Beaconing Detection Using FFT — Technical Deep Dive
How DKTrace's NTA engine uses Fast Fourier Transforms on inter-packet timing sequences to detect C2 beaconing in encrypted traffic — with no payload inspection. Works on TLS 1.3, QUIC, and DNS-over-HTTPS.
DKTrace Research Team
Security Engineering · Threat Research
Why Encrypted Traffic Is Not a Safe Harbour for C2
C2 implants communicate with their operators on a schedule. Even when traffic is fully encrypted via TLS 1.3 or QUIC, this regularity creates a timing signature detectable via frequency analysis — no payload decryption required.
The FFT Approach
For each external connection flow, DKTrace's nta-engine collects a time series of inter-packet arrival times (IPATs):
```python
import numpy as np

timestamps = np.array([t0, t1, t2, ..., t_n])        # packet arrival times of one flow, in seconds
ipat_series = np.diff(timestamps)                    # [t1-t0, t2-t1, ..., t_n - t_{n-1}]
spectrum = np.abs(np.fft.rfft(ipat_series))
# the IPAT series is sampled once per packet; using the mean IPAT as the sample spacing gives bin frequencies in Hz
freqs = np.fft.rfftfreq(len(ipat_series), d=ipat_series.mean())
peak = 1 + np.argmax(spectrum[1:])                   # skip bin 0 (DC) and index into the full spectrum
dominant_freq = freqs[peak]                          # Hz
beacon_period = 1 / dominant_freq                    # seconds
```
If the magnitude at dominant_freq is more than 3σ above the noise floor AND beacon_period lies between 10 s and 3600 s (classic C2 territory), the flow is flagged as a beaconing candidate.
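As an added, self-contained illustration (not DKTrace's code), here is the pipeline above applied end to end, including the 3σ noise-floor gate and the 10 s to 3600 s period gate, to a constructed flow using the 60 s / 10% jitter beacon configuration from the results table below. The traffic generator, the seed and the burst shape (three packets about 10 ms apart per beacon, as a TLS exchange would produce) are assumptions.

```python
import numpy as np

MIN_PERIOD_S, MAX_PERIOD_S, SIGMA_THRESHOLD = 10.0, 3600.0, 3.0

def beacon_flow(n_beacons, period, jitter, packets_per_burst, rng):
    """Constructed traffic: each beacon is a burst of packets ~10 ms apart, and
    bursts are spaced period * (1 +/- jitter) seconds apart (hypothetical data)."""
    ts, t = [], 0.0
    for _ in range(n_beacons):
        ts.extend(t + 0.01 * i for i in range(packets_per_burst))
        t += period * (1 + rng.uniform(-jitter, jitter))
    ts.append(t)  # opening packet of the next burst, so the series ends on a full cycle
    return np.array(ts)

def analyse_flow(timestamps):
    """FFT over the inter-packet arrival-time (IPAT) series, then the 3-sigma
    noise-floor gate and the 10 s..3600 s period gate. Returns (flagged, period_s, z)."""
    ipat = np.diff(np.asarray(timestamps, dtype=float))
    if len(ipat) < 16:
        return False, None, 0.0                  # too few packets to judge
    spacing = ipat.mean()                        # mean IPAT as the sample spacing -> bins in Hz
    spectrum = np.abs(np.fft.rfft(ipat))
    freqs = np.fft.rfftfreq(len(ipat), d=spacing)
    peak = 1 + int(np.argmax(spectrum[1:]))      # skip bin 0 (DC)
    noise = np.delete(spectrum[1:], peak - 1)    # every other non-DC bin forms the noise floor
    if noise.std() <= 1e-9 * spectrum[0]:
        return False, None, 0.0                  # flat spectrum (numerical noise only)
    z = float((spectrum[peak] - noise.mean()) / noise.std())
    period = float(1.0 / freqs[peak])
    flagged = z > SIGMA_THRESHOLD and MIN_PERIOD_S <= period <= MAX_PERIOD_S
    return bool(flagged), period, z

def demo(seed=7):
    """Run the detector over a constructed 60 s / 10 % jitter beacon flow (100 beacons)."""
    rng = np.random.default_rng(seed)
    return analyse_flow(beacon_flow(100, 60.0, 0.10, 3, rng))

if __name__ == "__main__":
    flagged, period, z = demo()
    print(f"flagged={flagged} period={period:.1f}s peak={z:.1f} sigma above noise floor")
```

Because each beacon is a burst followed by a long gap, the IPAT series repeats every three samples, so the peak lands at one third of the series length and its frequency in Hz is one over three mean IPATs, which recovers the 60 s period even though every gap is jittered.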
JA3/JARM Fingerprinting
Simultaneously, DKTrace computes the flow's JA3 and JARM fingerprints. Both are matched against the threat-intel-manager's IOC database (1.2M+ entries) in under 0.5 ms via a Redis Bloom filter.
A JARM match alone (i.e. a known malicious C2 server TLS configuration) is enough for a HIGH-confidence alert, even without the FFT signal.
Jitter-Aware Detection
Sophisticated C2 frameworks add random jitter to beacon intervals. DKTrace accounts for this:
Production Results (30-Day Banking Deployment)
| C2 Framework | Beacon Config | Detection Time |
|---|---|---|
| Cobalt Strike | 60s, 10% jitter | 14 minutes |
| Sliver C2 | HTTPS | 3 minutes (JARM match) |
| DNS beaconing | A record queries | 22 minutes |
| Custom implant | 300s, no jitter | 8 minutes |