An Overview of IP Flow-Based Intrusion Detection

Anna Sperotto, Gregor Schaffrath, R. Sadre, Cristian Morariu, Aiko Pras, Burkhard Stiller

    Research output: Contribution to journalArticleAcademicpeer-review

    2114 Downloads (Pure)


    Intrusion detection is an important area of research. Traditionally, the approach taken to find attacks is to inspect the contents of every packet. However, packet inspection cannot easily be performed at high-speeds. Therefore, researchers and operators started investigating alternative approaches, such as flow-based intrusion detection. In that approach the flow of data through the network is analyzed, instead of the contents of each individual packet. The goal of this paper is to provide a survey of current research in the area of flow-based intrusion detection. The survey starts with a motivation why flow-based intrusion detection is needed. The concept of flows is explained, and relevant standards are identified. The paper provides a classification of attacks and defense techniques and shows how flow-based techniques can be used to detect scans, worms, Botnets and (DoS) attacks.
    Original languageUndefined
    Pages (from-to)343-356
    Number of pages14
    JournalIEEE communications surveys & tutorials
    Issue number3
    Publication statusPublished - 2010


    • EWI-18341
    • packet inspection
    • invasive software
    • computer network security
    • data flow analysis
    • worms
    • METIS-277422
    • IR-72752
    • Botnets
    • IP flow based intrusion detection
    • IP networks
    • Data flow
    • DoS attacks
    • EC Grant Agreement nr.: FP6/026854

    Cite this