Detection of beaconing behavior in network traffic

US2016134651A1 · US · A1

Patent metadata

Publication number: US-2016134651-A1
Application number: US-201514750737-A
Country: US
Kind code: A1
Filing date: Jun 25, 2015
Priority date: Nov 6, 2014
Publication date: May 12, 2016
Grant date: (not listed)

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

A method for detecting beaconing behavior includes preprocessing network records to identify candidate source and destination pairs for detecting beaconing behavior, where each source and destination pair is associated with a specific time interval in a plurality of time intervals forming a time range, the time interval and time range having been predefined. The activity time interval information is converted from the time domain into the frequency domain. Candidate frequencies are determined from the source and destination pairs, as likely candidate frequencies/periodicities of beaconing activities.

First claim

Opening claim text (preview).

What is claimed is:

1. A method, comprising: preprocessing network records to identify candidate source and destination pairs for detecting beaconing behavior, each source and destination pair being associated with specific time intervals in a plurality of time intervals forming a time range, the time interval and time range having been predefined; converting the activity time interval information from a time domain into a frequency domain; and determining candidate frequencies from the source and destination pairs, as likely candidate frequencies/periodicities of beaconing activities.

2. The method of claim 1, further comprising: prior to the converting into the frequency domain, rescaling/aggregating time intervals such that a plurality of data sets with different time interval resolutions/time ranges are included in the plurality of time intervals for each source and destination pair; converting the plurality of data sets into the frequency domain; and analyzing activity time interval information for each source and destination pair.

3. The method of claim 2, further comprising receiving a user input to define parameters for the rescaling/aggregating time intervals.

4. The method of claim 2, further comprising storing the processed network records and the time interval data as rescaled/aggregated, for use in future evaluations.

5. The method of claim 2, wherein the activity time interval information analyzing comprises: calculating a power of each srcID, dstID pair in the frequency domain; comparing the power of each srcID, dstID pair with a predetermined power threshold value; and adding the srcID, dstID pair to a list of candidate frequencies if its power level exceeds the predetermined power threshold value.

6. The method of claim 5, further comprising evaluating each srcID, dstID pair on the list of candidate frequencies by: calculating a score of periodicity strength for each candidate frequency; comparing each periodicity strength score with a predetermined periodicity strength threshold value; adding, to a listing of candidate periodicities, data for any source/destination pair whose periodicity strength score exceeds the periodicity strength threshold value; and ranking the source and destination pairs based on ordering the periodicity scores for the candidate periodicities.

7. The method of claim 6, wherein the periodicity score is calculated by a weighted combination of a dominance score and an autocorrelation score for each candidate source/destination pair.

8. The method of claim 6, further comprising, prior to the comparing with the periodicity strength threshold value, adjusting the periodicity strength score of each candidate source/destination pair based on at least one characteristic.

9. The method of claim 7, wherein the at least one characteristic comprises at least one of: a popularity measurement; a language model evaluation of a domain name; and at least one measurement of interval statistics.

10. The method of claim 1, wherein preprocessing network records further comprises: comparing source and destination identifiers to a white list; and excluding from further evaluation those records having an identifier on the white list.

11. The method of claim 1, wherein the converting from the time domain to the frequency domain uses a Discrete Fourier Transform (DFT) as modified with a permutation filter.

12. The method of claim 1, wherein the analyzing of source and destination pairs further comprises filtering out improbable frequencies using a permutation filter.

13. The method of claim 1, as implemented in one of: a network server or gateway that monitors network activity for a web site or a local area network; a server or computer accessible for providing monitoring services to client computers or networks that are selectively connected to the server; and a cloud service.

14. The method of claim 1, as embodied in a set of computer-readable instructions that is tangibly stored in a non-transitory memory device.

15. The method of claim 14, wherein the non-transitory memory device comprises one of: a memory device on a computer currently executing the method; a memory device on a computer that can selectively execute the method; a memory device on a computer that can selectively dispatch the computer-readable instructions to another computer via a network; and a standalone, non-transitory memory device that stores the computer-readable instructions to be uploaded into a computer memory via an input port.

16. A method of deploying computer resources, said method comprising provisioning a memory device in a server accessible via a network with a set of computer-readable instructions for a computer to execute a method detecting beaconing behavior, wherein the method comprises: receiving network records for a site being evaluated for beaconing behavior; preprocessing the network records to identify candidate source and destination pairs for detecting beaconing behavior, each source and destination pair being associated with a specific time interval in a plurality of time intervals forming a time range, the time interval and time range having been predefined; converting the activity time interval information from a time domain into a frequency domain; and determining candidate frequencies from the source and destination pairs as likely candidate frequencies/periodicities of beaconing activities.

17. The method of claim 16, wherein the server one of: executes the method of detecting beaconing behavior based on network data received from a local area network of computers for which the server serves as a network portal; receives a request from a computer via the network to execute the method of detecting beaconing behavior, receives data from the requesting computer to be processed by the method, and returns to the requesting computer a result of executing the method on the received data; and receives a request from a computer via the network to execute the method and transmits the set of computer-readable instructions to the requesting computer to itself execute the method of detecting beaconing behavior.

18. The method of claim 16, wherein the server provides a service of executing the method of detecting beaconing behavior as a cloud service.
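As an added illustration of the pipeline in claims 1, 5, 6, 7, 11 and 12 (example code written for this page, not the patent's own implementation), the sketch below bins one source/destination pair's records into predefined intervals, takes a mean-removed DFT, filters the strongest peak with a permutation threshold, and scores periodicity as a weighted combination of dominance and autocorrelation. The weights (0.5/0.5), the definition of dominance as the peak's share of total power, the use of the maximum shuffled peak as the threshold, and the sample timestamps are all assumptions made here.

```python
import math, random

def bin_activity(timestamps, interval, time_range):
    """Activity series for one (src, dst) pair: 1 if any record fell in the bin (predefined interval/range)."""
    series = [0] * (time_range // interval)
    for t in timestamps:
        if 0 <= t < time_range:
            series[int(t // interval)] = 1
    return series

def power_spectrum(series):
    """Mean-removed DFT power for bins k = 1..n//2; index i holds bin k = i + 1, whose period is n / k bins."""
    n, mean = len(series), sum(series) / len(series)
    x = [v - mean for v in series]
    powers = []
    for k in range(1, n // 2 + 1):
        re = sum(x[t] * math.cos(2 * math.pi * k * t / n) for t in range(n))
        im = sum(x[t] * math.sin(2 * math.pi * k * t / n) for t in range(n))
        powers.append((re * re + im * im) / n)
    return powers

def permutation_threshold(series, trials=30, seed=1):
    """Permutation filter: shuffling keeps volume but destroys period; the max shuffled peak is chance-level power."""
    rng, peaks = random.Random(seed), []
    for _ in range(trials):
        shuffled = series[:]
        rng.shuffle(shuffled)
        peaks.append(max(power_spectrum(shuffled)))
    return max(peaks)

def autocorrelation(series, lag):
    mean = sum(series) / len(series)
    x = [v - mean for v in series]
    var = sum(v * v for v in x)
    return sum(x[t] * x[t + lag] for t in range(len(x) - lag)) / var if var else 0.0

def evaluate_pair(series, w_dominance=0.5, w_autocorr=0.5):
    """Candidate = strongest peak that beats the permutation threshold; score = weighted dominance + autocorrelation."""
    powers = power_spectrum(series)
    k = max(range(len(powers)), key=powers.__getitem__) + 1
    period = round(len(series) / k)
    dominance = powers[k - 1] / (sum(powers) or 1.0)
    score = w_dominance * dominance + w_autocorr * autocorrelation(series, period)
    return {"period_bins": period, "candidate": powers[k - 1] > permutation_threshold(series), "score": round(score, 3)}

# Constructed input: one pair checks in every 30 min (120 s past the half hour) for a day; another at random times.
INTERVAL, TIME_RANGE = 600, 86400   # 10-minute bins over 24 h -> 144 bins
BEACON = bin_activity([1800 * i + 120 for i in range(48)], INTERVAL, TIME_RANGE)
_rng = random.Random(7)
NOISE = bin_activity([_rng.randrange(TIME_RANGE) for _ in range(48)], INTERVAL, TIME_RANGE)
```

For the constructed beacon the only spectral line is at k = 48 (period 3 bins, i.e. 30 minutes), so it passes the permutation filter with a score near 1, while the random pair's strongest peak stays near the chance level.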

Assignees

IBM

Classifications

  • Access control lists [ACL] · CPC title

  • Event detection, e.g. attack signature detection · CPC title

  • Traffic logging, e.g. anomaly detection · CPC title

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US2016134651A1 cover?
A method for detecting beaconing behavior includes preprocessing network records to identify candidate source and destination pairs for detecting beaconing behavior, where each source and destination pair is associated with a specific time interval in a plurality of time intervals forming a time range, the time interval and time range having been predefined. The activity time interval informati…
Who is the assignee on this patent?
IBM
What technology area does this patent fall under?
Primary CPC classification H04L63/1416. Mapped technology areas include Electricity.
When was this patent published?
Publication date May 12, 2016 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 2 related publications on this page (citations in our corpus or others sharing the same primary CPC).