Abnormal Behavior Detection to Identify Infected Systems Using the<i> APChain</i> Algorithm and Behavioral Profiling

<table class="fixed-width table-group" id="tab16"><tr><td><table class="table"><colgroup><col style="width:18.00em"/><col style="width:5.05em"/><col style="width:5.00em"/><col style="width:3.97em"/><col style="width:4.12em"/></colgroup><tr><td class="thead-hr" colspan="5"><hr/></td></tr><tr class="thead"><td class="align_left">Category</td><td class="align_center">Accuracy</td><td class="align_center">Precision</td><td class="align_center">Recall</td><td class="align_center">FP rate</td></tr><tr><td class="thead-hr" colspan="5"><hr/></td></tr><tr><td class="align_left">Threshold A (0, 240)<br/><svg height="11.5564pt" id="M204" style="vertical-align:-2.26807pt" version="1.1" viewbox="-0.0498162 -9.28833 28.8807 11.5564" width="28.8807pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M293 -169V-141C218 -131 209 -90 209 -44C209 19 222 85 222 152C222 207 198 255 139 269V273C199 286 222 334 222 388C222 454 209 523 209 588C209 632 218 671 293 681V709C234 709 148 695 148 577C147 513 155 438 155 372C155 337 152 291 64 285V256C152 250 155 204 155 169C156 105 148 31 148 -41C148 -157 234 -169 293 -169Z" id="g113-124"></path></g><g transform="matrix(.013,0,0,-0.013,4.511,0)"><path d="M536 404C536 423 520 448 491 448C445 448 398 404 308 283L286 338C255 416 242 448 217 448C182 448 138 402 92 341L111 321C149 368 169 378 178 378C188 378 198 363 214 320L254 212C185 117 138 65 107 65C98 65 85 69 82 75C79 82 73 86 65 86C44 86 23 60 23 39C23 7 44 -12 71 -12C119 -12 168 33 265 177L306 61C321 17 347 -12 373 -12C413 -12 465 33 507 96L491 119C459 84 432 60 413 60C395 60 378 92 358 148L321 250C341 279 369 310 389 332C417 363 439 382 456 382C466 382 475 376 481 368C486 361 492 358 496 358C513 358 536 381 536 404Z" id="g113-121"></path></g><g transform="matrix(.013,0,0,-0.013,15.41,0)"><path d="M162 -163V703H101V-163H162Z" id="g113-9"></path></g><g transform="matrix(.013,0,0,-0.013,22.461,0)"><path d="M241 635C89 635 35 457 35 312C35 153 89 -12 240 -12C390 -12 443 166 443 312C443 466 390 635 241 635ZM238 602C329 602 354 454 354 312C354 172 330 22 240 22C152 22 124 173 124 313S148 602 238 602Z" id="g113-49"></path></g></svg>≤ <i>x</i> ≥ 240, <i>x</i>=frequency<svg height="11.5564pt" id="M205" style="vertical-align:-2.26807pt" version="1.1" viewbox="-0.0498162 -9.28833 4.62754 11.5564" width="4.62754pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M283 255V284C195 290 192 337 192 375C192 436 200 508 200 580C200 696 116 709 54 709V681C127 671 139 634 139 588C138 524 125 452 125 387C125 333 149 286 209 272V268C148 253 125 206 125 151C126 87 139 16 139 -47C139 -92 127 -131 54 -141V-169C115 -169 200 -152 200 -41C200 32 192 104 192 164C192 202 195 249 283 255Z" id="g113-126"></path></g></svg></td><td class="align_center">0.0156</td><td class="align_center">0.0006</td><td class="align_center">1.0</td><td class="align_center">0.9850</td></tr><tr><td class="align_left" colspan="5"><hr/></td></tr><tr><td class="align_left">Threshold B (30, 240)<br/><svg height="11.5564pt" id="M206" style="vertical-align:-2.26807pt" version="1.1" viewbox="-0.0498162 -9.28833 35.1441 11.5564" width="35.1441pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M293 -169V-141C218 -131 209 -90 209 -44C209 19 222 85 222 152C222 207 198 255 139 269V273C199 286 222 334 222 388C222 454 209 523 209 588C209 632 218 671 293 681V709C234 709 148 695 148 577C147 513 155 438 155 372C155 337 152 291 64 285V256C152 250 155 204 155 169C156 