Botnets pose a significant cyber threat, causing billions of dollars in losses annually. Manual analysis of the massive network traffic generated is infeasible, necessitating the development of efficient, real-time automated detection systems. Existing methods often compromise speed for accuracy, particularly in high-bandwidth environments. This research addresses this challenge by proposing a novel approach that prioritizes speed without sacrificing detection accuracy. The core idea is to leverage machine learning to classify network traffic within one-second time windows, enabling near-instantaneous detection. This is a crucial improvement over existing methods that often require much longer time windows (e.g., 180 seconds) for analysis, thereby reducing the timeliness of botnet detection and response. The rapid and efficient processing of network data is critical for organizations to swiftly identify and mitigate botnet threats, minimizing damage and financial losses. The paper will demonstrate the effectiveness of the proposed approach by comparing its performance against existing solutions, specifically focusing on the trade-off between speed and accuracy.

Existing botnet detection techniques range from signature-based methods that identify known patterns in traffic payloads to machine learning approaches that leverage behavioral characteristics of botnet traffic. Signature-based methods are vulnerable to obfuscation techniques, while machine learning models, though highly effective, often lack the speed required for real-time detection in high-bandwidth networks. Previous studies on Software Defined Networks (SDNs) have explored hardware requirements for botnet detection, but mostly focusing on 5G mobile networks. Some studies explored optimal time windows for botnet detection, often settling on 180 seconds, prioritizing accuracy over speed. Other works utilized shorter time windows, but often at the cost of real-time performance due to clustering or complex feature extraction. The literature showcases a lack of focus on ultra-fast detection (one-second windows) for general TCP/UDP traffic across a wide range of bandwidths. The authors emphasize that their work analyzes TCP/UDP traffic, distinguishing it from other approaches that focus on DNS queries or blacklists. This paper aims to fill this gap by introducing an approach designed for real-time botnet detection across various bandwidths (up to 10 Gbps) utilizing one-second time windows.

The proposed approach consists of two modules: a feature extraction module and a classification module. The feature extraction module divides incoming network traffic into one-second time windows. Within each window, it identifies individual traffic flows (communications between two devices) based on source and destination IP addresses and port numbers. Four features are then extracted for each flow: source port number, destination port number, number of packets, and total bytes transmitted. These features were selected for their computational efficiency, prioritizing speed over potentially more informative features (means, standard deviations). The choice of a one-second time window is deliberate, aligning with the need for near-instantaneous detection and response in intrusion detection systems. The classification module employs a Decision Tree (DT) classifier, chosen for its speed and ease of retraining with new botnet data. The selection of DT was based on prior research comparing DT, Random Forest, k-Nearest Neighbors, and Support Vector Machines, where DT showed the best efficiency. The authors also investigated the performance of the model on saturated networks, simulating a 10% packet loss rate, a level commonly considered acceptable for network operation. This simulation allowed for the evaluation of the method's robustness in real-world, imperfect network conditions. The performance was evaluated through the F1 score in both ideal and saturated network conditions and compared with three state-of-the-art approaches. The hardware requirements for achieving real-time detection were also evaluated across different network bandwidths (100 Mbps, 1 Gbps, and 10 Gbps) using simulations on a Xeon E5-2630v3 CPU to estimate the number of cores necessary for parallelization.

The proposed model, when tested with time windows of one second, demonstrated comparable or even better F1-scores than when using the 180-second windows often suggested in literature. The model showed significant robustness against packet loss, maintaining high F1-scores even with a 10% packet loss rate, unlike some commercial IDSes that drop a high percentage of packets. A comparison with three other state-of-the-art methods revealed that the proposed approach achieved the fastest processing time (0.007 ms per sample) while maintaining a high F1-score of 0.926, only slightly lower than the best-performing model (0.947). This difference in F1-score is minimal compared to the significant improvement in speed (two orders of magnitude faster). The results demonstrated the importance of feature selection, highlighting the detrimental effect of using raw IP addresses as features, as it can overfit to the training dataset and fail to generalize to new data or real scenarios. A modified version of a competing method, that removed IP addresses as features, demonstrated significant performance improvements in terms of F1-score and processing speed. The hardware requirements estimation showed that real-time detection is achievable using 4 CPU cores of 2.4 GHz for 100 Mbps and 1 Gbps networks, and 19 cores for a 10 Gbps network. This indicates the scalability of the proposed approach across various bandwidths. The F1-score for various botnets were also detailed, showing that for most, the performance was almost equivalent when using either 1 second or 180 second time windows.

The findings demonstrate the feasibility of real-time botnet detection on large bandwidths by prioritizing speed and utilizing a highly efficient machine learning model. The use of a one-second time window allows for almost instantaneous detection and response, a substantial improvement over existing methods. The robustness of the system against packet loss highlights its practical applicability in real-world network environments. The significant speed improvement over other state-of-the-art models showcases its suitability for high-bandwidth scenarios, where rapid processing is crucial. The analysis of hardware requirements provides valuable insights for practical implementation and deployment.

This research successfully demonstrates a fast and robust real-time botnet detection system. It uses a Decision Tree classifier and four efficiently calculable features, operating on one-second time windows to achieve near-instantaneous detection. Future work includes testing the model with a more extensive range of botnets, creating a knowledge base for rapid detection, and exploring techniques for detecting more sophisticated botnets that try to evade detection.

The study's primary limitation is the reliance on a specific set of botnets and network traffic data for training and evaluation. The generalizability to unseen botnets and diverse traffic patterns requires further investigation. Additionally, while the 10% packet loss simulation helps assess robustness, it may not fully encapsulate real-world network dynamics. The generalization of hardware requirements to different CPU architectures needs further testing. The focus on TCP/UDP traffic also restricts the applicability to network scenarios where different protocols dominate.