IL
Uploaded byIvan Letteri
PPTX, PDF211 views

Botnet detection in SDN by DL techniques

The document discusses the use of deep learning techniques for botnet detection in software-defined networks (SDN), highlighting the challenges posed by various botnet architectures. It describes the implementation of a multi-layer perceptron neural network using specific datasets and tuning parameters to achieve a prediction accuracy of 97%. Future work includes developing a new unbiased dataset and conducting deeper traffic analysis using the proposed SDN framework.

Embed presentation

Download to read offline
Botnet Detection in Software Defined Networks by Deep Learning Techniques Authors: Ivan Letteri Giuseppe Della Penna Giovanni De Gasperis University of L’Aquila
Road Map
● Components ○ Botmaster ○ Bots ○ Command & Control ● Architecture ○ Client-Server ○ Peer 2 Peer ○ Hybrid - Botnet: consist of a internet-connected devices (bots), controlled by an attacker called botmaster that manage by Command & Control, difficult to detect and eradicate due to the - Architecture: determine the size & distribution of botnet and could be Client-Server, P2P, or a hybrid of both in order to be more resilient and avoid detection Botnet and Cyber Crime
Software Defined Networking ● Architecture ○ Application plane ○ Control plane ○ Data plane ● Open Flow protocol ○ msgs ○ OF tables ● Application plane ○ Routing for traffic monitoring ○ botnet behavioral analysis - SDN: is an emerging network approach where the intelligence is in a single component. The forwarding process separate Data Plane from the routing (Control plane), through messages via OpenFlow protocol to the flow tables - Idea: traffic monitoring for malware behavior analysis in order to detect botnet attacks
State of the Art ● Tang et al. ○ NSL-KDD ○ Self Taught Learning ○ 6 SDN features - Tang et al.: propose a deep learning IDS in SDN using STL and NSL-KDD dataset, - 6 SDN features: duration, protocol type, source& destin. bytes, count and service count - Kalavini et al.: compare ML models like SVM, Naive Bayes, Dec.Trees and NN using CTU13 dataset - Wang W. et al.: encode traffic in images for train a CNN with customized dataset USTC-TFC2016 ● Kalavaini et al. ○ CTU 13 ○ SVN, NB, NN and Decision Trees ● Wang W. et al. ○ Convolutional NN ○ USTC-TFC2016
The Dataset ● HogZilla Dataset ○ CTU 13 ○ ISCX-IDS ○ 990k samples ○ 192 features - HogZilla Dataset: public dataset by merging CTU13 and ISCX IDS preprocessed & classified - Fair dataset: composed by 50% of bots traffic (180K samples) and 50% of normal traffic (180K samples) - Feats. Selection: All statistical features from the Controller via OF, 8 direct extracted, the rest calculated ● Fair dataset ○ 50% bot traffic ○ 50% normal traffic ● Features Selection ○ 22 SDN features ■ 8 direct ■ 14 calculated
The Neural Network (MLP) ● Network implementation ○ Ternsorflow ○ Keras ○ SciKitLearn ● Multi Layer Perceptron ○ 22 input neurons ○ 7 hidden layer (diamond shape) ○ Softmax activation with 2 output neurons ● Dropout (dropp the output) ○ random cutting of 3% of links - Keras + TF + SciKitlearn: Keras communicate with TensorFlow API, SKlearn library for data manipulation - Architecture: IN layer with 22 neurons, 7 hid. layer (44, 88, 176, 88, 44, 22, 11) and 2 neurons in OUT layer - Avoid overfitting via Dropout: All layers are fully connected only 70% randomly linked every epoch
Experimentation ● Split in 5 Train&Test Sets ○ Fair dataset ○ Shuffling ○ Partitioning ■ 50%-30%-20% ■ 50&20% Train &Test set ■ 30% prediction ● Best result achieved ○ 5th dataset ○ 96,52 % of accuracy - Splitting: 50% & 20% for train and test set, 30% for empirical prediction - Split in 5 sets: “similar” to a 5-cross folder validation used during the testing - Shuffling and Partitioning: reducing variance and making sure the model remain general - 5th subset for Training: the best result with the 96,52% of accuracy
Fine-tuning hyper parameters ● Learning Rate ○ Step size descend ○ Increase/Decrease ■ Accuracy ● Batch Size ○ 100 samples is the best size ● Epochs ○ 25 times is the optimal compromise ● Optimizer ○ Adam is the best in this experiment - 0.001 of Learning Rate: is the optimal size of the updates applied to the network weight, especially prediction - Batch Size: short size requires less memory and train fast but it is less accurate to estimate the gradient - 25 Epochs: train significantly fast to get a good accuracy/performance compromise with prediction 96,96% - Adam Optimizer: is clearly not the best optimizer for some tasks but in this case is the best
Conclusions ● Summary ○ New, big & realistic dataset ○ Derived SDN-specific features ○ MLP with 7 hidden layers ○ Intense fine-tuned parameters ○ result in 97% prediction accuracy on unknown traffic - Future Work: an our “unbiased” new dataset SDN driven from accurate Data Analysis (scatter matrix, feature Importance, Clustering, etc...) - An in-depth traffic analysis with our SDN framework (SDNsecKit)

