Online Botnet Detection Based on Incremental Discrete Fourier Transform

Botnet detection has attracted lots of attention since botnet attack is becoming one of the most serious threats on the Internet. But little work has considered the online detection. In this paper, we propose a novel approach that can monitor the botnet activities in an online way. We define the concept of “feature streams” to describe raw network traffic. If some feature streams show high similarities, the corresponding hosts will be regarded as suspected bots which will be added into the suspected bot hosts set. After activity analysis, bot hosts will be confirmed as soon as possible. We present a simple method by computing the average Euclidean distance for similarity measurement. To avoid huge calculation among feature streams, classical Discrete Fourier Transform (DFT) technique is adopted. Then an incremental calculation of DFT coefficients is introduced to obtain the optimal execution time. The experimental evaluations show that our approach can detect both centralized and distributed botnet activities successfully with high efficiency and low false positive rate.