Multiclass Machine Learning Based Botnet Detection in Software Defined Networks

Continuously evolving nature of botnet by using innovative approaches and technologies derives the need for continuous improvement of botnet detection solutions. The state of the art network approaches in literature targeting network header level information only for behavioral-based detection. These techniques applying machine learning algorithms to automatically detect botnet patterns from network flows. The current work in flow-based approaches exploring SDNs to overcome traditional IP network complexities. The Software defined network technology platform with centralized visibility and control provide an opportunity to redesign these approaches. The current SDNs based proposed approaches apply binary classification to decide if the detected flow belongs to a botnet or not. This work proposed a multiclass machine learning based approach to address botnet problem in SDNs. The proposed scheme applies multiple binary classifiers each trained for a specific type of botnet class. These focused classifiers performed better in the detection of the specific type of botnet. The proposed approach uses the flow trace concept. The features are extracted for each detected flow trace and fed into these focused classifiers. These features are examined by all classifiers and detected label is added for each processed flow trace. These labels are aggregated in the second stage to decide if a flow trace belongs to any botnet class or not. This additional information of a class of the detected botnet trace is helpful during the incident response process. The experiments for evaluation of the proposed work are performed on real-world traffic traces and the result shows promising detection rate with the capability to detect unknown botnet.