Article ID: 459813
Journal: Journal of Network and Computer Applications
Published Year: 2015
Pages: 11
File Type: PDF
Abstract

Botnets currently pose the most potent threat to the security and integrity of networked systems. In this paper we present our experience of designing, implementing and evaluating BotFlex, which is, to the best of our knowledge, the first open-source network-based tool for botnet detection. BotFlex is designed for extensibility (in its detection parameters and decision elements), flexibility (in configuration), an easy-to-use interface, and real-time operation. Although the tool is intended to be extended and improved through community input, our first-cut implementation already shows encouraging accuracy and performance. On a 500 GB traffic trace captured at an ISP, with ground truth supplied by a commercial security company, BotFlex achieves a true positive rate (TPR) of 94.4% and a false positive rate (FPR) of 6.6%; our baseline, the state-of-the-art BotHunter tool, achieves a TPR of 79.6% at the same 6.6% FPR. In addition, BotFlex incurs negligible detection delay while sustaining good throughput (47K packets/second) with low processing overhead.
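The TPR, FPR and detection-delay figures above are host-level measurements of a detector's alerts against third-party ground truth. The following is an added evaluation harness illustrating how such figures are computed; it is not BotFlex or BotHunter code, and its per-host scoring rule (a host counts as detected if any alert names it), the `Alert` record and the constructed host list, infection labels and timestamps are all assumptions made for the example.

```python
"""Score a network-based bot detector's alerts against host-level ground truth.

Added example, not code from the BotFlex paper. The scoring rule is an
assumption: a monitored host counts as 'detected' if at least one alert names
it, so TPR/FPR are per host, not per alert, and repeated alerts for the same
host do not inflate either rate.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, Iterable, Mapping, Optional, Set


@dataclass(frozen=True)
class Alert:
    host: str        # internal host the detector flagged (IP or host id)
    ts: datetime     # time the alert was raised


def evaluate(alerts: Iterable[Alert],
             infected: Set[str],
             monitored: Set[str],
             infection_time: Optional[Mapping[str, datetime]] = None) -> dict:
    """Return the host-level confusion matrix, TPR, FPR and median detection delay.

    `infected` is the ground-truth set of bot-infected hosts, `monitored` every
    host the detector could have flagged, and `infection_time` (optional) the
    time each infected host became active, used only for the delay figure.
    """
    infection_time = infection_time or {}
    if not infected <= monitored:
        raise ValueError("ground-truth hosts must be a subset of the monitored hosts")

    # Keep only the earliest alert per host; that is what detection delay measures.
    first_alert: Dict[str, datetime] = {}
    for a in alerts:
        if a.host not in monitored:
            # A mismatch between the detector's and the ground truth's host
            # namespace silently corrupts FPR, so fail loudly instead.
            raise ValueError(f"alert for unmonitored host {a.host!r}")
        if a.host not in first_alert or a.ts < first_alert[a.host]:
            first_alert[a.host] = a.ts

    detected = set(first_alert)
    tp = detected & infected            # infected hosts that were flagged
    fp = detected - infected            # clean hosts that were flagged
    fn = infected - detected            # infected hosts that were missed
    tn = monitored - infected - detected
    clean = len(monitored) - len(infected)

    delays = [first_alert[h] - infection_time[h] for h in tp if h in infection_time]
    return {
        "tp": len(tp), "fp": len(fp), "fn": len(fn), "tn": len(tn),
        "tpr": len(tp) / len(infected) if infected else None,   # undefined without positives
        "fpr": len(fp) / clean if clean else None,              # undefined without negatives
        "median_delay": median(delays) if delays else None,
        "missed": sorted(fn),
    }


# Constructed sample data (not from the paper's ISP trace).
T = datetime(2015, 1, 1, 9, 0)
SAMPLE_HOSTS = {f"h{i}" for i in range(1, 11)}                 # 10 monitored hosts
SAMPLE_INFECTED = {"h1", "h2", "h3", "h4"}                     # ground truth: 4 bots
SAMPLE_INFECTION_TIME = {
    "h1": T + timedelta(minutes=60),
    "h2": T + timedelta(minutes=110),
    "h3": T + timedelta(minutes=120),
}
SAMPLE_ALERTS = [
    Alert("h1", T + timedelta(minutes=65)),    # 5 min after infection
    Alert("h1", T + timedelta(minutes=90)),    # repeat alert, must not double count
    Alert("h2", T + timedelta(minutes=120)),   # 10 min after infection
    Alert("h3", T + timedelta(minutes=180)),   # 60 min after infection
    Alert("h7", T),                            # clean host: one false positive
    # h4 is infected but never alerted: one false negative
]


def example() -> dict:
    """Score the constructed sample: TPR 3/4, FPR 1/6, median delay 10 min."""
    return evaluate(SAMPLE_ALERTS, SAMPLE_INFECTED, SAMPLE_HOSTS, SAMPLE_INFECTION_TIME)


if __name__ == "__main__":
    r = example()
    print(f"TP={r['tp']} FP={r['fp']} FN={r['fn']} TN={r['tn']}")
    print(f"TPR={r['tpr']:.3f} FPR={r['fpr']:.3f} median delay={r['median_delay']}")
    print("missed hosts:", r["missed"])
```

Two points the harness makes explicit: the FPR denominator is the number of clean monitored hosts, so the figure depends on how many hosts were actually observed in the trace, and the delay is measured from the ground truth's infection time to the detector's first alert, so a detector that alerts repeatedly on the same host earns no credit for the later alerts.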

Related Topics
Physical Sciences and Engineering; Computer Science; Computer Networks and Communications