Skip to main content
SpringerLink
Log in

INC: In-Network Classification of Botnet Propagation at Line Rate

  • Conference paper
  • First Online:
Computer Security – ESORICS 2022 (ESORICS 2022)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13554))

Included in the following conference series:

Abstract

The ever-increasing botnet presence has enabled attackers to compromise millions of nodes and launch a plethora of Internet-scale coordinated attacks within a very short period of time. While the challenge of identifying and patching the vulnerabilities that these botnets exploit in a timely manner has proven elusive, a more promising solution is to mitigate such exploitation attempts at core traffic transmission mediums, such as within the forwarding devices of ISPs, backbones, and other high-rate network environments. To this end, we present an In-Network Classification (INC) technique to fingerprint the spread of botnets at wire-speed within busy networks. In particular, INC employs a unique bagging classification system residing entirely within programmable switch hardware in order to classify and subsequently mitigate bot infections amid Tbps traffic rates. Additionally, INC immediately pushes the data plane features of mitigated bots to the controller to infer botnet orchestration in real-time via behavioral clustering. INC was comprehensively evaluated against several datasets and achieved state-of-the-art results while reducing the detection times of comparable techniques by several orders of magnitude. Further, we demonstrate that INC can generalize well to previously unseen botnets.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 79.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 99.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Alieyan, K., Almomani, A., Anbar, M., Alauthman, M., Abdullah, R., Gupta, B.B.: DNS rule-based schema to botnet detection. Enterp. Inf. Syst. 15(4), 545–564 (2021)

    Article  Google Scholar 

  2. Antonakakis, M., et al.: Understanding the mirai botnet. In: 26th \(\{\)USENIX\(\}\) security symposium (\(\{\)USENIX\(\}\) Security 17), pp. 1093–1110 (2017)

    Google Scholar 

  3. Barradas, D., Santos, N., Rodrigues, L., Signorello, S., Ramos, F.M., Madeira, A.: FlowLens: enabling efficient flow classification for ml-based network security applications. In: Proceedings of the 28th Network and Distributed System Security Symposium, San Diego, CA, USA (2021)

    Google Scholar 

  4. Bosshart, P., et al.: P4: programming protocol-independent packet processors. ACM SIGCOMM Comput. Commun. Rev. 44(3), 87–95 (2014)

    Article  Google Scholar 

  5. CAIDA (2021). http://www.caida.org/data/passive/passive_dataset.xml

  6. Canada, P.: Bill C-28. https://www.parl.ca/DocumentViewer/en/40-3/bill/C-28/third-reading

  7. Cozzi, E., Vervier, P.A., Dell’Amico, M., Shen, Y., Bilge, L., Balzarotti, D.: The tangled genealogy of IoT malware. In: Annual Computer Security Applications Conference, pp. 1–16 (2020)

    Google Scholar 

  8. Dainotti, A., King, A., Claffy, K., Papale, F., Pescapé, A.: Analysis of a “/0’’stealth scan from a botnet. IEEE/ACM Trans. Networking 23(2), 341–354 (2014)

    Article  Google Scholar 

  9. Fachkha, C., Bou-Harb, E., Keliris, A., Memon, N.D., Ahamad, M.: Internet-scale probing of CPS: inference, characterization and orchestration analysis. In: NDSS (2017)

    Google Scholar 

  10. Garcia, S., Grill, M., Stiborek, J., Zunino, A.: An empirical comparison of botnet detection methods. comput. Secur. 45, 100–123 (2014)

    Google Scholar 

  11. Guerra-Manzanares, A., Medina-Galindo, J., Bahsi, H., Nõmm, S.: MedBIoT: generation of an IoT botnet dataset in a medium-sized IoT network. In: ICISSP, pp. 207–218 (2020)

    Google Scholar 

  12. Hauser, F., et al.: A survey on data plane programming with p4: fundamentals, advances, and applied research. arXiv preprint arXiv:2101.10632 (2021)

  13. Intel: Intel® tofino™ 3 intelligent fabric processor brief. https://www.intel.com/content/www/us/en/products/network-io/programmable-ethernet-switch/tofino-3-brief.html

  14. Jepsen, T., et al.: Fast string searching on PISA. In: Proceedings of the 2019 ACM Symposium on SDN Research, pp. 21–28 (2019)

    Google Scholar 

  15. Kingma, D.P., Ba, J.: Adam: a method for stochastic optimization. arXiv preprint arXiv:1412.6980 (2014)

  16. Kumar, A., Lim, T.J.: Edima: early detection of IoT malware network activity using machine learning techniques. In: 2019 IEEE 5th World Forum on Internet of Things (WF-IoT), pp. 289–294. IEEE (2019)

    Google Scholar 

  17. Letteri, I., Della Penna, G., De Gasperis, G.: Botnet detection in software defined networks by deep learning techniques. In: Castiglione, A., Pop, F., Ficco, M., Palmieri, F. (eds.) CSS 2018. LNCS, vol. 11161, pp. 49–62. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-01689-0_4

    Chapter  Google Scholar 

  18. McInnes, L., Healy, J., Astels, S.: hdbscan: hierarchical density based clustering. J. Open Source Softw. 2(11), 205 (2017)

