A new scalable botnet detection method in the frequency domain

Abstract

Botnets have become one of the most significant cyber threats over the last decade. The diffusion of the “Internet of Things” and its for-profit exploitation have contributed to the spread and sophistication of botnets, thus providing real, efficient and profitable criminal cyber-services. Recent research on botnet detection focuses on traffic pattern-based detection, analyzing the network traffic generated by infected hosts in order to find malicious behaviors regardless of the specific payload, architecture and protocol. In this chapter, we address the periodic behavior of infected hosts communicating with their Command-and-Control (C2) servers. We introduce an effective, fast and scalable approach based on layer-5 traffic analysis in the frequency domain, without using the well-known Fast Fourier Transform. The analysis was performed on the logs of a wide corporate network and tested on real malware samples, in order to demonstrate its applicability in almost every practical scenario.

Cite

Bottazzi, G., Italiano, G. F., & Rutigliano, G. G. (2018). A new scalable botnet detection method in the frequency domain. In Advanced Sciences and Technologies for Security Applications (pp. 141–166). Springer. https://doi.org/10.1007/978-3-319-97181-0_7
