The distributed detection of botnets may induce heavy computation and communication costs to network devices. Each device in related scheme only has a regional view of Internet,so it is hard to detect botnet comprehensively. In this paper,we propose a lightweight real-time botnet detection framework called BotGuard,which uses the global landscape and flexible configurability of software defined network(SDN)to identify botnets promptly. SDN,as a new network framework,can make centralized control in botnet detection,but there are still some challenges in such detections. We give a convex lens imaging graph(CLI-graph)to depict the topology characteristics of botnet,which allows SDN controller to locate attacks separately and mitigate the burden of network devices. The theoretical and experimental results prove that our scheme is capable of timely botnet detecting in SDNs with the accuracy higher than 90% and the delay less than 56 ms. The distributed detection of botnets may induce heavy computation and communication costs to network devices. Each device in related scheme only has a regional view of Internet, so it is hard to detect botnet comprehensively. In this paper, we propose a lightweight real-time botnet detection framework called BotGuard, which uses the global landscape and flexible configurability of software defined network (SDN) to identify botnets promptly. SDN, as a new network framework, can make centralized control in botnet detection, but there are still some challenges in such detections The theory and experimental results prove that our scheme is capable of timely. botnet detecting in SDNs with the accuracy higher than 90% and the delay less than 56 ms.