Abstract
The ever-increasing botnet presence has enabled attackers to compromise millions of nodes and launch a plethora of Internet-scale coordinated attacks within a very short period of time. While the challenge of identifying and patching the vulnerabilities that these botnets exploit in a timely manner has proven elusive, a more promising solution is to mitigate such exploitation attempts at core traffic transmission media, such as within the forwarding devices of ISPs, backbones, and other high-rate network environments. To this end, we present an In-Network Classification (INC) technique to fingerprint the spread of botnets at wire speed within busy networks. In particular, INC employs a unique bagging classification system residing entirely within programmable switch hardware in order to classify and subsequently mitigate bot infections amid Tbps traffic rates. Additionally, INC immediately pushes the data plane features of mitigated bots to the controller to infer botnet orchestration in real time via behavioral clustering. INC was comprehensively evaluated against several datasets and achieved state-of-the-art results while reducing the detection times of comparable techniques by several orders of magnitude. Further, we demonstrate that INC generalizes well to previously unseen botnets.
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Friday, K., Kfoury, E., Bou-Harb, E., Crichigno, J. (2022). INC: In-Network Classification of Botnet Propagation at Line Rate. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13554. Springer, Cham. https://doi.org/10.1007/978-3-031-17140-6_27
DOI: https://doi.org/10.1007/978-3-031-17140-6_27
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-17139-0
Online ISBN: 978-3-031-17140-6