Technical Report - dasec.h-da.de

Technical Report

2 December 2013

FLEX – Flow-based event exchange format

A practical example

Author: Jessica Steinberger


Table of Contents

Acronyms

1 Introduction

2 NetFlow
  2.1 Foundations
  2.2 NetFlow v5
  2.3 NetFlow v9

3 Introduction of FLEX
  3.1 Components of FLEX
  3.2 Message exchange process of FLEX
  3.3 Further processing

4 Practical Example
  4.1 Use case of FLEX
  4.2 Generation of a FLEX event message

List of Figures

List of Tables

Listings


Acronyms

FLEX  Flow-based event exchange format

IPFIX Internet Protocol Flow Information Export

SMTP  Simple Mail Transfer Protocol

SNMP  Simple Network Management Protocol


1. Introduction

Anomaly detection makes use of different kinds of data sources. One data source provides flow-based information. Flow-based data contains statistical network information about a unidirectional data stream between two network devices in a certain time frame (e.g. source/destination IP address, source/destination port etc.).

There are different flow technologies available: Cisco (NetFlow), Juniper (Jflow); 3Com/HP, Dell and Netgear (sFlow); Huawei (NetStream); Alcatel-Lucent (Cflow); Ericsson (Rflow) and Internet Protocol Flow Information Export (IPFIX). The common ones are NetFlow [2], its successor IPFIX [1], and sFlow [5].

Steinberger et al. [6] performed a survey and determined that a majority of 61% currently use Simple Network Management Protocol (SNMP) data for attack detection. As shown in Figure 1a, SNMP data is closely followed by NetFlow data and server logs, at 58% each. Additional flow formats like sFlow and IPFIX are used by 29% and 32% of the attendees.

Furthermore, Steinberger et al. [6] reported that 33 of the 47 participants, i.e. 70%, have the technical ability to collect NetFlow (version 5 or version 9). sFlow can be collected by 24 of 43 responding participants, i.e. 56%. However, only 4 of 36 replying attendees (11%) are able to collect IPFIX data with their company's current infrastructure.

Therefore the practical example shown in this technical report is based on flow data provided by Cisco NetFlow version 5.

Fig. 1: Data used for attack detection. (a) Currently used data: bar chart over SNMP, sFlow, NetFlow, IPFIX, raw packets, darknet, server logs and others; vertical axis: number of responses in %, split into yes/no; total answers = 31. (b) Technical ability to collect data: bar chart over NetFlow, sFlow and IPFIX; vertical axis: quantity of participants, split into yes/no; total answers: NetFlow = 47, sFlow = 43, IPFIX = 36.

2. NetFlow

This section describes the theoretical basis of NetFlow. Section 2.2 introduces Cisco NetFlow version 5. Cisco NetFlow version 9 is explained in Section 2.3. Additionally, the main differences between the two versions are presented.

2.1 Foundations

NetFlow is a network protocol developed by Cisco Systems to provide network and security monitoring, network planning, traffic analysis, and IP accounting. NetFlow is available in different versions, of which versions 5 and 9 are the most common. The following subsections give an overview of these two versions.

2.2 NetFlow v5

Cisco NetFlow version 5 consists of a fixed data structure containing the following 20 flow field types within a flow record:

1 srcaddr
2 dstaddr
3 nexthop
4 input
5 output
6 dPkts
7 dOctets
8 first
9 last
10 srcport
11 dstport
12 pad1
13 tcp_flags
14 prot
15 tos
16 src_as
17 dst_as
18 src_mask
19 dst_mask
20 pad2

This data structure always contains the same flow field types and is thus easy to decode for collection and reporting devices. Cisco NetFlow v5 flow records cannot be extended to provide additional data.

Listing 1 provides an example of a flow record of Cisco NetFlow v5 extracted with nfdump.

Listing 1: Example Flow Record NetFlow v5
  Flags        = 0x00 Unsampled
  size         = 52
  first        = 1387648761 [2013-12-21 18:59:21]
  last         = 1387648762 [2013-12-21 18:59:22]
  msec_first   = 430
  msec_last    = 570
  src addr     = 10.0.2.15
  dst addr     = 65.55.162.200
  src port     = 1036
  dst port     = 25
  fwd status   = 0
  tcp flags    = 0x17 .A.RSF
  proto        = 6
  tos          = 0
  dPkts        = 4
  dOctets      = 186
  input        = 0
  output       = 0
  src as       = 0
  dst as       = 0
  src mask     = 0 /0
  dst mask     = 0 /0
  ip next hop  = 0
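As an added example (this is not code from the report), the following Python parser decodes a raw NetFlow v5 export datagram into the 20 fields listed above, using the fixed 24-byte packet header and 48-byte record layout of the Cisco NetFlow v5 export format. The sample datagram is constructed here to reproduce the flow of Listing 1; its header values (system uptime, export time, sequence number, engine IDs, sampling) are assumptions chosen so that the uptime-relative first/last timestamps decode to the wall-clock times Listing 1 shows.

```python
import socket
import struct
from datetime import datetime, timezone

# Cisco NetFlow v5 export layout: a 24-byte packet header (version, count, sys_uptime,
# unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id, sampling), followed
# by 'count' 48-byte flow records in the field order of Section 2.2.
HEADER_FMT = "!HHIIIIBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
RECORD_LEN = struct.calcsize(RECORD_FMT)
RECORD_FIELDS = (
    "srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
    "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
    "src_as", "dst_as", "src_mask", "dst_mask", "pad2",
)


def tcp_flags_str(flags):
    """Render TCP flags the way nfdump prints them: U A P R S F, '.' for unset bits."""
    bits = (("U", 0x20), ("A", 0x10), ("P", 0x08), ("R", 0x04), ("S", 0x02), ("F", 0x01))
    return "".join(name if flags & bit else "." for name, bit in bits)


def parse_netflow_v5(datagram):
    """Decode one NetFlow v5 export datagram into a list of flow-record dicts.

    A collector receives these over UDP from anyone who can reach the port, so the
    version and the record count are validated against the real length before any
    record is unpacked.
    """
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs,
     flow_sequence, _engine_type, _engine_id, _sampling) = struct.unpack_from(HEADER_FMT, datagram)
    if version != 5:
        raise ValueError("not a NetFlow v5 packet (version %d)" % version)
    if len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count %d does not match datagram length" % count)
    # 'first'/'last' are milliseconds of router uptime; nfdump converts them to wall
    # clock using the header's export time, which is what Listing 1 displays.
    boot_ms = unix_secs * 1000 + unix_nsecs // 1_000_000 - sys_uptime
    records = []
    for i in range(count):
        raw = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        rec = dict(zip(RECORD_FIELDS, raw))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = socket.inet_ntoa(rec[key])
        rec["first_ms"] = boot_ms + rec["first"]
        rec["last_ms"] = boot_ms + rec["last"]
        rec["tcp_flags_str"] = tcp_flags_str(rec["tcp_flags"])
        rec["flow_sequence"] = flow_sequence + i
        records.append(rec)
    return records


def build_sample_datagram():
    """Constructed test input: one record reproducing the Listing 1 flow. The header
    values (uptime 100 s, export time 2013-12-21 18:59:22.570 UTC, sequence 41, engine
    0/0, no sampling) are assumptions chosen so first/last decode to Listing 1's times."""
    sys_uptime = 100_000
    header = struct.pack(HEADER_FMT, 5, 1, sys_uptime, 1387648762, 570_000_000, 41, 0, 0, 0)
    record = struct.pack(
        RECORD_FMT,
        socket.inet_aton("10.0.2.15"), socket.inet_aton("65.55.162.200"),
        socket.inet_aton("0.0.0.0"), 0, 0, 4, 186,
        sys_uptime - 1140, sys_uptime,      # first = 18:59:21.430, last = 18:59:22.570
        1036, 25, 0, 0x17, 6, 0, 0, 0, 0, 0, 0,
    )
    return header + record


if __name__ == "__main__":
    for r in parse_netflow_v5(build_sample_datagram()):
        first = datetime.fromtimestamp(r["first_ms"] / 1000, tz=timezone.utc)
        print("%s:%d -> %s:%d proto=%d flags=%s pkts=%d bytes=%d first=%s" % (
            r["srcaddr"], r["srcport"], r["dstaddr"], r["dstport"], r["prot"],
            r["tcp_flags_str"], r["dPkts"], r["dOctets"], first.isoformat()))
```

The fixed layout is what makes v5 cheap to decode: a single struct format covers every record, and the only state a collector needs is the header's export time to turn uptime offsets into timestamps.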

2.3 NetFlow v9

Cisco NetFlow v9 is a newer development and provided the basis for IPFIX. The main difference between NetFlow v5 and NetFlow v9 is the fixed data structure used by Cisco NetFlow v5. NetFlow v9 is not as deterministic as NetFlow v5: it uses a template to describe the format of a flow record, so a collector must have received and cached the template before it can decode the data records that reference it. Figure 2 visualizes the main difference between both NetFlow versions.

Fig. 2: Difference between NetFlow v5 and v9 [4]

A further advantage of NetFlow v9 is that it is extensible and can carry much more information about a flow than NetFlow v5. Cisco NetFlow v9 defines the following flow field types, from which a template selects those present in a flow record:

1 in_bytes
2 in_pkts
3 flows
4 protocol
5 src_tos
6 tcp_flags
7 l4_src_port
8 ipv4_src_addr
9 src_mask
10 input_snmp
11 l4_dst_port
12 ipv4_dst_addr
13 dst_mask
14 output_snmp
15 ipv4_next_hop
16 src_as
17 dst_as
18 bgp_ipv4_next_hop
19 mul_dst_pkts
20 mul_dst_bytes
21 last_switched
22 first_switched
23 out_bytes
24 out_pkts
25 min_pkt_lngth
26 max_pkt_lngth
27 ipv6_src_addr
28 ipv6_dst_addr
29 ipv6_src_mask
30 ipv6_dst_mask
31 ipv6_flow_label
32 icmp_type
33 mul_igmp_type
34 sampling_interval
35 sampling_algorithm
36 flow_active_timeout
37 flow_inactive_timeout
38 engine_type
39 engine_id
40 total_bytes_exp
41 total_pkts_exp
42 total_flows_exp
43 *vendor proprietary*
44 ipv4_src_prefix
45 ipv4_dst_prefix
46 mpls_top_label_type
47 mpls_top_label_ip_addr
48 flow_sampler_id
49 flow_sampler_mode
50 flow_sampler_random_interval
51 *vendor proprietary*
52 min_ttl
53 max_ttl
54 ipv4_ident
55 dst_tos
56 in_src_mac
57 out_dst_mac
58 src_vlan
59 dst_vlan
60 ip_protocol_version
61 direction
62 ipv6_next_hop
63 bgp_ipv6_next_hop
64 ipv6_option_headers
65–69 *vendor proprietary*
70–79 mpls_label_1 … mpls_label_10
80 in_dst_mac
81 out_src_mac
82 if_name
83 if_desc
84 sampler_name
85 in_permanent_bytes
86 in_permanent_pkts
87 *vendor proprietary*
88 fragment_offset
89 forwarding_status
90 mpls_pal_rd
91 mpls_prefix_len
92 src_traffic_index
93 dst_traffic_index
94 application_description
95 application_tag
96 application_name
97 postipdiffservcodepoint
98 replication_factor
99 deprecated
100 layer2packetsectionoffset
101 layer2packetsectionsize
102 layer2packetsectiondata
103–125 Reserved by Cisco
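As an added example (not the report's code), the following Python decoder shows the template mechanism of NetFlow v9 in practice: template FlowSets (FlowSet ID 0) are cached per exporter source ID and template ID, and a data FlowSet (FlowSet ID equal to a template ID, 256 or above) can only be decoded once its template has been seen. The two sample packets are constructed here with assumed header values and carry the flow of Listing 1 in a ten-field template using the field type numbers from the list above; feeding the data packet before the template packet yields nothing, which is the practical consequence of the non-deterministic layout.

```python
import socket
import struct

# NetFlow v9 field type numbers (from the list above) used by the sample template.
V9_FIELD_NAMES = {
    1: "in_bytes", 2: "in_pkts", 4: "protocol", 6: "tcp_flags", 7: "l4_src_port",
    8: "ipv4_src_addr", 11: "l4_dst_port", 12: "ipv4_dst_addr",
    21: "last_switched", 22: "first_switched",
}
IPV4_FIELDS = {8, 12, 15, 18}      # ipv4_src_addr, ipv4_dst_addr, ipv4_next_hop, bgp_ipv4_next_hop
V9_HEADER_FMT = "!HHIIII"          # version, count, sys_uptime, unix_secs, sequence, source_id
V9_HEADER_LEN = 20


def decode_value(field_type, raw):
    """Field values are big-endian integers, except the IPv4 address types."""
    return socket.inet_ntoa(raw) if field_type in IPV4_FIELDS else int.from_bytes(raw, "big")


class NetFlowV9Decoder:
    """Template-driven decoder. Templates are cached per (source_id, template_id);
    a data FlowSet whose template has not arrived yet is counted as undecodable
    rather than guessed at, which is exactly where v9 is less deterministic than v5."""

    def __init__(self):
        self.templates = {}
        self.undecodable = 0

    def feed(self, packet):
        """Decode one export packet; returns the flow records it could decode."""
        if len(packet) < V9_HEADER_LEN:
            raise ValueError("short packet")
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack_from(V9_HEADER_FMT, packet)
        if version != 9:
            raise ValueError("not NetFlow v9 (version %d)" % version)
        records, off = [], V9_HEADER_LEN
        while off + 4 <= len(packet):
            fs_id, fs_len = struct.unpack_from("!HH", packet, off)
            if fs_len < 4 or off + fs_len > len(packet):
                raise ValueError("bad FlowSet length %d" % fs_len)
            body = packet[off + 4:off + fs_len]
            if fs_id == 0:                      # template FlowSet
                self._learn_templates(source_id, body)
            elif fs_id >= 256:                  # data FlowSet, id == template id
                records.extend(self._decode_data(source_id, fs_id, body))
            off += fs_len                       # ids 1..255 (options templates etc.) are skipped
        return records

    def _learn_templates(self, source_id, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, nfields = struct.unpack_from("!HH", body, pos)
            pos += 4
            if nfields == 0 or pos + 4 * nfields > len(body):
                raise ValueError("truncated template %d" % tid)
            fields = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
            pos += 4 * nfields
            self.templates[(source_id, tid)] = fields

    def _decode_data(self, source_id, tid, body):
        template = self.templates.get((source_id, tid))
        if template is None:
            self.undecodable += 1
            return []
        rec_len = sum(flen for _, flen in template)
        if rec_len == 0:
            raise ValueError("template %d has zero-length records" % tid)
        out, pos = [], 0
        while pos + rec_len <= len(body):       # trailing bytes are FlowSet padding
            rec = {}
            for ftype, flen in template:
                rec[V9_FIELD_NAMES.get(ftype, "field_%d" % ftype)] = decode_value(ftype, body[pos:pos + flen])
                pos += flen
            out.append(rec)
        return out


def build_sample_packets():
    """Constructed input (header values are assumptions): a template packet defining
    template 256 and a data packet carrying the Listing 1 flow encoded with it."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (6, 1), (2, 4), (1, 4), (22, 4), (21, 4)]
    tmpl_body = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    tmpl_pkt = (struct.pack(V9_HEADER_FMT, 9, 1, 100_000, 1387648762, 1, 7)
                + struct.pack("!HH", 0, 4 + len(tmpl_body)) + tmpl_body)
    rec = (socket.inet_aton("10.0.2.15") + socket.inet_aton("65.55.162.200")
           + struct.pack("!HHBBIIII", 1036, 25, 6, 0x17, 4, 186, 98_860, 100_000))
    data_body = rec + b"\x00\x00"               # pad the FlowSet to a 4-byte boundary
    data_pkt = (struct.pack(V9_HEADER_FMT, 9, 1, 100_000, 1387648762, 2, 7)
                + struct.pack("!HH", 256, 4 + len(data_body)) + data_body)
    return tmpl_pkt, data_pkt
```

A production collector additionally has to expire templates and cope with an exporter that reboots and re-uses template IDs with a different layout; the per-source cache above is the minimum needed to decode at all.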

3. Introduction of FLEX

This section introduces the flow-based event exchange format FLEX. It explains its components and its message exchange process. Finally, the section closes with an explanation of the further processing capabilities of FLEX.

3.1 Components of FLEX

The flow-based event exchange format (FLEX) is based on the X-XARF specification draft v0.2 and uses signed and encrypted event records. Figure 3 visualizes the components of a FLEX message.

Fig. 3: Components of a FLEX message (nesting recovered from the figure)

Header
  X-XARF: Secure
  Subject: C&C Traffic from <src> to <dst>
  Content-Type: application/pkcs7-mime; name="smime.p7m"
ASN.1 data (type: pkcs7-envelopedData)
  AES key encrypted with recipient certificates (object: rsaEncryption)
  encrypted data (object: pkcs7-data)
    Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"
      FLEX container
      S/MIME signature

The FLEX container is composed of data in matrix form. The first row of the matrix stores setting information (s0, …, s15) on how to interpret the transmitted data, e.g. FLEX ID, FLEX event type, type and version of the flow data, and the number of fields used by the detection engine. The flow field types of the flow format are stored in the following rows (f0, …, fn); with 16 entries per row, the 128 flow field types of Cisco NetFlow v9 occupy 8 rows. Next, the information of the detection engine is stored (d0, …, d15), e.g. severity, impact, priority, NAT, reliability, correlated data flow sets and an observation ID. The last row is composed of the unique identification numbers of the correlated flow sets (c0, …, c15). The matrix A visualizes the structure of a FLEX container using the flow format Cisco NetFlow v9.

A =
\begin{pmatrix}
s_0 & s_1 & \cdots & s_{15} \\
f_0 & f_1 & \cdots & f_{15} \\
\vdots & \vdots & \ddots & \vdots \\
f_{112} & f_{113} & \cdots & f_{127} \\
d_0 & d_1 & \cdots & d_{15} \\
c_0 & c_1 & \cdots & c_{15}
\end{pmatrix}

Figure 4 shows the FLEX codes used to set up the settings and detection enginevector.

Fig. 4: Encoding of a FLEX message

FLEX type:                   0 - ALERT, 1 - REQUEST
Flow data:                   0 - NetFlow, 1 - IPFIX, 2 - sFlow
Flow version:                2, 4, 5, 9
Severity, impact, priority:  0 - high, 1 - medium, 2 - low
NAT:                         0 - yes, 1 - no

If FLEX is used to exchange Cisco NetFlow data, it uses the flow field types of Cisco NetFlow v9 to exchange both Cisco NetFlow v5 and v9 data, because Cisco NetFlow v9 is not backward-compatible with version 5 or version 8. As a consequence, matrix A consists of a large number of zero-valued elements if Cisco NetFlow v5 is used. These elements occupy memory unnecessarily and require extra computing time. To significantly reduce the amount of memory required for data storage and transmission, sparse matrices are used. Sparse matrices store only the nonzero elements of the matrix, together with their indices.

In the row-oriented sparse format used by FLEX, referred to as compressed row storage (CSR) in this report, matrix A is represented as the vectors l1, …, ln, where the vector li represents the i-th row of A. Each element of li is an ordered pair (j, aij), where j indicates the column that contains the non-zero element aij. Each zero row is represented by an empty list. (Strictly speaking, a per-row list of (column, value) pairs is the list-of-lists form; CSR proper flattens it into three arrays of values, column indices and row pointers, but both carry the same information.) The usage of a sparse matrix reduces the amount of data to store and transmit by 75% for Cisco NetFlow v5.

3.2 Message exchange process of FLEX

Figure 5 depicts the exchange process of a FLEX message.

Fig. 5: Message exchange process of FLEX

3.3 Further processing

The message within the FLEX container is decoded using the settings information. Every participating partner knows how to decode the message and can process it further as needed within its own system. FLEX is therefore easy to adapt to special needs without changing the existing IT infrastructure.

4. Practical Example

This section presents an example of an application context of FLEX based on Cisco NetFlow v5. Section 4.1 describes the location of FLEX within a detection and mitigation process. The generation of a FLEX event exchange message is explained in Section 4.2.

4.1 Use case of FLEX

The process of anomaly detection and mitigation can be subdivided into two main parts: the detection part and the mitigation part. The first part preprocesses the NetFlow traces, including feature extraction, applies anomaly identification and determines the NetFlow traces that cause the abnormal behaviour within the network traffic. The flow-based event exchange format FLEX is located in the second part, anomaly mitigation, and starts after the detection part has identified a suspicious NetFlow record.

4.2 Generation of a FLEX event message

Assume that the NetFlow record shown in Listing 1 was identified as suspicious by the detection engine and was part of the command and control communication of the Cutwail botnet [3].

In the first step the setting information (s0, …, s15) is set within the first row of matrix A. The index positions of the entries of matrix A are shown in Table 2.

Table 2: FLEX matrix A entries (entry index = 16 * row + column; row 9 holds d and row 10 holds c, as in matrix A and Listing 3)

row        col 0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
s  (row 0)      0   1   2   3   4   5   6   7   8   9  10  11  12  13  14  15
f  (row 1)     16  17  18  19  20  21  22  23  24  25  26  27  28  29  30  31
f  (row 2)     32  33  34  35  36  37  38  39  40  41  42  43  44  45  46  47
f  (row 3)     48  49  50  51  52  53  54  55  56  57  58  59  60  61  62  63
f  (row 4)     64  65  66  67  68  69  70  71  72  73  74  75  76  77  78  79
f  (row 5)     80  81  82  83  84  85  86  87  88  89  90  91  92  93  94  95
f  (row 6)     96  97  98  99 100 101 102 103 104 105 106 107 108 109 110 111
f  (row 7)    112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127
f  (row 8)    128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143
d  (row 9)    144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159
c  (row 10)   160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175


The first entry of the settings row provides information about the FLEX type of a FLEX message. As this is the first time this suspicious traffic was identified, the FLEX type is ALERT and encoded as 0. The other type of FLEX message is REQUEST and encoded as 1. The next entry of the settings row contains the number of detection engine information fields that follow the flow field types. In this example the FLEX message carries 7 additional information fields of the detection engine. After the number of detection engine fields, the type of the provided flow data is stored. This example is based on NetFlow and thus this field is encoded as 0. It is also possible to encode other flow-based information, e.g. IPFIX (1) and sFlow (2). The information about the flow type is followed by its version; this example is based on NetFlow version 5. The last used entry of the settings row stores the flow ID. Listing 2 shows the settings information of the suspicious flow record encoded with the corresponding FLEX codes (see Figure 4).

Listing 2: Setting information of a FLEX message
  [0][0]=0, [0][1]=7, [0][2]=0, [0][3]=5, [0][4]=125

In the next step the flow field types (f0, …, fn) are stored. Therefore a mapping between NetFlow version 5 and version 9 is needed. The mapping between these two versions is visualized in Figure 6. Table 3 shows which NetFlow v9 field type number (in the order listed in Section 2.3) each entry of the f rows holds.

Table 3: FLEX template NetFlow v9 (NetFlow version 9 field type definition number stored in each f entry)

f  (row 1)      1   2   3   4   5   6   7   8   9  10  11  12  13  14  15  16
f  (row 2)     17  18  19  20  21  22  23  24  25  26  27  28  29  30  31  32
f  (row 3)     33  34  35  36  37  38  39  40  41  42  43  44  45  46  47  48
f  (row 4)     49  50  51  52  53  54  55  56  57  58  59  60  61  62  63  64
f  (row 5)     65  66  67  68  69  70  71  72  73  74  75  76  77  78  79  80
f  (row 6)     81  82  83  84  85  86  87  88  89  90  91  92  93  94  95  96
f  (row 7)     97  98  99 100 101 102 103 104 105 106 107 108 109 110 111 112
f  (row 8)    113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128

The information of the detection engine is stored in (d0, …, d15) and consists of severity, impact, priority, NAT, reliability, correlated data flow sets and an observation ID.

Listing 3: Detection engine information of a FLEX message
  [9][0]=0, [9][1]=0, [9][2]=0, [9][3]=0, [9][4]=0, [9][5]=0, [9][6]=142

In this example it is the first time that this suspicious flow record was identified andthus no correlated flows exist.

In this example a Cisco NetFlow v9 template is used with Cisco NetFlow v5 data. Therefore (f0, …, fn) consists of a large number of zero-valued elements. Figure 7 visualizes the sparsity pattern of a matrix A that contains Cisco NetFlow v5 data within a Cisco NetFlow v9 template. Figure 7 shows the non-zero values as gray squares; the white space within Figure 7 represents the zero-valued elements.

To significantly reduce the amount of memory required for data storage and transmission, sparse matrices are used within (f0, …, fn). Sparse matrices store only the nonzero elements of the matrix, together with their indices. The sparse matrix of the flow field types (f0, …, fn) is shown in Listing 4.

Listing 4: Sparse matrix of the flow field types (f0, …, fn) of a FLEX message
  [1][0]=186, [1][1]=4, [1][2]=52, [1][3]=6, [1][5]=0x17 .A.RSF,
  [1][6]=1036, [1][7]=10.0.2.15, [1][8]=0/0, [1][10]=25,
  [1][11]=65.55.162.200, [1][12]=0/0,
  [2][4]=1387648762 [2013-12-21 18:59:22],
  [2][5]=1387648761 [2013-12-21 18:59:21]

Finally, the settings vector, the flow field information and the information about the detection engine are transformed into a string message as shown in Listing 5. Each entry is written as a row,column,value triple terminated by a semicolon.

Listing 5: String of sparse matrix of a FLEX message
  0,0,0; 0,1,7; 0,2,0; 0,3,5; 0,4,125; 1,0,186; 1,1,4; 1,2,52; 1,3,6;
  1,5,0x17 .A.RSF; 1,6,1036; 1,7,10.0.2.15; 1,8,0/0; 1,10,25;
  1,11,65.55.162.200; 1,12,0/0; 2,4,1387648762 [2013-12-21 18:59:22];
  2,5,1387648761 [2013-12-21 18:59:21]; 9,0,0; 9,1,0; 9,2,0; 9,3,0;
  9,4,0; 9,5,0; 9,6,142;
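The following Python code is an added example (not the report's implementation) that ties the sparse storage of Section 3.1 and the steps of this section together: it fills matrix A for the Listing 1 record, serialises it to the row,column,value string of Listing 5 and parses such a string back into settings, flow fields and detection-engine information. Assumptions: the NetFlow v5 to v9 field mapping is read off Listing 4 rather than Figure 6 (including the report's placement of the nfdump record size in v9 field 3), the tcp_flags value is carried as the hex number only and the timestamps as plain epoch seconds, and the input validation in the parser is this example's addition.

```python
# v5 -> v9 field mapping as read off Listing 4 (v9 field numbers from Section 2.3).
V5_TO_V9 = {
    "dOctets": 1, "dPkts": 2, "size": 3, "prot": 4, "tos": 5, "tcp_flags": 6,
    "srcport": 7, "srcaddr": 8, "src_mask": 9, "input": 10, "dstport": 11,
    "dstaddr": 12, "dst_mask": 13, "output": 14, "nexthop": 15,
    "src_as": 16, "dst_as": 17, "last": 21, "first": 22,
}
V9_NAME = {
    1: "in_bytes", 2: "in_pkts", 3: "flows", 4: "protocol", 5: "src_tos",
    6: "tcp_flags", 7: "l4_src_port", 8: "ipv4_src_addr", 9: "src_mask",
    10: "input_snmp", 11: "l4_dst_port", 12: "ipv4_dst_addr", 13: "dst_mask",
    14: "output_snmp", 15: "ipv4_next_hop", 16: "src_as", 17: "dst_as",
    21: "last_switched", 22: "first_switched",
}
COLS = 16                       # s0..s15: 16 entries per matrix row
F_ROWS = 8                      # 128 NetFlow v9 field types / 16
ROW_S, ROW_F0, ROW_D, ROW_C = 0, 1, 1 + F_ROWS, 2 + F_ROWS   # rows 0, 1..8, 9, 10
N_ROWS = ROW_C + 1
SETTINGS = ("flex_type", "n_detection_fields", "flow_data", "flow_version", "flow_id")
DETECTION = ("severity", "impact", "priority", "nat", "reliability",
             "correlated_sets", "observation_id")


def field_pos(v9_field):
    """NetFlow v9 field number n lives in f_(n-1): row 1 + (n-1)//16, column (n-1)%16."""
    idx = v9_field - 1
    return ROW_F0 + idx // COLS, idx % COLS


def build_flex_matrix(v5_record, settings, detection):
    """Dense 11x16 matrix A: settings row, eight flow rows, detection row, correlation row."""
    a = [[0] * COLS for _ in range(N_ROWS)]
    for i, key in enumerate(SETTINGS):
        a[ROW_S][i] = settings[key]
    for v5_name, value in v5_record.items():
        r, c = field_pos(V5_TO_V9[v5_name])
        a[r][c] = value
    for i, key in enumerate(DETECTION):
        a[ROW_D][i] = detection[key]
    return a


def nonzero_flow_cells(a):
    """How many of the 128 flow cells are populated (the sparsity argument of Section 3.1)."""
    return sum(1 for r in range(ROW_F0, ROW_D) for c in range(COLS) if a[r][c] != 0)


def to_flex_string(a):
    """Row-oriented sparse encoding 'row,col,value;' as in Listing 5: the settings and
    detection-engine entries are written out, the flow rows keep only non-zero cells."""
    cells = [(ROW_S, c) for c in range(len(SETTINGS))]
    cells += [(r, c) for r in range(ROW_F0, ROW_D) for c in range(COLS) if a[r][c] != 0]
    cells += [(ROW_D, c) for c in range(a[ROW_S][1])]          # s1 = number of d fields
    cells += [(ROW_C, c) for c in range(COLS) if a[ROW_C][c] != 0]
    out = []
    for r, c in cells:
        v = str(a[r][c])
        if "," in v or ";" in v:                                 # would corrupt the framing
            raise ValueError("separator inside value at %d,%d" % (r, c))
        out.append("%d,%d,%s;" % (r, c, v))
    return "".join(out)


def parse_flex_string(s):
    """Parse a FLEX string received from a partner. Indices are range-checked and
    duplicates rejected, since the sender is another organisation's detection engine."""
    cells = {}
    for triple in filter(None, s.split(";")):
        parts = triple.split(",")
        if len(parts) != 3 or not (parts[0].isdigit() and parts[1].isdigit()):
            raise ValueError("malformed triple %r" % triple)
        r, c, v = int(parts[0]), int(parts[1]), parts[2]
        if r >= N_ROWS or c >= COLS or (r, c) in cells:
            raise ValueError("bad or duplicate index in %r" % triple)
        cells[(r, c)] = int(v) if v.isdigit() else v
    flow = {}
    for (r, c), v in cells.items():
        if ROW_F0 <= r < ROW_D:
            n = (r - ROW_F0) * COLS + c + 1                      # back to the v9 field number
            flow[V9_NAME.get(n, "field_%d" % n)] = v
    return {
        "settings": {k: cells.get((ROW_S, i), 0) for i, k in enumerate(SETTINGS)},
        "flow": flow,
        "detection": {k: cells.get((ROW_D, i), 0) for i, k in enumerate(DETECTION)},
        "correlated": [cells[(ROW_C, c)] for c in range(COLS) if (ROW_C, c) in cells],
    }


# Constructed from Listing 1; tcp_flags is carried as the hex value only.
LISTING1_RECORD = {
    "dOctets": 186, "dPkts": 4, "size": 52, "prot": 6, "tos": 0, "tcp_flags": "0x17",
    "srcport": 1036, "srcaddr": "10.0.2.15", "src_mask": "0/0", "input": 0,
    "dstport": 25, "dstaddr": "65.55.162.200", "dst_mask": "0/0", "output": 0,
    "nexthop": 0, "src_as": 0, "dst_as": 0, "last": 1387648762, "first": 1387648761,
}
EXAMPLE_SETTINGS = {"flex_type": 0, "n_detection_fields": 7, "flow_data": 0,
                    "flow_version": 5, "flow_id": 125}
EXAMPLE_DETECTION = {"severity": 0, "impact": 0, "priority": 0, "nat": 0,
                     "reliability": 0, "correlated_sets": 0, "observation_id": 142}


def example_message():
    """The Listing 5 string for the Listing 1 record (ALERT, NetFlow v5, flow ID 125)."""
    return to_flex_string(build_flex_matrix(LISTING1_RECORD, EXAMPLE_SETTINGS, EXAMPLE_DETECTION))
```

The parser refuses out-of-range indices, duplicate cells and values containing the separators because the string is produced by another organisation: the S/MIME signature of Section 3.1 authenticates the sender, but it does not guarantee that the container is well-formed, so the receiver's decoder still has to validate before it indexes into anything.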

This string message is handed over to the encryption and signature process. Listing 6 shows the final FLEX message of the suspicious NetFlow record, which will be transmitted over Simple Mail Transfer Protocol (SMTP).

Listing 6: Suspicious Flow Record NetFlow v5 within FLEX message
  To: mailTo
  Message-ID: <1080606248.3.1377689789166.JavaMail.Jimena@jesste>
  Subject: abuse report about <source> - <dst>
  MIME-Version: 1.0
  Content-Type: application/pkcs7-mime; name="smime.p7m"; smime-type=enveloped-data
  Content-Transfer-Encoding: base64
  X-XARF: SECURE

  MIAGCSqGSIb3DQEHA6CAMIACAQAxggGNMIIBiQIBADBxMGkxCzAJBgNVBAYTAkRFMQ8w
  DQYDVQQIEwZIZXNzZW4xEjAQBgNVBAcTCURhcm1zdGFkdDEMMAoGA1UEChMDSERBMRYw
  FAYDVQQLEw1TaWNoZXJlIERhdGVuMQ8wDQYDVQQDEwZTZXJ2ZXICBFLqiKgwDQYJKoZI
  hvcNAQEBBQAEggEAMA/OsrBmAGLsFXuJVFzFX7HlvMq5lhG89Bg/kxsXIIhSk+CTEuOz
  jkim1TNKGtYIwFKOarV4YPWxn9sbTAkwkmkKfjCJSCREaa5qanz18WnDsXvFUvu4QVqE
  vJNorvuUaY18UDcIrGosrbD4rv9gLKIgq4VCdmef6nPHJmL1ENWLBKe7yrI/3ML3EO3B
  Sq41fmHX2evOEug9UIqKcXGEJeY2kG2d4lGqmaAWvjxMZEVnrl810eVGzsKsVU38/5Wf
  x6rU0/JM7tWDZ8CsfmlZ4SFZ/QG4c2ln9JBUT34aLZAPBNanp2q/o6tj9nDTP4+Z/dHF
  IuqVYMxJtsjkCeesojCABgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCEFILcS+qcoSDw
  Vwp+ALAqoIAEggPomXHl43NmdxUqlEdpDio/f0BtZwIf5jQzit6vgymYt2mOtl3K9nNE
  NXLkQC7/KszJlBzZBNrtaccz8A242cJr2XeBROj2vMkJGn6BZOaA6xjFSDrGk894/Nbs
  JS[...]


Fig. 6: Mapping NetFlow V5 to V9


Fig. 7: Sparsity pattern of matrix A (horizontal axis: column index, ticks 0 to 12; vertical axis: row index, ticks 0 to 10; non-zero elements drawn as gray squares)


References

[1] E. Boschi, L. Mark, J. Quittek, M. Stiemerling, and P. Aitken. IP Flow Information Export (IPFIX) Implementation Guidelines. RFC 5153 (Informational). http://www.ietf.org/rfc/rfc5153.txt, April 2008.

[2] Cisco Systems, Inc. NetFlow Services Solutions Guide. http://www.cisco.com/en/US/docs/ios/solutions_docs/netflow/nfwhite.html, January 2007.

[3] A. Decker, D. Sancho, L. Kharouni, M. Goncharov, and R. McArdle. Pushdo/Cutwail Botnet. http://www.trendmicro.com/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf, May 2009.

[4] Lancope, Inc. NetFlow v5 vs. NetFlow v9. http://www.lancope.com/blog/netflow-v5-vs-netflow-v9/, March 2009.

[5] Peter Phaal and Marc Lavine. sFlow Version 5. http://www.sflow.org/sflow_version_5.txt, July 2004.

[6] Jessica Steinberger, Lisa Schehlmann, Sebastian Abt, and Harald Baier. Anomaly Detection and Mitigation at Internet Scale: A Survey. In Guillaume Doyen, Martin Waldburger, Pavel Celeda, Anna Sperotto, and Burkhard Stiller, editors, Emerging Management Mechanisms for the Future Internet, volume 7943 of Lecture Notes in Computer Science, pages 49–60. Springer Berlin Heidelberg, 2013. ISBN 978-3-642-38997-9. doi: 10.1007/978-3-642-38998-6_7. URL http://dx.doi.org/10.1007/978-3-642-38998-6_7.


List of Figures

1 Data used for attack detection
2 Difference between NetFlow v5 and v9 [4]
3 Components of a FLEX message
4 Encoding of a FLEX message
5 Message exchange process of FLEX
6 Mapping NetFlow V5 to V9
7 Sparsity pattern of matrix A

List of Tables

2 FLEX matrix A
3 FLEX template NetFlow v9

Listings

1 Example Flow Record NetFlow v5
2 Setting information of a FLEX message
3 Detection engine information of a FLEX message
4 Sparse matrix of the flow field types (f0, …, fn) of a FLEX message
5 String of sparse matrix of a FLEX message
6 Suspicious Flow Record NetFlow v5 within FLEX message