=Paper=
{{Paper
|id=Vol-2058/paper-03
|storemode=property
|title=Performance of Botnet Detection by Neural Networks in Software-Defined Networks
|pdfUrl=https://ceur-ws.org/Vol-2058/paper-03.pdf
|volume=Vol-2058
|authors=Ivan Letteri,Massimo Del Rosso,Pasquale Caianiello,Dajana Cassioli
|dblpUrl=https://dblp.org/rec/conf/itasec/LetteriRCC18
}}
==Performance of Botnet Detection by Neural Networks in Software-Defined Networks==
https://ceur-ws.org/Vol-2058/paper-03.pdf
Performance of Botnet Detection by Neural Networks in
Software-Defined Networks
Ivan Letteri, Massimo Del Rosso, Pasquale Caianiello, and Dajana Cassioli
Department of Information Engineering, Computer Science and Mathematics,
University of L’Aquila, via Vetoio snc, 67100 L’Aquila, Italy
ivan.letteri@graduate.univaq.it,massimo.delrosso@gmail.com,
pasquale.caianiello@univaq.it,dajana.cassioli@univaq.it
Abstract
The recent evolution of Internet to new paradigms such as network function virtual-
ization and software defined networking poses new relevant challenges to the detection of
Botnet attacks, calling for innovative approaches. In this work we propose a detection
mechanism based on an Artificial Neural Net classifier trained by available data sets col-
lected in conventional networks. We apply such detection mechanism to the timely use
case scenario of a software defined network infected by the dangerous Botnet Mirai, circu-
lating in October 2016. Experimental results show an accuracy of Botnet detection higher
than 99%, thus outperforming available Botnet detection mechanisms currently used in
conventional networks.
Keywords: Botnet, Malware, Software Defined Network, Mininet, Network Intrusion Detec-
tion and Prevention System, OpenDaylight, Machine Learning, Neural Network.
1 Introduction
Nowadays, botnets represent one of the most important and dangerous threats in Internet [10]. A
Botnet consists of a set of machines compromised by a malware (referred to as bots), managed by a
BotMaster. The main goal of a Botnet is to carry out malicious activities, executing the commands
given by the “Command & Control” (C&C) server, managed by the Botmaster. A major challenge
in current schemes for intrusion detection and/or prevention systems lies in the analysis of the time-
varying behaviour of interactions between the bot masters and the bots, followed by relevance by the
Botnet Deception and Obfuscation techniques.
The emerging paradigm of software defined networks (SDNs) represents a very promising frame-
work for the implementation of effective botnet detection and/or prevention strategies. Actually, the
decoupling of the control plane from the network switching infrastructure (data plane) provides a di-
rectly programmable and centralised logic to monitor and manage the network status, in particular for
the acquisition of statistics relevant to security threats detection. Several intrusion prevention systems
(IPSs) and intrusion detection systems (IDSs) have been proposed in the literature so far for SDNs.
A common approach is to extend the functionality of OpenFlow switches to include a programmable
middlebox with a IDS and/or IPS [17]. A collaborative intrusion prevention architecture for SDNs is
proposed in [2], where programmable switches of the network play the role of neurons in a neural
network (NN) that leverages their parallel and mathematical manipulation. An unsupervised NN
using the Kohonen algorithm trained to recognize unauthorized activities in a SDN managed from
OpenDayLight (ODL) controller in combination with Network Function Virtualization (NFV) has been
also proposed in [5]. It is based on a Self-Organized Map (SOM) learning method for the classification
problem phase to build an IPS for DDoS attacks mitigation. Schehlmann, et al. [13] introduces a
botnet detector and mitigation framework for large-scale networks using the NetFlow technology.
