to incorporate more connections and greater bandwidth, from “always on” IoT devices to application to operating system analytics, so too have malicious network threats, whose communication methods have increased in sophistication. As a result, the concept of the 5-tuple flow in isolation is unable to detect such threats and malicious behaviours. This is because a greater length of time and more data are needed to understand the behaviour of the network traffic, which cannot be accomplished by observing a single connection.
To alleviate this issue, this paper proposes the use of additional 2-tuple and single-tuple flow types to associate multiple 5-tuple communications, with generated metadata used to profile individual connection behaviour. This proposed approach enables advanced linking of different connections and behaviours, developing a clearer picture of what network activities have been taking place over a prolonged period of time. To demonstrate the capability of this approach, an expert system rule set has been developed, using the ZeuS source code as reference, to simultaneously utilise 5-tuple, 2-tuple and single-tuple flows to detect the presence of a multi-peered ZeuS botnet, which would not be possible using a standard IDS system observing 5-tuple flow types only. Finally, as the solution is rule based, this implementation can operate in real time and does not require the post-processing and analytics that other research-based solutions require. This paper aims to demonstrate possible applications for next generation firewalls and methods to acquire additional information from network traffic.
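A minimal sketch of the multi-tuple indexing idea described in the abstract, added here as an illustration and not taken from the paper or its rule set. It assumes the 2-tuple is the (source IP, destination IP) pair and the single tuple is the source IP; the class name, thresholds and sample packets are constructed for the example and are not the paper's ZeuS rules.

```python
from collections import defaultdict

class MultiTupleIndex:
    """One flow table indexed by 5-tuple, 2-tuple (IP pair) and 1-tuple (host)."""

    def __init__(self):
        self.flows5 = defaultdict(lambda: {"pkts": 0, "bytes": 0})
        self.pairs2 = defaultdict(set)  # (src_ip, dst_ip) -> 5-tuple keys
        self.hosts1 = defaultdict(set)  # src_ip -> peer IPs

    def update(self, src, sport, dst, dport, proto, nbytes):
        key5 = (src, sport, dst, dport, proto)
        self.flows5[key5]["pkts"] += 1
        self.flows5[key5]["bytes"] += nbytes
        self.pairs2[(src, dst)].add(key5)  # link the connection to its IP pair
        self.hosts1[src].add(dst)          # link the IP pair to its host

    def repeated_peers(self, host, min_flows, max_bytes):
        """Peers reached over at least min_flows separate small connections."""
        peers = []
        for dst in sorted(self.hosts1.get(host, ())):
            small = [k for k in self.pairs2[(host, dst)]
                     if self.flows5[k]["bytes"] <= max_bytes]
            if len(small) >= min_flows:
                peers.append(dst)
        return peers

    def multi_peer_hosts(self, min_peers=3, min_flows=2, max_bytes=2048):
        """Hosts whose combined 2-tuple records show many repeated small peers."""
        hits = {}
        for host in list(self.hosts1):
            peers = self.repeated_peers(host, min_flows, max_bytes)
            if len(peers) >= min_peers:
                hits[host] = peers
        return hits

# Constructed sample packets: (src, sport, dst, dport, proto, bytes)
SAMPLE = [
    ("10.0.0.5", 49152, "192.0.2.10", 8443, "tcp", 300),
    ("10.0.0.5", 49153, "198.51.100.20", 9001, "tcp", 280),
    ("10.0.0.5", 49154, "203.0.113.30", 7070, "udp", 120),
    ("10.0.0.5", 49160, "192.0.2.10", 8443, "tcp", 310),
    ("10.0.0.5", 49161, "198.51.100.20", 9001, "tcp", 290),
    ("10.0.0.5", 49162, "203.0.113.30", 7070, "udp", 130),
] + [("10.0.0.9", 50000, "192.0.2.80", 443, "tcp", 1400)] * 3

def build_index(packets=SAMPLE):
    idx = MultiTupleIndex()
    for pkt in packets:
        idx.update(*pkt)
    return idx
```

Each of the six 5-tuple flows from 10.0.0.5 is a single small packet and unremarkable on its own; only the 2-tuple and single-tuple views show one host returning repeatedly to several peers.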
Original language: English
Title of host publication: 16th Annual Conference on Privacy, Security and Trust
Subtitle of host publication: August 28-30, 2018, Belfast, Northern Ireland, United Kingdom
Publisher: IEEE
Number of pages: 5
Publication status: Early online date - 01 Nov 2018
Event: Privacy, Security and Trust 2018 - Belfast, United Kingdom
Duration: 28 Aug 2018 to 30 Aug 2018


Conference: Privacy, Security and Trust 2018
Abbreviated title: PST 2018
Country/Territory: United Kingdom


  • 5-tuple flow tables, Zeus botnet, Network Behavioural detection, Next generation firewall

