Research Article

Abnormal Behavior Detection to Identify Infected Systems Using the APChain Algorithm and Behavioral Profiling

Table 14

Proof for the detection of C&C channels.

Proof 1. Detection of C&C channels

Given an environment,
, where h is a host infected with malware.
, where s is a C&C server.
If the connection cycle from the host to the destination system satisfies condition (x), then calculate the accumulated count (ac), and if the accumulated count satisfies threshold (), then this is defined as a C&C channel.
(where R is the RATD field value of APChain)
,
if x=true, then (where is the record number of APChain)
At this point, if the host is not communicating with the C&C server, the host is not infected with a botnet. Accordingly, a host infected with a botnet will maintain the C&C channel while periodically connecting to the C&C server.
Therefore, a C&C channel can be categorized once false positives are excluded from the set (C) of hosts suspected of maintaining a C&C channel.
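The following Python is an added illustration of the procedure in Proof 1 and is not code from the paper. It assumes a simplified record layout (record number, host, destination, timestamp) in place of the APChain/RATD fields, takes condition (x) to be "the connection cycle lies within a tolerance of a fixed period", and models the false-positive exclusion as an allowlist of known benign periodic destinations; the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample records in an APChain-like layout: (record_no, host, dest, time_s).
# The layout is an assumption: the RATD field is not defined on this page, so a plain
# timestamp stands in for it and a "connection cycle" is the gap between timestamps.
RECORDS = [
    (1, "h1", "s1", 0), (2, "h2", "web", 0), (3, "h1", "ntp", 0),
    (4, "h2", "web", 13), (5, "h1", "s1", 60), (6, "h1", "ntp", 60),
    (7, "h1", "s1", 121), (8, "h1", "ntp", 120), (9, "h1", "s1", 180),
    (10, "h1", "ntp", 180), (11, "h2", "web", 200), (12, "h2", "web", 215),
    (13, "h1", "s1", 239), (14, "h1", "ntp", 240), (15, "h1", "s1", 300),
    (16, "h2", "web", 500),
]

def connection_cycles(records):
    """Group records per (host, dest) and return the gaps between successive connections."""
    times = defaultdict(list)
    for _, host, dest, t in sorted(records, key=lambda r: r[3]):
        times[(host, dest)].append(t)
    return {pair: [b - a for a, b in zip(ts, ts[1:])] for pair, ts in times.items()}

def condition_x(cycle, period, tolerance):
    """Condition (x), assumed here as: the cycle lies within +/- tolerance of a fixed period."""
    return abs(cycle - period) <= tolerance

def accumulated_count(cycles, period, tolerance):
    """ac: the number of cycles for which condition (x) holds (the proof's running count)."""
    return sum(1 for c in cycles if condition_x(c, period, tolerance))

def detect_cc_channels(records, period, tolerance, threshold, known_benign=frozenset()):
    """Return the set C of (host, dest) pairs whose ac meets the threshold, with
    known benign periodic destinations removed as the false-positive exclusion step."""
    suspected = {pair for pair, cycles in connection_cycles(records).items()
                 if accumulated_count(cycles, period, tolerance) >= threshold}
    return {pair for pair in suspected if pair[1] not in known_benign}

if __name__ == "__main__":
    # h1 beacons to s1 about every 60 s; h1's NTP polling is just as regular but allowlisted.
    print(detect_cc_channels(RECORDS, period=60, tolerance=5, threshold=4, known_benign={"ntp"}))
```

Without the allowlist the regular NTP polling is flagged as well, which is exactly the false-positive class the final step of the proof removes.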