The fundamental problem in NN-based botnet detection is the definition of suitable discriminators1
to filter malicious traffic against regular traffic in the network. The comprehensive analysis of network
1 Discriminators are referred to as features in Machine Learning jargon.
�Performance of Botnet Detection by NN in SDNs I. Letteri, M. Del Rosso, P. Caianiello and D. Cassioli
traffic presented in [9] determined two hundred discriminators as the set of the most significant ones. A
botnet classification strategy based on the centralised collection of network flow counters in SDNs, and
the use of a supervised C4.5 decision tree classification algorithm, is proposed in [15]. Their experiments
show that OpenFlow counters represent suitable features to distinguish bot-malware patterns among
general network traffic flows. Network-based intrusion detection and prevention systems relying on
the SDN ODL controller to evaluate performance against Denial of Service (DoS) is proposed in [8],
based on a C4.5 decision tree model built on the Darpa 99 dataset, and a pre-processing phase to store
network packet via packet sniffers.
In our work we propose a simplified technique which is proved to provide high accuracy in the
detection of Botnets in SDNs. The presented results demonstrate that it is possible to detect malicious
traffic effectively by analyzing only the OpenFlow 1.3 messages exchanged by network nodes and the
controller. Our approach relies on the traffic classification by an artificial neural network (ANN) to
identify Botnets in a SDN as playground. Such ANN is trained with a data training set (TS) obtained
by a Botnet attack running in conventional networks (CN), i.e. non SDN. The paper is organized as
follows. Sec. 2 introduces the SDN architecture, and methods for choosing the appropriate features to
train the ANN for Botnet detection. Sec. 2.3 presents our proposed machine learning technique. Sec. 3
introduces the case study of the Botnet Mirai, emulated on our virtual network, and summarizes the
results obtained in the experimentations, showing the performance of our ANN approach in detecting
Mirai traffic and discussing its limitations. Finally, conclusions and possible future work are presented
in Sec. 4.
2 Botnet Detection Technique
2.1 System Architecture
The proposed approach relies on the passive monitoring of network traffic in SDNs, resulting in a
more lightweight approach than Deep Packet Inspection (DPI) methods. The schematic of the system
architecture is shown in the principle diagram in Fig. 1.
Figure 1: Principle diagram of the system architecture.
A SDN allows a single controller to orchestrate an entire network of switches. The SDN architecture
is split in three layers: the lowest layer (Data Layer ) is composed by hardware and virtual switches and
is interfaced to the upper layer (Control Layer ) by the Southbound APIs; the Control Layer (indicated
as SDN Controller in Fig. 1) defines the entire network performance by monitoring and configuring the
network entities; the top layer is the Application Layer, interfaced to the controller by the Northbound
2
�Performance of Botnet Detection by NN in SDNs I. Letteri, M. Del Rosso, P. Caianiello and D. Cassioli
APIs, that allows different applications to be developed on top of the control layer, including relevant
network functionalities such as network management, security, middlebox and so on.
The communications between the switches in the data plane and the controller are regulated by
the OpenFlow protocol, which provides the rules and the formats of messages (Southbound API). An
OpenFlow-compatible forwarding device in data plane consists of three parts: i) a flow table that stores
the action(s) to be applied to process the flow(s), one entry per each flow; ii) a secure channel for the
message exchange with the controller; iii) the OpenFlow protocol.
Figure 2: OpenFlow: Anatomy of a Flow Table Entry.
An entry in the flow table has five fields, as shown in Fig. 2: i) the match, with information about
the packet header that defines the flow; ii) the action, which defines how the packets should be handled;
iii) the counter, which keeps track of the amount of packets per flow; iv) the priority, which defines the
order to process the rule, convenient to get statistics efficiently; v) the time-out, where the idle timeout
and hard timeout control establishes the removal time of a flow entry from the OpenFlow table.
The components of the Botnet Detection technique proposed in this paper are shown in Fig. 1 and
reside in an application running on top of the SDN controller, which uses the Northbound RESTful
APIs to interact with the controller.
