Description
Security professionals are in a constant battle with the recent trend of sophisticated malware targeting organizations and governments to gain unauthorized access to confidential knowledge and intellectual property. Recent years have also seen the rise of botnets, which are often used for sending spam email, stealing information, and launching wide-scale distributed denial of service attacks. Many approaches have been proposed to detect malware infection, but they either rely on end-host installations or require deep packet inspection for signature matching. In this work, we utilize a common behavior of malware called "beaconing", where an infected node communicates with a command and control server at regular intervals to report its liveness, to detect the presence of malware on an infected node. Using statistical methods for finding periodicity in a time series generated from network flow records, we were able to identify nodes infected with malware on a large organizational network. We evaluated our detection system on a real-world traffic dataset to show the effectiveness of our approach.
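As an added illustration of the periodicity idea above (this is not the paper's code or method), the script below groups flow records by source/destination pair, bins each pair's flow start times into a count-per-interval time series, and scores the series by its strongest autocorrelation lag. The flow records, addresses, bin width and threshold are constructed assumptions for the demo.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample data. Beacon: one flow roughly every 60 s with 0-4 s of jitter.
BEACON_TIMES = [60 * k + (3 * k) % 5 for k in range(20)]
# Irregular, bursty traffic for comparison (constructed).
NOISE_TIMES = [3, 4, 5, 6, 47, 48, 130, 131, 132, 300, 301, 520, 521, 522, 523, 899, 900, 1100]
# Flow records as (start_seconds, src_ip, dst_ip); addresses are documentation ranges.
FLOWS = [(t, "10.0.0.5", "203.0.113.7") for t in BEACON_TIMES] + [(t, "10.0.0.9", "198.51.100.2") for t in NOISE_TIMES]

def build_series(timestamps, bin_width):
    """Turn flow start times into a count-per-bin time series."""
    start = min(timestamps)
    series = [0] * (int((max(timestamps) - start) // bin_width) + 1)
    for t in timestamps:
        series[int((t - start) // bin_width)] += 1
    return series

def autocorr(series, lag):
    """Normalised autocorrelation of the series at the given lag (1.0 = identical)."""
    m = mean(series)
    var = sum((x - m) ** 2 for x in series)
    if var == 0:
        return 0.0
    cov = sum((series[i] - m) * (series[i + lag] - m) for i in range(len(series) - lag))
    return cov / var

def periodicity(timestamps, bin_width=5, min_lag=2):
    """Return (period_seconds, score): the lag with the strongest autocorrelation."""
    series = build_series(timestamps, bin_width)
    best_lag, best = 0, 0.0
    for lag in range(min_lag, len(series) // 2):
        r = autocorr(series, lag)
        if r > best:
            best_lag, best = lag, r
    return best_lag * bin_width, best

def detect_beacons(flows, threshold=0.5, min_events=10):
    """Group flows by (src, dst) and flag pairs whose time series is strongly periodic."""
    by_pair = defaultdict(list)
    for t, src, dst in flows:
        by_pair[(src, dst)].append(t)
    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_events:  # too few flows to judge periodicity
            continue
        period, score = periodicity(sorted(times))
        if score >= threshold:
            flagged[pair] = (period, round(score, 3))
    return flagged
```

On real flow data the bin width and threshold must be tuned per network, and legitimate periodic traffic (NTP, update checks, monitoring agents) will also score highly, so the output is a candidate list for analyst triage rather than a verdict.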