More Related Content

PDF
Feature Selection Strategies for HTTP Botnet Traffic Detection
byIvan Letteri
 
PDF
Streaming Analytics and Internet of Things - Geesara Prathap
byWithTheBest
 
DOCX
Detecting_and_Mitigating_Botnet_Attacks_in_Software-Defined_Networks_Using_De...
byShakas Technologies
 
PDF
Architecting a machine learning pipeline for online traffic classification in...
byIAESIJAI
 
PPTX
Final_CNN-BiLSTM_NIDS_Presentation_Custom.pptx
bypoornachandu180303
 
PPTX
An Intelligent Intrusion Detection System for Smart Consumer Electronics Netw...
bylakmalamanish5
 
PDF
Empowering SDN with DDoS attack detection: leveraging hybrid machine learning...
byIAESIJAI
 
PDF
Botnet Detection and Prevention in Software Defined Networks (SDN) using DNS ...
byIJCSIS Research Publications
 
Feature Selection Strategies for HTTP Botnet Traffic Detection
byIvan Letteri
 
Streaming Analytics and Internet of Things - Geesara Prathap
byWithTheBest
 
Detecting_and_Mitigating_Botnet_Attacks_in_Software-Defined_Networks_Using_De...
byShakas Technologies
 
Architecting a machine learning pipeline for online traffic classification in...
byIAESIJAI
 
Final_CNN-BiLSTM_NIDS_Presentation_Custom.pptx
bypoornachandu180303
 
An Intelligent Intrusion Detection System for Smart Consumer Electronics Netw...
bylakmalamanish5
 
Empowering SDN with DDoS attack detection: leveraging hybrid machine learning...
byIAESIJAI
 
Botnet Detection and Prevention in Software Defined Networks (SDN) using DNS ...
byIJCSIS Research Publications
 

Similar to Botnet detection in SDN by DL techniques

PPTX
mini project sildes updated.pptx-b9[uoipuj
bypoornachandu180303
 
PDF
IRJET - Network Traffic Monitoring and Botnet Detection using K-ANN Algorithm
byIRJET Journal
 
PDF
An ensemble-based approach for effective distributed denial of service attack...
byIAESIJAI
 
PDF
Deep Convolutional Neural Network based Intrusion Detection System
bySri Ram
 
PPTX
Enhancing IoT network security through deep learning-powered.pptx
byshadowshasha
 
PDF
Hybrid software defined network-based deep learning framework for enhancing i...
byIAESIJAI
 
PPTX
Real time ddos attack , detection and prevention
byKusalXIIBanipur
 
PDF
Web Traffic Time Series Forecasting
byBillTubbs
 
PDF
Classification of Software Defined Network Traffic to provide Quality of Service
byIRJET Journal
 
PDF
Approximation of regression-based fault minimization for network traffic
byTELKOMNIKA JOURNAL
 
PDF
Deep Learning, Microsoft Cognitive Toolkit (CNTK) and Azure Machine Learning ...
byNaoki (Neo) SATO
 
PDF
Literature Review on DDOS Attacks Detection Using SVM algorithm.
byIRJET Journal
 
PPT
Botnet detection using Wgans for security
byssuser3f5a831
 
PDF
Federated deep learning intrusion detection system on software defined-networ...
byIAESIJAI
 