The Attack Prevention Module (APM) in Fig. 1 is responsible of creating an appropriate rule in the
field action of the Flow Table (see the Fig. 2) of the virtual switches whenever a flow is detected by the
Bot Detection Engine to be malicious and involved in a Botnet attack. Such rule blocks the infected host
that is identified by its mac address. The installation phase of the blocking rule for a flow considered
malicious proceeds in two steps: i) the mac-address of the infected host is recovered from the flow ID;
ii) the APM communicates to the controller, through the Northbound API, that the drop rule has to
be installed in the flow entry corresponding to the involved virtual switch in the detected malicious
traffic. The Bot Detection Engine uses a Machine Learning (ML) technique to classify the traffic. In
ML a system acquires knowledge through experience and is able to distinguish the specific patterns or
anomalies for which it has been trained. This one is specifically trained to detect the presence of one
or more components of a botnet in the network. The detection is typically based on the evaluation of
appropriate discriminators, referred to as features in the ML field, which are application-specific. In
the following, we describe the most common discriminators used for conventional data networks and
SDNs, which are the ones we used in our experiments.
2.2 Discriminators Filter
The discriminator filter extracts a set of relevant parameters, referred to as discriminators, that are
appropriately processed and given as input features to the ANN, core of the BotNet Detection Engine.
We selected a set of relevant features according to the definition of bidirectional flow within the use
of time windows [1, 7, 18, 16]. The selected features are listed in Table 1 for CN and in Table 2 for the
3
�Performance of Botnet Detection by NN in SDNs I. Letteri, M. Del Rosso, P. Caianiello and D. Cassioli
SDNs, where also the conventional features Data Rate R and Number of packets Np are employed
as common practice.
Feature Relevance
First packet size (Bytes) It reveals typical characteristics of network
protocol and refers to the entire flow
Number of small packets, i.e. with size lower Its use is widely known in P2P Botnet and
than 320 Bytes, in the time window in Bot – C&C server communications
Some Botnets try to keep the connection
Number of packets open by sending a large number of
packets in a specific time window
Average payload size, i.e. the Typically, in legitimate traffic flow
ratio between the size and the number this value is higher than the one
of payloads in the time window of the Botnet traffic flow
Data Rate, i.e. the ratio between the Typically, normal
number of bytes exchanged within the time traffic generates higher values
window and the time window size
Useful for finding DoS attacks or to detect
Variance of payloads size in the time window evasion techniques employed in
communication between Bots and C&C
consisting in sending fake packets
Bots are not managed by humans
Ratio between in-packets and out-packets and are programmed to respond to a
set of commands they receive.
Table 1: Selected discriminators as input to the ANN core of the BotNet Detection Engine for
conventional networks[1, 7, 16, 18].
Feature Description
Protocol Flow type at transport layer (UDP or TCP)
Bytes Sum Amount of flow bytes in the time window
P
Average packet size S pk = Spk /Npk , where Spk and Npk are the size
and the number of packets in the time window, respectively.
Average Packet Rate Rpk = Npk /STW , with STW the time window’s size
Average inter-arrival time τ i = STW /NTW ,
where NTW is the number of the time windows.
Table 2: Selected discriminators as input to the ANN core of the BotNet Detection Engine for
SDNs.
2.3 BotNet Detection with Multilayer Perceptrons
We approach the Botnet detection task as a supervised machine learning problem by using a Training
Set (TS) and a Test Set with features computed from real traffic data with known malicious/non
malicious label. As features are numerical, we thought it was appropriate to use a Multilayer Perceptron
(MLP), which is a classical and easily manageable ANN architecture, trainable with the error back-
propagation weight update rule [11]. Our aim is to identify a small MLP that, after training, can be
used as a real-time detection engine for Botnets.
