0

Is anyone aware of any open source code for NetFlow anomaly detection for DDoS and tunneling? I am a newbie in this area. I did find very few on GitHub, but anyone who has more experience with it, do advise.

Just want to try a few to understand how they work, so Python, R, or C++ are all fine as languages.

venu

1 Answer

0

There are some great resources around for ingesting the various flow formats. The harder part is in doing anomaly detection. You could consider 'R', see for instance: http://www.ojscurity.com/2014/10/r-netflow-analytics-i.html

When trying to detect tunneling you will need to establish one or more metrics that you can use to "profile" the traffic. Typically this would be on a per-endpoint, per-protocol basis. For instance, HTTPS traffic to Amazon looks different than watching Netflix content. The metrics you establish should enable you to detect a change in the typical pattern for a given type of traffic.

So it might be hard to detect HTTP traffic tunneled over HTTPS by using just flow data. However, tunneling HTTP traffic over DNS should be fairly easy to detect due to the different volumetric and session timing characteristics of each protocol.

DDoS is more straightforward, and can be detected by a volumetric "baseline", since typical attacks are extremely loud in nature. The more specific you get in terms of protocol and packet type, though, the faster and more accurate your DDoS detection will be.

Finally, the more you "know" about the network you are monitoring, the better you are able to pick up anomalies. There are some obvious first principles here, as DDoS attacks are loud, and most protocols have fairly well-known volume/timing characteristics, but learning what is typical for your network is the best way to reduce false positives.

Vince Berk
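The two ideas in the answer above, a per-protocol "profile" of bytes and session timing (for spotting DNS-tunnel-like flows) and a per-destination volumetric baseline (for DDoS), as a small added Python example; it is not code from the answer or from any of the tools mentioned, and the flow records, addresses and thresholds are constructed for illustration.

```python
"""Flow-record anomaly checks: per-protocol profile (tunnelling) and per-destination volume baseline (DDoS)."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed sample flows (not real traffic): (start_sec, duration_sec, src, dst, proto, dport, packets, bytes)
BASELINE = [(t, 0.02, f"10.0.0.{10+t}", "10.0.0.53", "udp", 53, 2, 150 + (t % 3) * 10) for t in range(20)]
BASELINE += [(t, 12.0, f"10.0.0.{10+t}", "203.0.113.7", "tcp", 443, 400, 300_000 + t * 1000) for t in range(20)]
TEST = [(100, 0.02, "10.0.0.31", "10.0.0.53", "udp", 53, 2, 160),          # ordinary DNS lookup
        (101, 540.0, "10.0.0.42", "10.0.0.53", "udp", 53, 1800, 900_000),   # long, fat "DNS" session
        (102, 11.0, "10.0.0.33", "203.0.113.7", "tcp", 443, 390, 301_000)]  # ordinary HTTPS
TEST += [(110, 0.01, f"198.51.100.{i}", "10.0.0.80", "tcp", 80, 1, 60) for i in range(1, 61)]  # burst of tiny flows

def stats(values):
    """Mean and population std-dev; std-dev floors at 1.0 so a perfectly flat baseline still yields a score."""
    return mean(values), max(pstdev(values), 1.0)

def profile(flows):
    """Per (proto, dport): baseline of bytes per flow and flow duration, i.e. the 'typical' shape of each protocol."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f[4], f[5])].append(f)
    return {k: (stats([f[7] for f in fl]), stats([f[1] for f in fl])) for k, fl in groups.items()}

def tunnel_suspects(flows, prof, k=3.0):
    """Flag flows whose bytes or duration exceed their protocol's baseline by more than k std-devs."""
    out = []
    for f in flows:
        if (f[4], f[5]) not in prof:
            continue  # no baseline for this protocol/port, so nothing to compare against
        (b_mu, b_sd), (d_mu, d_sd) = prof[(f[4], f[5])]
        z_bytes, z_dur = (f[7] - b_mu) / b_sd, (f[1] - d_mu) / d_sd
        if max(z_bytes, z_dur) > k:
            out.append((f[2], f[3], f[5], round(z_bytes, 1), round(z_dur, 1)))
    return out

def flows_per_window(flows, window):
    """Count flows per (dst, time window): a crude volumetric series for each destination."""
    return Counter((f[3], f[0] // window) for f in flows)

def ddos_suspects(train, test, window=10, k=3.0):
    """Flag (dst, window) pairs whose flow count exceeds that destination's training baseline by > k std-devs."""
    base = defaultdict(list)
    for (dst, _), n in flows_per_window(train, window).items():
        base[dst].append(n)  # windows with zero flows never appear here, so the baseline is optimistic
    out = []
    for (dst, w), n in flows_per_window(test, window).items():
        mu, sd = stats(base.get(dst, [0]))  # never-seen destination: baseline of zero flows
        if (n - mu) / sd > k:
            out.append((dst, w, n))
    return out
```

With these inputs, `tunnel_suspects(TEST, profile(BASELINE))` flags only the 540-second, 900 kB "DNS" flow from 10.0.0.42, and `ddos_suspects(BASELINE, TEST)` flags only the 60-flow burst to 10.0.0.80 in window 11; on a real network the baseline must be learned from that network's own traffic, as the answer stresses.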