PDF
Kaggle Lyft Motion Prediction for Autonomous Vehicles 4th Place Solution
byPreferred Networks
 
PDF
An Efficient Hybrid-DNN for DDoS Detection and Classification in Software-Def...
byOKOKPROJECTS
 
PPTX
BSides Rochester 2018: Jonathan Myers: IoT Malware Detection with Machine Lea...
byJosephTesta9
 
PDF
Learning-based Orchestrator for Intelligent Software-defined Networking Contr...
byijseajournal
 
PDF
LEARNING-BASED ORCHESTRATOR FOR INTELLIGENT SOFTWARE-DEFINED NETWORKING CONTR...
byijseajournal
 
PDF
A_Survey_on_Machine_Learning_Techniques_for_Routin.pdf
byNagamaniV4
 
mini project sildes updated.pptx-b9[uoipuj
bypoornachandu180303
 
IRJET - Network Traffic Monitoring and Botnet Detection using K-ANN Algorithm
byIRJET Journal
 
An ensemble-based approach for effective distributed denial of service attack...
byIAESIJAI
 
Deep Convolutional Neural Network based Intrusion Detection System
bySri Ram
 
Enhancing IoT network security through deep learning-powered.pptx
byshadowshasha
 
Hybrid software defined network-based deep learning framework for enhancing i...
byIAESIJAI
 
Real time ddos attack , detection and prevention
byKusalXIIBanipur
 
Web Traffic Time Series Forecasting
byBillTubbs
 
Classification of Software Defined Network Traffic to provide Quality of Service
byIRJET Journal
 
Approximation of regression-based fault minimization for network traffic
byTELKOMNIKA JOURNAL
 
Deep Learning, Microsoft Cognitive Toolkit (CNTK) and Azure Machine Learning ...
byNaoki (Neo) SATO
 
Literature Review on DDOS Attacks Detection Using SVM algorithm.
byIRJET Journal
 
Botnet detection using Wgans for security
byssuser3f5a831
 
Federated deep learning intrusion detection system on software defined-networ...
byIAESIJAI
 
Kaggle Lyft Motion Prediction for Autonomous Vehicles 4th Place Solution
byPreferred Networks
 
An Efficient Hybrid-DNN for DDoS Detection and Classification in Software-Def...
byOKOKPROJECTS
 
BSides Rochester 2018: Jonathan Myers: IoT Malware Detection with Machine Lea...
byJosephTesta9
 
Learning-based Orchestrator for Intelligent Software-defined Networking Contr...
byijseajournal
 
LEARNING-BASED ORCHESTRATOR FOR INTELLIGENT SOFTWARE-DEFINED NETWORKING CONTR...
byijseajournal
 
A_Survey_on_Machine_Learning_Techniques_for_Routin.pdf
byNagamaniV4
 

Recently uploaded

PDF
Introduction to Human Computer Interaction .pdf
byakankshanagdeve3
 
PPTX
Experimental flow visualization techniques ( PIV, LDA.pptx
bySuvojitPaul5
 
PPTX
22PEOIT4C Session 16 Backtracking CSP.pptx
byGuru Nanak Technical Institutions
 
PDF
Layer 1 Blockchain Ecosystem — Executive Brief (Jan 2026)
byGarima Singh
 
PPTX
22PEOIT4C Session 10 Adversarial Search.pptx
byGuru Nanak Technical Institutions
 
PPTX
PQ CHP-1 brief introduction to power quality
bySureshEtukuriE1
 
PPTX
Semiconductor diodes ppt and also characteristics
bynivishnasece
 
PPTX
TR334_Foundation_Engineering_I_Slope stability _i.pptx
byalexander402774
 
PDF
RESULTADOS_SIMULACRO_PRECOAR_SB_14_12.pdf
bychiricatora
 
PPT
Solidification and Phase Diagram_Alber07.ppt
byMohamedKareemElAdham
 
PDF
Prospective TIA Challenges and Enhancements
byM Maged Hegazy, LLM, MBA, CCP, P3O
 
PPTX
presentation-tenable-corporate-deck-ppt-version-english (1).pptx
bykrodriguez55
 
PDF
Production Planning and Control - Assembly Line Balancing-8.12.25.pdf
byminaergec2004
 