4
�Performance of Botnet Detection by NN in SDNs I. Letteri, M. Del Rosso, P. Caianiello and D. Cassioli
In order to gain some insights about the complexity of the learning problem, we tried at first to
determine the minimum number of hidden neurons in a MLP with a single hidden layer that achieved
an acceptable error rate. This preliminary study is particularly important for the Botnet detection
task, as a large number of neurons in the MLP results in longer computation time that may negatively
affect the real-time performance of the desired detection engine. We found out that just 5 hidden
sigmoid neurons were sufficient to achieve an acceptable error with a small improvement by using a
higher number of hidden neurons. Consequently we tried to increase the number of hidden layers, just
to discover a small improvement in the performance of the Botnet detection.
Details about training and evaluating the MLPs are given in the following section 2.4.
Our Botnet detection engine is developed as an external software kbDetector that communicates
via Northbound-API with the OpenDayLight controller, in order to capture statistical information
about traffic with the OpenFlow protocol and turns it into input features to be given to the MLP. Our
strategy differs from the typical intrusion detection schemes designed for SDN running on the controller
[3] because we want to avoid the critical bottleneck challenges that occur during collection of a great
quantity of traffic from the switch. Our choice was dictated by the need to make it work with multiple
types of controllers. kbDetector is external to the controller, which it interfaces with via REST.
kbDetector interactions with the SDN controller can be sketched as follows :
1. the switch sends the OpenFlow packet ofp packet in to SDN controller;
2. the controller replies to the switch dictating to create a Flow Entry, and notifying, via WebSocket
to kbDetector, that a new flow has started;
3. when the hard-timeout expires, the switch sends a ofp flow removed OpenFlow message with the
statistics to the controller which then sends a notification via WebSocket to kbDetector that
contains the statistics and the stream id;
4. kbDetector calculates the features from incoming information and activates the trained MLP;
5. if the MLP classifies the flow as malicious, kbDetector retrieves the MAC address of the internal
hosts involved in the flow (starting from the flow rule id) and via REST messages add a block
rule of flow in order to isolate the infected host in the appropriate SDN network switches flow
entry.
Moreover we developed the application kbTool that manages host blocked by kbDetector.
kbTool communicates via REST API with the controller in order to share configuration files with
kbDetector.
We performed some experiments for some selected MLP architectures that are reported in Fig. 3
for both CNs and SDNs. All the MLP architectures were tested with different sizes of the time-
window. The main result we obtained is that an MLP trained over data concerning non-SDNs has a
very satisfactory performance also when tested for Botnet detection in SDNs. As expected, though,
the test error in SDNs is higher than that for non-SDNs that they were trained for. We can then note
that longer time windows bring about a better test error for most architectures, and that a four layers
MLP is good enough to achieve an error rate of less than about 0.05%.
2.4 Training the MLPs
For our experiments, we compute features based on portions of packet traffic until the layer 4 (ISO/OSI
stack), thus the flows have the same characteristics in SDNs and CNs, and are completely transparent
to an observer. The difference is in the specific set of discriminators used to train the ANN in the two
cases of CNs and SDNs, as explained in Sec. 2.2.
The MLPs in the experimentation were trained over a TS obtained by joining public datasets that
are commonly used in the literature for Botnet malicious traffic identification. The first is the CTU-13
dataset [4], it was created in the Czech Republic at CTU University, and consists of 13 scenarios that
come from different categories of Botnets. Each scenario contains the traffic of a particular Botnet
using different protocols and performing several actions. Then we use the ISOT dataset [12] by taking
out a small percentage of malicious traffic (about 1% of the total) for positive examples, while negative
5
�Performance of Botnet Detection by NN in SDNs I. Letteri, M. Del Rosso, P. Caianiello and D. Cassioli
Figure 3: Training Errors for different time windows and multiple NN architectures for CNs
and SDNs.
