Abstract
Distributed botnet detection can impose heavy computation and communication costs on network devices, and each device in such schemes has only a regional view of the Internet, so it is hard to detect botnets comprehensively. In this paper, we propose a lightweight real-time botnet detection framework called BotGuard, which uses the global view and flexible configurability of software defined networking (SDN) to identify botnets promptly. SDN, as a new network architecture, enables centralized control for botnet detection, but such detection still faces several challenges. We introduce a convex lens imaging graph (CLI-graph) to depict the topological characteristics of a botnet, which allows the SDN controller to locate attacks separately and reduces the burden on network devices. Theoretical analysis and experimental results show that our scheme is capable of timely botnet detection in SDNs, with accuracy higher than 90% and detection delay below 56 ms.
Foundation item: Supported by the National Natural Science Foundation of China (61272451, 61572380)
Biography: CHEN Jing, male, Ph.D., Professor, research direction: network security, cloud security
Chen, J., Cheng, X., Du, R. et al. BotGuard: Lightweight real-time botnet detection in software defined networks. Wuhan Univ. J. Nat. Sci. 22, 103–113 (2017). https://doi.org/10.1007/s11859-017-1223-8