Periodic Behavior in Botnet Command and Control Channels Traffic

A botnet is a large network of bots that are under the control of a bot herder. Botnets have become a significant threat to network communications and applications. Botnets' execution relies on Command and Control (C2) communication channels traffic, which occur prior to the attack activity itself. Therefore, the detection of C2 communication channels traffic enables the detection of the members of a botnet before any target is attacked. We study the periodic behavior of C2 traffic that is caused by the pre-programmed behavior of bots to check for and download updates every T seconds. We use this periodic behavior of the C2 traffic to detect bots. This involves evaluating the periodogram of traffic in the monitored network. Then applying Walker's large sample test to the maximum ordinate of the periodogram to determine if it is due to a high periodic component in the traffic or not, and, if it is, then it is bot traffic. We apply the test to a TinyP2P botnet generated by SLINGbot and show a strong periodic behavior in the bots traffic. We study the effect of the period's length and duty cycle of the C2 traffic on the test performance and find that it increases with the increase of the duty cycle and/or the decrease of the period length. We analyze the test's performance in the presence of injected random noise traffic and develop a lower and an upper bounds for the test performance.