A Malware Beacon of Botnet by Local Periodic Communication Behavior

Botnets are one of most serious threats in cyber security. Many previous studies have been proposed for botnet detection. Among those approaches, one of main tracks focuses on extracting informative features from network traffic flows. Nevertheless, most features of interest are extracted from the information of a single connection, such as flow duration, flow packet size etc. In this paper, we proposed an novel feature, which is able to detect a long-term behavior of botnets. More specifically, we aim to extract a malware beacon from the periodic communication between bots and bot master. Besides the regular communication pattern, we also explore several types of botnet behavior to leverage the effectiveness of the proposed feature. Our experimental results show that our proposed periodic communication signature could be one of effective features for detecting compromised devices.