PPTX
22PEOIT4C Session 17 Horn clause Proportional Clause.pptx
byGuru Nanak Technical Institutions
 
PPT
Steam generation , types of steam, boilers and their classifications, mountin...
byPrashantPatunkar1
 
PPT
Lecture Note on Forming processes for MME 213 2025-2026 Academic session.ppt...
byOcheriCyril2
 
PDF
DDS over TSN: configuring TSN to meet DDS-level QoSes
byRealTime-at-Work (RTaW)
 
PDF
BO049FHDMO 0.49 Inch Micro OLED Datasheet
bySyluxdisplay
 
PDF
Image Compression using Machine Learning: A Hybrid DCT-Autoencoder Approach
byShahid Beheshti University,
 
PPT
introduction to supply chain management.ppt
byrutujawawre
 
Introduction to Human Computer Interaction .pdf
byakankshanagdeve3
 
Experimental flow visualization techniques ( PIV, LDA.pptx
bySuvojitPaul5
 
22PEOIT4C Session 16 Backtracking CSP.pptx
byGuru Nanak Technical Institutions
 
Layer 1 Blockchain Ecosystem — Executive Brief (Jan 2026)
byGarima Singh
 
22PEOIT4C Session 10 Adversarial Search.pptx
byGuru Nanak Technical Institutions
 
PQ CHP-1 brief introduction to power quality
bySureshEtukuriE1
 
Semiconductor diodes ppt and also characteristics
bynivishnasece
 
TR334_Foundation_Engineering_I_Slope stability _i.pptx
byalexander402774
 
RESULTADOS_SIMULACRO_PRECOAR_SB_14_12.pdf
bychiricatora
 
Solidification and Phase Diagram_Alber07.ppt
byMohamedKareemElAdham
 
Prospective TIA Challenges and Enhancements
byM Maged Hegazy, LLM, MBA, CCP, P3O
 
presentation-tenable-corporate-deck-ppt-version-english (1).pptx
bykrodriguez55
 
Production Planning and Control - Assembly Line Balancing-8.12.25.pdf
byminaergec2004
 
22PEOIT4C Session 17 Horn clause Proportional Clause.pptx
byGuru Nanak Technical Institutions
 
Steam generation , types of steam, boilers and their classifications, mountin...
byPrashantPatunkar1
 
Lecture Note on Forming processes for MME 213 2025-2026 Academic session.ppt...
byOcheriCyril2
 
DDS over TSN: configuring TSN to meet DDS-level QoSes
byRealTime-at-Work (RTaW)
 
BO049FHDMO 0.49 Inch Micro OLED Datasheet
bySyluxdisplay
 
Image Compression using Machine Learning: A Hybrid DCT-Autoencoder Approach
byShahid Beheshti University,
 
