Abstract
Botnets are nowadays one of the most widespread and dangerous kinds of malware on the internet, so their detection is a very important task. However, many works in this field exploit general malware detection techniques and rely on old or biased traffic samples, which makes their results not completely reliable. Moreover, software-defined networking (SDN), which is increasingly replacing conventional networking, drastically limits the number of features that can be extracted from the network traffic and therefore used to detect botnets. In this paper we propose a novel botnet-specific detection methodology based on deep learning techniques, which has been tested on a new, SDN-specific dataset and reached a very high (up to 96%) traffic classification accuracy. Our algorithms have been implemented on two state-of-the-art frameworks, i.e., Keras and TensorFlow, so we are confident that our experimental results are reliable and easily reproducible.
This work was partially supported by the Cyber Trainer project (POR FESR Abruzzo 2014–2020).
© 2018 Springer Nature Switzerland AG
Cite this paper
Letteri, I., Della Penna, G., De Gasperis, G. (2018). Botnet Detection in Software Defined Networks by Deep Learning Techniques. In: Castiglione, A., Pop, F., Ficco, M., Palmieri, F. (eds) Cyberspace Safety and Security. CSS 2018. Lecture Notes in Computer Science(), vol 11161. Springer, Cham. https://doi.org/10.1007/978-3-030-01689-0_4
DOI: https://doi.org/10.1007/978-3-030-01689-0_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-01688-3
Online ISBN: 978-3-030-01689-0
eBook Packages: Computer Science (R0)