Line rate botnet detection with SmartNIC-embedded feature extraction

Abstract

Botnets pose a significant threat in network security, exacerbated by the massive adoption of vulnerable Internet-of-Things (IoT) devices. In response to that, great research effort has taken place to propose intrusion detection solutions to the botnet menace. As most techniques focus on either packet or flow granularity, port-based analysis can help detecting newly developed botnets, especially during their early propagation phase. In this paper, we introduce a line rate distributed anomaly detection system that employs NetFPGA Smart-Network Interface Cards (SmartNIC) as programmable switches. Per-port feature extraction modules are deployed directly on the data plane, enabling a centralized controller to periodically retrieve collected metrics, and feed them to a botnet detection algorithm we refine from the state of the art. We evaluate our system using real world traces spanning several months from 2016 and 2023. We show how our solutions allow keeping low the number of anomalies detected, retaining only the most relevant ones, thanks to the distributed monitoring approach that helps discriminating systemic changes from local phenomena. Furthermore, we provide an analysis of the most significant alerts, accounting for the limited ground-truth on the dataset.