introduction to supply chain management.ppt
byrutujawawre
 

Botnet detection in SDN by DL techniques

  • 1.
    Botnet Detection inSoftware Defined Networks by Deep Learning Techniques Authors: Ivan Letteri Giuseppe Della Penna Giovanni De Gasperis University of L’Aquila
  • 2.
  • 3.
    ● Components ○ Botmaster ○Bots ○ Command & Control ● Architecture ○ Client-Server ○ Peer 2 Peer ○ Hybrid - Botnet: consist of a internet-connected devices (bots), controlled by an attacker called botmaster that manage by Command & Control, difficult to detect and eradicate due to the - Architecture: determine the size & distribution of botnet and could be Client-Server, P2P, or a hybrid of both in order to be more resilient and avoid detection Botnet and Cyber Crime
  • 4.
    Software Defined Networking ●Architecture ○ Application plane ○ Control plane ○ Data plane ● Open Flow protocol ○ msgs ○ OF tables ● Application plane ○ Routing for traffic monitoring ○ botnet behavioral analysis - SDN: is an emerging network approach where the intelligence is in a single component. The forwarding process separate Data Plane from the routing (Control plane), through messages via OpenFlow protocol to the flow tables - Idea: traffic monitoring for malware behavior analysis in order to detect botnet attacks
  • 5.
    State of theArt ● Tang et al. ○ NSL-KDD ○ Self Taught Learning ○ 6 SDN features - Tang et al.: propose a deep learning IDS in SDN using STL and NSL-KDD dataset, - 6 SDN features: duration, protocol type, source& destin. bytes, count and service count - Kalavini et al.: compare ML models like SVM, Naive Bayes, Dec.Trees and NN using CTU13 dataset - Wang W. et al.: encode traffic in images for train a CNN with customized dataset USTC-TFC2016 ● Kalavaini et al. ○ CTU 13 ○ SVN, NB, NN and Decision Trees ● Wang W. et al. ○ Convolutional NN ○ USTC-TFC2016
  • 6.
    The Dataset ● HogZillaDataset ○ CTU 13 ○ ISCX-IDS ○ 990k samples ○ 192 features - HogZilla Dataset: public dataset by merging CTU13 and ISCX IDS preprocessed & classified - Fair dataset: composed by 50% of bots traffic (180K samples) and 50% of normal traffic (180K samples) - Feats. Selection: All statistical features from the Controller via OF, 8 direct extracted, the rest calculated ● Fair dataset ○ 50% bot traffic ○ 50% normal traffic ● Features Selection ○ 22 SDN features ■ 8 direct ■ 14 calculated
  • 7.
    The Neural Network(MLP) ● Network implementation ○ Ternsorflow ○ Keras ○ SciKitLearn ● Multi Layer Perceptron ○ 22 input neurons ○ 7 hidden layer (diamond shape) ○ Softmax activation with 2 output neurons ● Dropout (dropp the output) ○ random cutting of 3% of links - Keras + TF + SciKitlearn: Keras communicate with TensorFlow API, SKlearn library for data manipulation - Architecture: IN layer with 22 neurons, 7 hid. layer (44, 88, 176, 88, 44, 22, 11) and 2 neurons in OUT layer - Avoid overfitting via Dropout: All layers are fully connected only 70% randomly linked every epoch
  • 8.
    Experimentation ● Split in5 Train&Test Sets ○ Fair dataset ○ Shuffling ○ Partitioning ■ 50%-30%-20% ■ 50&20% Train &Test set ■ 30% prediction ● Best result achieved ○ 5th dataset ○ 96,52 % of accuracy - Splitting: 50% & 20% for train and test set, 30% for empirical prediction - Split in 5 sets: “similar” to a 5-cross folder validation used during the testing - Shuffling and Partitioning: reducing variance and making sure the model remain general - 5th subset for Training: the best result with the 96,52% of accuracy
  • 9.
    Fine-tuning hyper parameters ●Learning Rate ○ Step size descend ○ Increase/Decrease ■ Accuracy ● Batch Size ○ 100 samples is the best size ● Epochs ○ 25 times is the optimal compromise ● Optimizer ○ Adam is the best in this experiment - 0.001 of Learning Rate: is the optimal size of the updates applied to the network weight, especially prediction - Batch Size: short size requires less memory and train fast but it is less accurate to estimate the gradient - 25 Epochs: train significantly fast to get a good accuracy/performance compromise with prediction 96,96% - Adam Optimizer: is clearly not the best optimizer for some tasks but in this case is the best
  • 10.
    Conclusions ● Summary ○ New,big & realistic dataset ○ Derived SDN-specific features ○ MLP with 7 hidden layers ○ Intense fine-tuned parameters ○ result in 97% prediction accuracy on unknown traffic - Future Work: an our “unbiased” new dataset SDN driven from accurate Data Analysis (scatter matrix, feature Importance, Clustering, etc...) - An in-depth traffic analysis with our SDN framework (SDNsecKit)