Figure 4: Training Set and Test Set compositions in CNs and SDNs.
examples (non-malicious traffic) were obtained by merging two different datasets from the Traffic Lab
6
�Performance of Botnet Detection by NN in SDNs I. Letteri, M. Del Rosso, P. Caianiello and D. Cassioli
at Ericsson Research in Hungary [14], and from the Lawrence Berkeley National Lab (LBNL) 2 . The
dataset that we obtain contains a large number of traffic flows collected from a variety of applications
like web browsing, p2p, and online games during the period from 2001 to 2012 and all this traffic is
structured in the pcap(packet capture) format that has become the common playground for network
capture files in the open source world.
Due to the large size of these two datasets, we considered appropriate a subdivision into small pcap
files performed via the opensource tool SplitCap 3 in order to create a division of flows.
The ISOT dataset dimension is 9.9 GB and contains 914812 different flows.
Different training sets and test sets of discriminators are created by applying the software pcap2ml
we developed on purpose and using the following time windows: 10, 30, 60, 120, 180, 240, and 300
seconds. This choice allows a quick comparison with other studies [1] [7] [18]. For each time window,
70% of the files were used for the creation of the training set and the remaining 30% for the test set.
New scenarios from the Stratosphere IPS 4 were added to the test set. The training and test files
have been splintered by duplicates. Their composition is shown in Fig. 4.
MLPs training was stopped either when the error was considered acceptable (0%) or when a max-
imun number of 1500 training epochs was reached. The synaptic plasticity of the hidden sigmoid
neurons was fixed to 0.3 and the momentum term to 0.1.
Figure 5: Confusion Matrix metrics in CNs and SDNs for the selected ANN architecture.
2.5 Performance Metrics
Performance of the trained MLPs is measured by means of the confusion matrix with its four quad-
rants that represent true positive TP, false positives FP, true negatives TN and false negatives FN,
where obviously the actual positives result in total P = TP+FN and the negatives N = TN+FP. The
confusion matrix metrics resulting from our experiments are presented in Fig. 5 for the selected ANN’s
architecture (7 − 11 − 5 − 1)5 . The performance metrics for a supervised NN are computed from the
four quadrants of the confusion matrix: the model accuracy is defined as A=(TP+TN)/(P+N), its
precision as S=TP/(TP+FP), and the recall as Re=TP/P=TP/(TP+FN). The values of these perfor-
mance metrics obtained in our tests are shown vs. the time window’s duration in Fig. 6 for both CNs
and SDNs with protocol OpenFlow 1.3, for the selected ANN architecture.
2 Enterprise Tracing Project: www.icir.org/enterprise-tracing/
3 Splitcap: www.netresec.com/?page= SplitCap
4 https://stratosphereips.org/category/dataset.html project
5 We made experiments for all architectures and obtained almost identical confusion matrices. Since we
selected the architecture 7-11-5-1 as the one that gives the minimum errors (Ref. to Fig. 3), to simplify the
Fig. 5 we reported only the confusion matrix associated with this architecture.
7
�Performance of Botnet Detection by NN in SDNs I. Letteri, M. Del Rosso, P. Caianiello and D. Cassioli
Figure 6: Comparison of the performance metrics in CNs (left plot) and SDNs (right plot) for
the 7 − 11 − 5 − 1 selected ANN architecture.
We may notice that, as a general trend, the precision appears independent from the duration of the
time window in both cases of CNs and SDNs, showing a very slight decrease for larger time window.
The accuracy and the recall, instead, grow with the increasing time window in all cases. Furthermore,
comparing the two types of networks, the accuracy and the recall are higher in CNs than in SDNs.
