Kaare, Nyamwaga M
Unknown Affiliation

Published: 1 document

Towards Self-Defending SDN Infrastructures: Real-Time Honeypot-Enabled Botnet Detection Using ONOS
Kaare, Nyamwaga M; Sam, Anael Elikana
Journal of Information System and Informatics Vol 8 No 1 (2026): February
Publisher : Asosiasi Doktor Sistem Informasi Indonesia

DOI: 10.63158/journalisi.v8i1.1375

Abstract

Modern Software-Defined Networks (SDNs), while benefiting from centralized programmability, remain vulnerable to fast-evolving botnet attacks. This paper presents and evaluates a lightweight ONOS-based honeypot and decoy framework designed to detect and automatically block multi-vector botnet behaviors in real time. The system integrates honeypot-exposed Telnet, SMB, and DNS services with threshold-, entropy-, signature-, and correlation-based inspection within a tree topology (depth = 2, fanout = 4) consisting of five OpenFlow switches and 50 hosts. Quantitatively, the system achieved 100% detection of all signature-based attacks (55/55), 100% blocking of distributed UDP scans (50/50), and 0% false positives on benign decoy access. Median detection latency ranged from 1 to 3 seconds. True positives (TP), false negatives (FN), false positives (FP), and true negatives (TN) were measured using ground-truth attacker lists built into automated test scripts, yielding precision and recall of 1.00 across all malicious scenarios. This work demonstrates that combining deception with SDN-level flow automation enables effective and computationally efficient botnet defense without machine learning. A key limitation is that all evaluations were conducted exclusively in a controlled Mininet simulation, which may not fully represent real-world traffic dynamics. Future work will validate the system on physical SDN deployments and evaluate its robustness under production workloads.