BotSifter: A SDN-based Online Bot Detection Framework in Data Centers

Published: June 10, 2019

Author(s)

Yang Guo, An Wang, Zili Zha, Douglas C. Montgomery, Songqing Chen

Abstract

Botnets continue to be one of the most severe security threats plaguing the Internet. Recent years have witnessed the emergence of cloud-hosted botnets along with the increasing popularity of cloud platforms, which attracted not only various applications/services, but also botnets. However, even the latest botnet detection mechanisms (e.g., machine learning based) fail to meet the requirement of accurate and expeditious detection in data centers, because they often demand intensive resources to support traffic monitoring and collection, which is hardly practical considering the traffic volume in data centers. Furthermore, they provide little understanding on different phases of the bot activities, which is essential for identifying the malicious intent of bots in their early stages. In this paper, we propose BotSifter,a SDN based scalable, accurate and runtime bot detection framework for data centers. To achieve detection scalability, BotSifter utilizes centralized earning with distributed detection by distributing detection tasks across the network edges in SDN. Furthermore, it employs a variety of novel mechanisms for parallel detection of C&C channels and botnet activities, which greatly enhance the detection robustness. Evaluations demonstrate that BotSifter can achieve highly accurate detection for a large variety of botnet variants with diverse C&C protocols.
Proceedings Title: IEEE CNS 2019 - 2019 IEEE Conference on Communications and Network Security (CNS)
Conference Dates: April 29-May 2, 2019
Conference Location: Washington D.C., DC
Pub Type: Conferences

Keywords

Machine Learning (ML), Artificial Intelligence (AI), Bot, Botnet, Cloud
Created June 10, 2019, Updated October 06, 2019