3 Test case study: Mirai Botnet Traffic
The experience of the last October, when Mirai Botnet DDoSed 17 Dyn Data Centers (DCs), repre-
sents a case study from which we have to learn. Today DC networks manage high volumes of dynamic
traffic and there is no doubt that the most dangerous threat for the performance of a DC is represented
by a DDoS attack. Hence, as a test case for our experiments we consider a DC network. The spread
of the malware on Internet has been strongly boosted by the online availability of the code for Mirai,
which was posted by a hacker known as Anna-Senpai 6 , then many cyber criminals started using the
tool to assemble their own botnet armies. We simulate the same event in a SDN environment, by
implementing a typical Fat-tree topology to create a Software-Defined Data Center (SDDC) with 4
pods within the Mininet framework [6]. In the simulator we have infected with the Mirai malware six
hosts in pods #1, #2 and #3, as shown in Fig. 7, by listening on TCP ports 23 and 2323, in order to
simulate vulnerable IoT webcams. One of the infected hosts plays the role of the Mirai C&C server
with a MySQL DBMS support, for scan receiver function used by Mirai. The victim host is located in
pod#0, and undergoes two different DoS attacks: SYN Flood and UDP Flood as shown in Fig. 7.
num. of packets Average of Bytes num. of Bytes Arrival rate Byte/time
57 68.473 3903.0 0.0316 21.68
33 68.363 2256.0 0.183 12.53
9 67.333 606.0 0.05 3.366
Table 3: Traffic between C&C and Bot in Mirai botnet
Our experimentation relies on the evaluation of the traffic flows in the network in order to
generate the set of relevant features to be given in input to the ANN for the Botnet detection and
evaluate the performance of our approach in terms of confusion matrix metrics accuracy, recall
6 https://github.com/jgamblin/Mirai-Source-Code
8
�Performance of Botnet Detection by NN in SDNs I. Letteri, M. Del Rosso, P. Caianiello and D. Cassioli
Figure 7: Diagram of the test case: the Mirai bots attack on the SDDC Fat-Tree topology.
and precision for Mirai detection. A sample of traffic between C&C and bots detected in a time
window of 180 seconds is shown in Table 3. In particular, the packet set (in both directions)
is represented by a quintuple consisting of source address, destination address, source port,
destination port, and protocol at the transport level. We analyse the efficiency of the trained
ANN as a Botnet detection tool by simulating UDP flood attacks by bots replicated from the
Mirai malware. We obtained the best performance in the attack detection for time windows
of large duration, as expected, and for time windows of 240 or 300 seconds the performance
is roughly the same. In practical implementations, the only possible time window with the
current version 1.3 of OpenFlow protocol is 300 seconds. However, a real-time system for
botnet detection would benefit significantly from the use of time-window sizes of few seconds,
especially if measures, like, e.g., isolation from the rest of the network, should be taken. The
main reason is that the current protocol is not provided with a method for extracting flow
statistics at arbitrary time intervals, and the only way is by removing a flow entry from the
switch. Furthermore, in a high traffic environment, such as DCs, that manage a large number
of streams, it is mandatory to reduce the number of rule removals per second. So, there is no
choice but setting the time window at the highest possible duration.
4 Conclusion
In this paper we have shown that the statistical analysis and classification by a supervised
neural network is an effective method for detecting the malicious traffic produced from bots
during the attacks, for individuating the communication flow between bots and C&C and for
preventing the attacks. In addition, we have shown that it is possible to block the attacks
at the source, not simply a mitigation strategy. During the testing phase we noticed, like a
serendipity, that DDoS attacks were automatically recognized by our neural network despite
the work is explicitly focused on Botnet detection and not on the effects of their application. In
particular, the use of neural networks has been as effective as other Machine Learning methods
with 99% accuracy. The use of the OpenFlow protocol version 1.3 imposes some limits, like
e.g., the impossibility of performing real-time detection, due to the constrained time window
duration. It is expected that the OpenFLow 1.5.1 protocol, which is not implemented yet in
ODL and in some switches open-source, will allow a more flexible customisation of the type of
statistics that can be extracted from a stream. Future refinements of the proposed work include
the analysis of performance of the detection application by implementing the kbDetector with
Big-Data techniques and the implementation of a malicious traffic generator to improve the
9
�Performance of Botnet Detection by NN in SDNs I. Letteri, M. Del Rosso, P. Caianiello and D. Cassioli
neural network training.
References
[1] Elaheh Biglar Beigi, Hossein Hadian Jazi, Natalia Stakhanova, and Ali A Ghorbani. Towards effec-
tive feature selection in machine learning-based botnet detection approaches. In Communications
and Network Security (CNS), 2014 IEEE Conference on, pages 247–255. IEEE, 2014.
[2] Xiao-Fan Chen and Shun-Zheng Yu. Cipa: A collaborative intrusion prevention architecture for
programmable network and sdn. Computers & Security, 58:1–19, 2016.
[3] Mohan Dhawan, Rishabh Poddar, Kshiteej Mahajan, and Vijay Mann. Sphinx: Detecting security
attacks in software-defined networks. In NDSS, 2015.
[4] Sebastian Garcia, Martin Grill, Jan Stiborek, and Alejandro Zunino. An empirical comparison of
botnet detection methods. computers & security, 45:100–123, 2014.
[5] Damian Jankowski and Marek Amanowicz. Intrusion detection in software defined networks with
self-organized maps. Journal of Telecommunications and Information Technology, 2015.
[6] Eric Jo, Deng Pan, Jason Liu, and Linda Butler. A simulation and emulation study of sdn-based
multipath routing for fat-tree data center networks. In Proceedings of the 2014 Winter Simulation
Conference, Piscataway, NJ, USA, 2014. IEEE Press.
[7] G Kirubavathi and R Anitha. Botnet detection via mining of traffic flow characteristics. Computers
& Electrical Engineering, 50:91–101, 2016.
[8] A. Le, P. Dinh, H. Le, and N. C. Tran. Flexible network-based intrusion detection and prevention
system on software-defined networks. In 2015 International Conference on Advanced Computing
and Applications (ACOMP), pages 106–111, Nov 2015.
[9] Andrew Moore, Denis Zuev, and Michael Crogan. Discriminators for use in flow-based classifica-
tion. Technical report, 2013.
[10] R. A Rodrı́guez-Gómez, G. Maciá-Fernández, and P. Garcı́a-Teodoro. Survey and taxonomy of
botnet research through life-cycle. ACM Computing Surveys (CSUR), 45(4):45, 2013.
[11] David E Rumelhart, Geoffrey E Hinton, Ronald J Williams, et al. Learning representations by
back-propagating errors. Cognitive modeling, 5(3):1, 1988.
[12] S. Saad et al. Detecting p2p botnets through network behavior analysis and machine learning.
In Privacy, Security and Trust (PST), 2011 Ninth Annual International Conference on, pages
174–180. IEEE, 2011.
[13] Lisa Schehlmann and Harald Baier. Coffee: a concept based on openflow to filter and erase events
of botnet activity at high-speed nodes. In GI-Jahrestagung, pages 2225–2239, 2013.
[14] Géza Szabó, Dániel Orincsay, Szabolcs Malomsoky, and István Szabó. On the validation of traffic
classification algorithms. Passive and active network measurement, pages 72–81, 2008.
[15] F. Tariq and S. Baig. Botnet classification using centralized collection of network flow counters in
software defined networks. International Journal of Computer Science and Information Security,
14(8):1075, 2016.
[16] Florian Tegeler, Xiaoming Fu, Giovanni Vigna, and Christopher Kruegel. Botfinder: Finding
bots in network traffic without deep packet inspection. In Proceedings of the 8th international
conference on Emerging networking experiments and technologies, pages 349–360. ACM, 2012.
[17] Wen Wang, Wenbo He, and Jinshu Su. Network intrusion detection and prevention middlebox
management in sdn. In Computing and Communications Conference (IPCCC), 2015 IEEE 34th
International Performance, pages 1–8. IEEE, 2015.
[18] David Zhao et al. Botnet detection based on traffic behavior analysis and flow intervals. Computers
& Security, 39:2–16, 2013.
10