Editor's Notes

  • #3 Introduction to Botnets, the most used cyber criminal “tool”, and an introduction to SDN, software defined networking the new networking paradigm the Dataset... the collection of data used, and why we used a particular dataset the Neural network, more precisely the Deep Learning model that we have realized the Experiment conduct on hyper parameters
  • #4 A botnet consists of a number of internet-connected devices, each of which runs one or more bots. You can consider a Botnet like a system compromised by some kind of malware, malware controlled by an attacker, an attacker called botmaster @Botnets can be very difficult to detect and eradicate, difficult because the large size and distribution too. For example due to their architectures, that could be Client Server, P2P, or hybrid that is a mix of both, in order to be more resilient and avoid detection.
  • #5 An SDN is an emerging networking approach, that enables an easy and efficient (re)configuration function, in order to improve network performance and so on. The SDN centralizes the network intelligence, in a single component, called Controller. The Controller communicates with elements on the data plane (for example, switches or routers) through the OpenFlow protocol, for the routing. @For our research, we've been focused on the Application Plane, and the central idea is to realize an application for the traffic monitoring, in an SDN, for malware behavioral analysis, that can be done in order to detect botnet attacks.
  • #6 Tang et al. propose a deep learning based approach, for a general network intrusion detection in SDN using self-taught learning (STL) and a different dataset to our, the NSL-KDD dataset. And through six SDN features: duration, protocol type, source bytes, destination bytes, count, and service count they trained a NN. @Kalavaini et al. compare several different machine learning algorithms, such as SVM, naive bayes, decision trees and among those the neural networks, all these models in the context of network traffic classification. They exploit the CTU-13 dataset, surprisingly, they conclude that neural networks are the worst classifiers in this context. @Wang W. et al., encode traffic data as images, and then exploit a convolutional neural network for traffic classification, reach an accuracy rate of roughly 99% using a customized dataset USTC-TFC2016.
  • #7 Nowadays, the behavioural analysis is often supported by machine learning techniques, … and the core in Machine Learning, especially in supervised learning, is the employed dataset. After a lot of evaluations, we chosen the HogZilla dataset, because combines selected parts of the well-known CTU-13 dataset, @and good normal traffic that came from ISCX IDS datasets. Our work has been, to refine the Hogzilla dataset by extracting from it a @fair dataset, i.e., a balanced dataset containing exactly the same number (180, 000) of normal and botnet samples, the original dataset has 1 billion of samples unbalance of Normal traffic. @our dataset has only 22 features instead of 192 from the original one, more precisely 22 SDN features extractable via SDN. @how we selected 22 features: 8 features, from the HogZilla dataset, can be directly obtained via REST calls, REST is an architecture. These calls to the SDN controller, more precisely, from the flow and port statistics by OpenFlow protocol, and the other 14 features calculated from the previous eight.
  • #8 Neural networks have been widely used in classification tasks, because Bots are continuously evolving and thus, their behaviour quickly changes. To run our neural network we used TensorFlow, interacting with Keras library, and the other important library SciKitLearn, for data manipulation phase. We have done all the experiments in a local machine with Ubuntu server. In our experiment, we used a Multi Layer Perceptron with 22 neurons in input layer, 7 hidden layers distributed in order to form a diamond shape. And 2 output layers with softmax activation function, where 01 is normal traffic and 10 is bots traffic, with our fine-tuning hyper parameters we reduce/eliminate uncertainty values 00 and 11 . @All the layers are fully connected but unliked randomly via Dropout set to 30% in order to avoid overfitting.
  • #9 To test our approach, from the fair dataset, @at the beginning we extract 5 different train and test sets. we shuffled the dataset with the purpose of reducing variance and making sure that models remain general and overfit less, then we partitioned it in 50%-30%-20% parts. The first and last parts will be used for training and testing, whereas the remaining 30% is discarded and used later for a manual validation with our algorithm, in the prediction phase. @ as you can see in the table, the 5th dataset obtain the best result with the 96,52% of accuracy, so it is the best candidate
  • #10 One of the principal activity of this work: an Intense Fine-Tuning of Hyper Parameters, starting from:The learning rate parameter, which controls the size of the updates applied to the network weights. @in a perspective of performance, choosing the best Batch Size is important, we realize that group 100 samples is the best strategy. Because it is short enough to train fast and accurate enough to the estimate of the gradient. @Furthermore, we tried to change the number of epochs, only 25 epochs and we get the higher prediction accuracy (96,96%). The training is significantly faster. A good accuracy/performance compromise @The Optimizer: Adam is clearly not the best optimizer but seems the best in this particular experiment.
  • #11 The conclusion: in this paper, we performed botnet detection experiments on a new dataset, containing a very large amount of normal and botnet traffic samples, from which we extracted a set of botnet-specific meaningful features that can be actually derived in a SDN environment. @Our future work on this field will include a more in-depth analysis of the SDN traffic features, to further reduce the amount of data needed to reach the current accuracy levels.