Abstract-Botnets create harmful attacks nowadays. Lawbreaker may implant malware into victim machines using botnets and, furthermore, he employs fast-flux domain technology to improve the lifetime and robustness of botnets. To circumvent the detection of command and control servers, a set of bots is selected to redirect malicious communication and hides the communication within normal traffic. As the dynamics of fast-flux domains, blacklist mechanism is not efficient to prevent fast-flux botnet attacks. It would be time consuming to examine the legitimacy of the domains of all the connections. Therefore, a lightweight detection of malicious fast-flux domains is desired. Based on the time-space behaviors of malicious fast-flux domains, the network behaviors of domains are formulized in this study to reduce the time complexity of modeling features. According to the experimental results, the malicious fast-flux domains collected from the real networks are identified efficiently and the proposed solution outperforms the blacklists.Index Terms-Botnet, fast-flux domain, malware, command and control server.