    Article  Google Scholar 

  19. NetSecResearch (2021). https://github.com/NetSecResearch/INC

  20. Networks, E.: Programmable Tofino switches for data centers. https://www.edge-core.com/productsInfo.php?id=335

  21. Pastore, M., Calcagnì, A.: Measuring distribution similarities between samples: a distribution-free overlapping index. Front. Psychol. 10, 1089 (2019)

    Article  Google Scholar 

  22. Pour, M.S., et al.: On data-driven curation, learning, and analysis for inferring evolving internet-of-things (IoT) botnets in the wild. Comput. Secur. 91, 101707 (2020)

    Article  Google Scholar 

  23. Rahbarinia, B., Perdisci, R., Lanzi, A., Li, K.: PeerRush: mining for unwanted p2p traffic. J. Inf. Secur. Appl. 19(3), 194–208 (2014)

    Google Scholar 

  24. Sandbox, T.: Hatching Triage (2022). https://hatching.io/triage/

  25. Sanvito, D., Siracusano, G., Bifulco, R.: Can the network be the AI accelerator? In: Proceedings of the 2018 Morning Workshop on In-Network Computing, pp. 20–25 (2018)

    Google Scholar 

  26. Sapio, et al.: Scaling distributed machine learning with in-network aggregation. arXiv preprint arXiv:1903.06701 (2019)

  27. Sapio, A., Abdelaziz, I., Aldilaijan, A., Canini, M., Kalnis, P.: In-network computation is a dumb idea whose time has come. In: Proceedings of the 16th ACM Workshop on Hot Topics in Networks, pp. 150–156 (2017)

    Google Scholar 

  28. Schubert, E., Sander, J., Ester, M., Kriegel, H.P., Xu, X.: DBSCAN revisited, revisited: why and how you should (still) use DBSCAN. ACM Trans. Database Syst. (TODS) 42(3), 1–21 (2017)

    Article  MathSciNet  Google Scholar 

  29. Siracusano, G., Bifulco, R.: In-network neural networks. arXiv preprint arXiv:1801.05731 (2018)

  30. Stratosphere: Stratosphere laboratory datasets (2015). Accessed 13 Mar 2020. https://www.stratosphereips.org/datasets-overview

  31. Tanabe, R., et al.: Disposable botnets: examining the anatomy of IoT botnet infrastructure. In: Proceedings of the 15th International Conference on Availability, Reliability and Security, pp. 1–10 (2020)

    Google Scholar 

  32. Turkovic, B., Kuipers, F., van Adrichem, N., Langendoen, K.: Fast network congestion detection and avoidance using p4. In: Proceedings of the 2018 Workshop on Networking for Emerging Applications and Technologies, pp. 45–51 (2018)

    Google Scholar 

  33. Xiong, Z., Zilberman, N.: Do switches dream of machine learning? toward in-network classification. In: Proceedings of the 18th ACM Workshop on Hot Topics in Networks, pp. 25–33 (2019)

    Google Scholar 

  34. Xu, Z., Chen, L., Gu, G., Kruegel, C.: PeerPress: utilizing enemies’ p2p strength against them. In: Proceedings of the 2012 ACM conference on Computer and communications security, pp. 581–592 (2012)

    Google Scholar 

  35. Yang, F., Wang, Z., Ma, X., Yuan, G., An, X.: SwitchAgg: a further step towards in-network computation. arXiv preprint arXiv:1904.04024 (2019)

  36. Zhang, J., Perdisci, R., Lee, W., Sarfraz, U., Luo, X.: Detecting stealthy p2p botnets using statistical traffic fingerprints. In: 2011 IEEE/IFIP 41st International Conference on Dependable Systems & Networks (DSN), pp. 121–132. IEEE (2011)

    Google Scholar 

  37. Zhang, M., et al.: Poseidon: mitigating volumetric DDoS attacks with programmable switches. In: the 27th Network and Distributed System Security Symposium (NDSS 2020) (2020)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. The Cyber Center for Security and Analytics, The University of Texas at San Antonio, San Antonio, USA

    Kurt Friday & Elias Bou-Harb

  2. Integrated Information Technology, The University of South Carolina, Columbia, USA

    Elie Kfoury & Jorge Crichigno

Authors
  1. Kurt Friday
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Elie Kfoury
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Elias Bou-Harb
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Jorge Crichigno
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Kurt Friday or Elias Bou-Harb .

Editor information

Editors and Affiliations

  1. Rutgers University, Newark, NJ, USA

    Vijayalakshmi Atluri

  2. Hamad Bin Khalifa University, Doha, Qatar

    Roberto Di Pietro

  3. Technical University of Denmark, Kongens Lyngby, Denmark

    Christian D. Jensen

  4. Technical University of Denmark, Kongens Lyngby, Denmark

    Weizhi Meng

Rights and permissions

Reprints and permissions

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Friday, K., Kfoury, E., Bou-Harb, E., Crichigno, J. (2022). INC: In-Network Classification of Botnet Propagation at Line Rate. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13554. Springer, Cham. https://doi.org/10.1007/978-3-031-17140-6_27

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-17140-6_27

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-17139-0

  • Online ISBN: 978-3-031-17140-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation