IEEE Access (Jan 2024)

BotFence: A Framework for Network-Enriched Botnet Detection and Response With SmartNICs

  • Hyunmin Seo,
  • Seungwon Shin,
  • Seungsoo Lee

DOI
https://doi.org/10.1109/ACCESS.2024.3446535
Journal volume & issue
Vol. 12
pp. 114878 – 114893

Abstract

The scale of botnet attacks is on the rise, yet traditional network security systems are inadequate to respond effectively to these threats, primarily because of high false positive rates and the extensive manpower required for analysis. In contrast, the cutting-edge intrusion detection method known as provenance-based analysis offers a novel paradigm by establishing causality between host events for meticulous examination. Nonetheless, this method struggles to analyze the payload of network packets, in which critical attack information resides, because of the performance cost of packet inspection. To address these challenges, we introduce BotFence, a pioneering approach that integrates payload inspection of network packets with provenance-based analysis to enhance botnet intrusion detection and response. Notably, our system leverages SmartNICs to minimize the impact on network performance. Our system first gathers and analyzes events within the host system, representing them as Tactics, Techniques, and Procedures (TTP). Concurrently, it collects and scrutinizes the network packets associated with these events, integrating the relationships between these TTPs and the collected network data into a Network-enhanced Threat Provenance Graph (NTPG) model that we devised. Consequently, our system provides a comprehensive security analysis of the network with minimal overhead. Demonstrations with complex attack scenarios show that BotFence successfully identifies and mitigates automated botnet infection in real time, analyzing more than 99.9% of host events within 1 ms, without degrading network performance.

Keywords