Towards Self-Defending SDN Infrastructures: Real-Time Honeypot-Enabled Botnet Detection Using ONOS
DOI:
https://doi.org/10.63158/journalisi.v8i1.1375
Keywords:
Botnet Detection, Flow Automation, Network Security, ONOS, Software-Defined Networking
Abstract
Modern Software-Defined Networks (SDNs), while benefiting from centralized programmability, remain vulnerable to fast-evolving botnet attacks. This paper presents and evaluates a lightweight ONOS-based honeypot and decoy framework designed to detect and automatically block multi-vector botnet behaviors in real time. The system integrates honeypot-exposed Telnet, SMB, and DNS services with threshold-, entropy-, signature-, and correlation-based inspection within a tree topology (depth = 2, fanout = 4) consisting of five OpenFlow switches and 50 hosts. Quantitatively, the system achieved 100% detection of all signature-based attacks (55/55), 100% blocking of distributed UDP scans (50/50), and 0% false positives on benign decoy access. Median detection latency ranged between 1–3 seconds. True positives (TP), false negatives (FN), false positives (FP), and true negatives (TN) were measured using ground-truth attacker lists built into automated test scripts, yielding precision and recall of 1.00 across all malicious scenarios. This work demonstrates that combining deception with SDN-level flow automation enables effective and computationally efficient botnet defense without machine learning. A key limitation is that all evaluations were conducted exclusively in a controlled Mininet simulation, which may not fully represent real-world traffic dynamics. Future work will validate the system on physical SDN deployments and evaluate its robustness under production workloads.
License
Copyright (c) 2026 Journal of Information Systems and Informatics

This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors Declaration
- The Authors certify that they have read, understood, and agreed to the Journal of Information Systems and Informatics (JournalISI) submission guidelines, policies, and submission declaration. The submission has been prepared using the provided template.
- The Authors certify that all authors have approved the publication of this manuscript and that there is no conflict of interest.
- The Authors confirm that the manuscript is their original work, has not received prior publication, is not under consideration for publication elsewhere, and has not been previously published.
- The Authors confirm that all authors listed on the title page have contributed significantly to the work, have read the manuscript, attest to the validity and legitimacy of the data and its interpretation, and agree to its submission.
- The Authors confirm that the manuscript is not copied from or plagiarized from any other published work.
- The Authors declare that the manuscript will not be submitted for publication in any other journal or magazine until a decision is made by the journal editors.
- If the manuscript is finally accepted for publication, the Authors confirm that they will either proceed with publication immediately or withdraw the manuscript in accordance with the journal’s withdrawal policies.
- The Authors agree that, upon publication of the manuscript in this journal, they transfer copyright or assign exclusive rights to the publisher, including commercial rights.














