Abstract
This paper proposes a flow-based approach to detecting botnets by applying machine learning algorithms to software-defined networks without reading packet payloads. The proposed work takes network flows as input and processes them in two window-based modules to extract a statistical feature set used for classification. The first module processes the network flow stream to extract flow traces. The window size of this module is 10, which means a flow trace with 10 flows is considered a trace of interest and forwarded to the next module for further processing. The second module processes the selected trace and fetches the historical flows in the last 60-minute window for the source and destination IPs of the trace. The feature set is extracted from the selected trace and the relevant historical flows. The approach applies a supervised, decision-tree-based machine learning algorithm to create a model during a training phase using the extracted feature set. This model is then used to classify flow traces during the testing phase. The dataset for experimentation is extracted from publicly available real botnet and normal traces. The experimental findings show that the method is capable of detecting unknown botnets. The results show a detection rate of 97% for known botnets and 90% for unknown botnets.
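A sketch of the two window-based modules described in the abstract, added here as an illustration and not taken from the paper. The window sizes (10 flows, 60 minutes) come from the abstract; grouping flows into traces by (source, destination) pair, the `Flow` fields, the class name and the specific features are assumptions, and the decision-tree classifier that would consume the feature dict is left out.

```python
from collections import defaultdict, deque, namedtuple
from statistics import mean, pstdev

Flow = namedtuple("Flow", "ts src dst nbytes duration")  # hypothetical flow record
TRACE_SIZE = 10            # flows per trace of interest (from the abstract)
HISTORY_SECONDS = 60 * 60  # 60-minute look-back window (from the abstract)

class TraceFeatureExtractor:
    def __init__(self):
        self.pending = defaultdict(list)  # module 1: (src, dst) -> flows collected so far
        self.history = deque()            # module 2: recent flows, oldest first

    def add_flow(self, flow):
        """Feed one flow in time order; return features when a trace completes, else None."""
        while self.history and self.history[0].ts < flow.ts - HISTORY_SECONDS:
            self.history.popleft()        # expire flows older than the window
        self.history.append(flow)
        key = (flow.src, flow.dst)        # assumed definition of a flow trace
        self.pending[key].append(flow)
        if len(self.pending[key]) < TRACE_SIZE:
            return None
        return self._features(self.pending.pop(key))

    def _features(self, trace):
        src, dst = trace[0].src, trace[0].dst
        own = {id(f) for f in trace}
        # Historical flows touching either endpoint, excluding the trace itself.
        hist = [f for f in self.history
                if id(f) not in own and {f.src, f.dst} & {src, dst}]
        sizes = [f.nbytes for f in trace]
        gaps = [b.ts - a.ts for a, b in zip(trace, trace[1:])]
        return {  # assumed feature set; the abstract does not list the features
            "src": src, "dst": dst,
            "mean_bytes": mean(sizes), "std_bytes": pstdev(sizes),
            "mean_duration_s": mean([f.duration for f in trace]),
            "mean_gap_s": mean(gaps),
            "hist_flows": len(hist),
            "src_other_peers": len({f.dst for f in hist if f.src == src}),
            "dst_other_clients": len({f.src for f in hist if f.dst == dst}),
        }

def demo():
    # Constructed flows: one stale flow, background traffic, then 10 periodic flows.
    flows = [Flow(0, "10.0.0.5", "198.51.100.1", 900, 2.0),
             Flow(4000, "10.0.0.5", "198.51.100.2", 700, 1.5),
             Flow(4100, "10.0.0.7", "203.0.113.9", 130, 0.4),
             Flow(4200, "10.0.0.8", "198.51.100.3", 5000, 9.0)]
    flows += [Flow(5000 + 60 * i, "10.0.0.5", "203.0.113.9", 120, 0.5) for i in range(10)]
    ex = TraceFeatureExtractor()
    return [r for r in map(ex.add_flow, flows) if r is not None]
```

Only flow metadata is used, so the same extractor works whether or not payloads are encrypted; in a labelled dataset each returned dict would become one training row.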
Cite
Tariq, F., & Baig, S. (2017). Machine Learning Based Botnet Detection in Software Defined Networks. International Journal of Security and Its Applications, 11(11), 1–12. https://doi.org/10.14257/ijsia.2017.11.11.01