PI-BODE: Programmable Intraflow-based IoT Botnet Detection system

In this paper, we propose a Programmable Intraflow-based IoT Botnet Detection (PI -BODE) system. PI -BODE is based on the detection of the Command and Control (C&C) communication between infected devices and the botmaster. This approach allows detecting malicious communication before any attacks occur. Unlike the majority of existing work, this detection method is based on the analysis of the traffic intraflow statistical parameters. Such an analysis makes the method more scalable and less hardware demanding in operation, while having a higher or equal level of detection accuracy compared to the packet capture based tools and methods. PI -BODE system leverages programmable network elements and Software Defined Networks (SDN) to extract intraflow features from flow time series in real time, while the flows are active. This procedure was verified on two datasets, whose data were gathered during the time span of more than two years: one captured by the authors of the paper and the other, IoT23.