SDN-inspired, real-time botnet detection and flow-blocking at ISP and enterprise-level

Infected machines pose threats not only to their users but also to their network owners (ISPs and enterprises). To neutralize the effect of these infected machines, common solutions sit at the two ends of an architectural spectrum: either fully distributed, host-based solutions, or completely centralized appliances at the network core. We present NetworkRadar, inspired by an SDN-enabled ISP framework, which operates between these extremes and combines the benefits of both approaches. We perform data-plane-intensive event monitoring at aggregation points close to customers, and maintain a centralized control plane for correlating events and for high-granularity blocking of malicious bot activity. Here we present the architecture of our solution and evaluate a prototype deployment over an isolated slice of an ISP network, showing its viability: a negligible (<1%) impact on customer throughput and a control plane that scales linearly with the customer base.
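The following is an added toy model of the split architecture the abstract describes; it is not NetworkRadar's code, and the event kinds ("scan", "beacon"), thresholds, record formats and addresses are all assumptions made here for illustration. An `AggregationMonitor` plays the data-plane-heavy role at an aggregation point, reducing raw flow records to per-host events, and a `Controller` plays the centralized control plane, correlating events per host and emitting drop rules that match only the offending flow rather than the whole customer.

```python
"""Added example (not NetworkRadar's code): aggregation-point monitoring
feeding a central correlating controller that emits per-flow block rules.
Event kinds, thresholds and the record format are hypothetical."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Event:
    ts: float
    monitor: str   # aggregation point that observed it
    host: str      # customer host the event is attributed to
    kind: str      # hypothetical kinds: "scan" or "beacon"
    peer: str      # remote endpoint ("*" when not flow-specific)
    dport: int


@dataclass(frozen=True)
class FlowRule:
    src: str
    dst: str
    dport: int
    action: str = "drop"


class AggregationMonitor:
    """Data-plane side: keeps a short per-host flow window and reports events."""
    SCAN_FANOUT = 10   # distinct destinations on one port within the window (assumed)
    BEACON_COUNT = 3   # repeated connections to one peer:port within the window (assumed)

    def __init__(self, name, window=60.0):
        self.name = name
        self.window = window
        self.flows = defaultdict(list)   # host -> recent flows
        self.emitted = set()             # suppress duplicate events per host

    def observe(self, flow):
        recent = [f for f in self.flows[flow.src] if f.ts >= flow.ts - self.window]
        recent.append(flow)
        self.flows[flow.src] = recent
        candidates = []
        fanout = {f.dst for f in recent if f.dport == flow.dport}
        if len(fanout) >= self.SCAN_FANOUT:
            candidates.append(Event(flow.ts, self.name, flow.src, "scan", "*", flow.dport))
        repeats = sum(1 for f in recent if (f.dst, f.dport) == (flow.dst, flow.dport))
        if repeats >= self.BEACON_COUNT:
            candidates.append(Event(flow.ts, self.name, flow.src, "beacon", flow.dst, flow.dport))
        out = []
        for ev in candidates:
            key = (ev.host, ev.kind, ev.peer, ev.dport)
            if key not in self.emitted:
                self.emitted.add(key)
                out.append(ev)
        return out


class Controller:
    """Control-plane side: correlates events per host across monitors."""

    def __init__(self, window=600.0):
        self.window = window
        self.events = defaultdict(list)  # host -> recent events
        self.rules = []

    def report(self, ev):
        evs = [e for e in self.events[ev.host] if e.ts >= ev.ts - self.window]
        evs.append(ev)
        self.events[ev.host] = evs
        # Require two independent behaviours before acting, so one noisy
        # signal does not cut off a customer; then block only the beacon flow.
        if not {"scan", "beacon"} <= {e.kind for e in evs}:
            return []
        new = []
        for e in evs:
            if e.kind == "beacon":
                rule = FlowRule(e.host, e.peer, e.dport)
                if rule not in self.rules:
                    self.rules.append(rule)
                    new.append(rule)
        return new


def run_scenario():
    """Constructed traffic: 10.0.0.5 beacons to 203.0.113.9:443 and then fans
    out to twelve hosts on port 445; 10.0.0.6 only contacts three sites."""
    monitor, ctl = AggregationMonitor("agg-1"), Controller()
    flows = [Flow(i * 10.0, "10.0.0.5", "203.0.113.9", 443) for i in range(3)]
    flows += [Flow(40.0 + i, "10.0.0.5", f"192.0.2.{i + 1}", 445) for i in range(12)]
    flows += [Flow(i * 5.0, "10.0.0.6", f"198.51.100.{i + 1}", 443) for i in range(3)]
    rules = []
    for fl in sorted(flows, key=lambda f: f.ts):
        for ev in monitor.observe(fl):
            rules.extend(ctl.report(ev))
    return rules


if __name__ == "__main__":
    for r in run_scenario():
        print(r)
```

Only the beacon flow of the host that both scanned and beaconed is blocked; the benign host produces no events, and a host that only beacons produces an event but no rule, which is the correlation step the centralized control plane exists to perform.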
