COFFEE: a Concept based on OpenFlow to Filter and Erase Events of botnet activity at high-speed nodes

It is a great challenge to tackle the increasing threat of botnets to contemporary networks. The community developed a lot of approaches to detect botnets. Their fundamental idea differs and may be grouped according to the location (e.g., host-based, network-based), data sets (e.g., full network packets, packet header information), and algorithms (e.g., signature based, anomaly based). However, if applied to high-speed networks like nodes of an Internet service provider (ISP) currently proposed methods suffer from two drawbacks. First, the false positive rate is too high to be used in an operational environment. Second, mitigation and reaction is not addressed. In this paper we introduce COFFEE, our concept of a botnet detection and mitigation framework at large-scale networks. The overall goal of COFFEE is to keep operational costs to a minimum. The detection part of COFFEE comprises two phases: the first one processes the whole traffic to filter candidates of a command-and-control communication using NetFlow-based detection algorithms. In order to decrease the false positive rate, suspected network connections are inspected in more detail in the second phase. The second phase makes use of the concept of Software-Defined Networking (SDN), which is currently deployed in some networks. If the detection yields an alert, SDN again is used to react (e.g., to drop suspect connections).