Beaconing detection is the identification of periodic or patterned network communications that may indicate malware checking in with command-and-control infrastructure. It matters because compromised systems often call home repeatedly, even when other activity stays quiet or blends into normal traffic.
What is Beaconing Detection?
Detection looks for timing regularity, destination relationships, protocol anomalies, and suspicious low-volume recurring traffic. It is useful for uncovering stealthy post-compromise communication and long-dwell intrusion patterns.
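The timing-regularity and low-volume checks described above can be sketched as follows. This is an added example, not code from the original page: the flow tuple layout, the thresholds, and all addresses (documentation ranges) are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from statistics import median

def build_sample():
    """Constructed flow records: (epoch_seconds, src, dst, bytes_out)."""
    flows = []
    # Host .5: callback about every 300 s with a few seconds of jitter, small payloads.
    for i, j in enumerate([0, 7, -5, 11, -9, 4, -2, 8, -6, 3, 1, -4]):
        flows.append((1000 + 300 * i + j, "10.0.0.5", "203.0.113.10", 420))
    # Host .8: irregular, bursty traffic to one destination.
    for t, b in [(1010, 5200), (1025, 88000), (1400, 1300), (1410, 640),
                 (2900, 72000), (2950, 900), (3700, 15000), (4300, 300)]:
        flows.append((t, "10.0.0.8", "198.51.100.20", b))
    # Host .9: only three connections, too few to judge.
    for t in (1000, 1600, 2200):
        flows.append((t, "10.0.0.9", "192.0.2.30", 500))
    # Host .7: regular every 600 s but large transfers (e.g. a scheduled sync).
    for i in range(10):
        flows.append((1000 + 600 * i, "10.0.0.7", "198.51.100.40", 4_000_000))
    return flows

def score_pairs(flows, min_events=8):
    """Map (src, dst) -> (regularity, median_bytes); regularity near 1.0 is very periodic."""
    seen = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        seen[(src, dst)].append((ts, nbytes))
    out = {}
    for pair, events in seen.items():
        if len(events) < min_events:
            continue  # too few samples for a timing judgement
        events.sort()
        deltas = [b[0] - a[0] for a, b in zip(events, events[1:])]
        med = median(deltas)
        if med <= 0:
            continue
        # Median absolute deviation relative to the median interval tolerates jitter.
        mad = median(abs(d - med) for d in deltas)
        out[pair] = (max(0.0, 1.0 - mad / med), median(n for _, n in events))
    return out

def flag_beacons(flows, min_regularity=0.9, max_median_bytes=2048):
    """Pairs that are both periodic and low-volume; candidates for enrichment, not verdicts."""
    return sorted(p for p, (r, b) in score_pairs(flows).items()
                  if r >= min_regularity and b <= max_median_bytes)

if __name__ == "__main__":
    for pair, (r, b) in sorted(score_pairs(build_sample()).items()):
        print(pair, round(r, 3), b)
    print("flagged:", flag_beacons(build_sample()))
```

A flagged pair is a lead for enrichment (destination reputation, process, known update or telemetry endpoints), since legitimate periodic traffic scores the same way on timing alone.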
What Beaconing Detection Commonly Supports
Common uses include network detection, malware hunting, C2 discovery, and incident scoping.
Beaconing Detection vs. No Pattern-Based Outbound Monitoring
Beaconing detection looks for recurring communication patterns that suggest external control. Without it, low-and-slow C2 traffic may be easy to miss.
Frequently Asked Questions
Why do attackers use beaconing?
Because periodic callbacks provide a simple way to maintain control and receive instructions without constant noisy traffic.
Can legitimate software look like beaconing?
Yes. Update checks and telemetry can look similar, so enrichment and context matter.
Related Cybersecurity Terms
- DNS Tunneling
- Network Behavior Anomaly Detection (NBAD)
- Indicator Enrichment
- Traffic Shaping Evasion