Abstract: The South African National Research and Education Network (SA NREN) provides network connectivity and services to all tertiary education institutions and research councils within South Africa. The NREN forms part of South Africa's national integrated cyber infrastructure and, as such, is a potential target for cyber-attacks. Due to the large volume of traffic and the decentralised nature of the SA NREN, monitoring, reporting and mitigating cyber-attacks is a complex problem. The NREN Cyber Security Incident Response Team (CSIRT) uses network flow data to identify early indicators of cyber-attacks. This paper focuses on the mechanisms used to identify malicious botnet traffic using network flow analysis.
Keywords: Network flow analysis, NREN, Network Traffic Analysis, botnet detection, cyber threat detection.
1. Introduction
The South African National Research and Education Network (SA NREN) provides the backbone infrastructure for most South African research and education institutions. It operates similarly to ESnet in the United States, or to the SURFnet and CESNET organisations in Europe. These NRENs provide services to research institutions such as network interconnectivity, large data transfer capability, data warehousing and data processing. In the SA NREN, the backbone is maintained and secured through the collaboration of two institutions: the Tertiary Education and Research Network of South Africa (TENET), a service organisation that maintains the services running within the NREN, and the South African National Research Network Competency Area (SANReN CA). Both organisations form part of the National Integrated Cyber Infrastructure System (NICIS).
Within the SANReN CA, a Cyber Security Incident Response Team (CSIRT) was established in 2016 to address the growing concern of cyber threats against the NREN. The CSIRT uses various tools and mechanisms to detect network anomalies and investigate cyber-attacks. Its aim is to provide a proactive cyber incident response capability to the SA NREN user base: the CSIRT monitors the NREN for signs of anomalies or abuse before they are reported to it by users. As part of this capability the CSIRT seeks to detect port scans, brute force attacks, denial of service attacks and botnets. This paper focuses on the work done within the CSIRT on botnet detection using network flow analytics.
The reason for using network flow analytics is primarily due to the reduced...