105 148 31 148 -41C148 -157 234 -169 293 -169Z" id="g113-124"></path></g><g transform="matrix(.013,0,0,-0.013,4.511,0)"><path d="M536 404C536 423 520 448 491 448C445 448 398 404 308 283L286 338C255 416 242 448 217 448C182 448 138 402 92 341L111 321C149 368 169 378 178 378C188 378 198 363 214 320L254 212C185 117 138 65 107 65C98 65 85 69 82 75C79 82 73 86 65 86C44 86 23 60 23 39C23 7 44 -12 71 -12C119 -12 168 33 265 177L306 61C321 17 347 -12 373 -12C413 -12 465 33 507 96L491 119C459 84 432 60 413 60C395 60 378 92 358 148L321 250C341 279 369 310 389 332C417 363 439 382 456 382C466 382 475 376 481 368C486 361 492 358 496 358C513 358 536 381 536 404Z" id="g113-121"></path></g><g transform="matrix(.013,0,0,-0.013,15.41,0)"><path d="M162 -163V703H101V-163H162Z" id="g113-9"></path></g><g transform="matrix(.013,0,0,-0.013,22.461,0)"><path d="M285 378C315 398 338 416 353 432C373 451 384 474 384 503C384 579 325 635 236 635H235C182 635 136 610 108 579L65 516L85 496C110 533 150 575 205 575C258 575 300 543 300 481C300 407 232 369 141 339L147 310C163 315 188 321 211 321C268 321 338 284 338 192C338 94 288 40 217 40C160 40 119 68 93 91C85 98 77 97 69 91C60 84 47 71 46 58C44 46 48 35 62 22C75 10 116 -12 162 -12C234 -12 424 62 424 224C424 297 373 359 285 376V378Z" id="g113-52"></path></g><g transform="matrix(.013,0,0,-0.013,28.701,0)"><path d="M241 635C89 635 35 457 35 312C35 153 89 -12 240 -12C390 -12 443 166 443 312C443 466 390 635 241 635ZM238 602C329 602 354 454 354 312C354 172 330 22 240 22C152 22 124 173 124 313S148 602 238 602Z" id="g113-49"></path></g></svg> ≤ <i>x</i> ≥ 240<svg height="11.5564pt" id="M207" style="vertical-align:-2.26807pt" version="1.1" viewbox="-0.0498162 -9.28833 4.62754 11.5564" width="4.62754pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M283 255V284C195 290 192 337 192 375C192 436 200 508 200 580C200 696 116 709 54 709V681C127 671 139 634 139 588C138 524 125 452 125 387C125 333 149 286 209 272V268C148 253 125 206 125 151C126 87 139 16 139 -47C139 -92 127 -131 54 -141V-169C115 -169 200 -152 200 -41C200 32 192 104 192 164C192 202 195 249 283 255Z" id="g113-126"></path></g></svg></td><td class="align_center">0.9998</td><td class="align_center">0.8571</td><td class="align_center">1.0</td><td class="align_center">0.0001</td></tr><tr><td class="align_left" colspan="5"><hr/></td></tr><tr><td class="align_left">Threshold C (30, 720)<br/><svg height="11.5564pt" id="M208" style="vertical-align:-2.26807pt" version="1.1" viewbox="-0.0498162 -9.28833 35.1441 11.5564" width="35.1441pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M293 -169V-141C218 -131 209 -90 209 -44C209 19 222 85 222 152C222 207 198 255 139 269V273C199 286 222 334 222 388C222 454 209 523 209 588C209 632 218 671 293 681V709C234 709 148 695 148 577C147 513 155 438 155 372C155 337 152 291 64 285V256C152 250 155 204 155 169C156 105 148 31 148 -41C148 -157 234 -169 293 -169Z" id="g113-124"></path></g><g transform="matrix(.013,0,0,-0.013,4.511,0)"><path d="M536 404C536 423 520 448 491 448C445 448 398 404 308 283L286 338C255 416 242 448 217 448C182 448 138 402 92 341L111 321C149 368 169 378 178 378C188 378 198 363 214 320L254 212C185 117 138 65 107 65C98 65 85 69 82 75C79 82 73 86 65 86C44 86 23 60 23 39C23 7 44 -12 71 -12C119 -12 168 33 265 177L306 61C321 17 347 -12 373 -12C413 -12 465 33 507 96L491 119C459 84 432 60 413 60C395 60 378 92 358 148L321 250C341 279 369 310 389 332C417 363 439 382 456 382C466 382 475 376 481 368C486 361 492 358 496 358C513 358 536 381 536 404Z" id="g113-121"></path></g><g transform="matrix(.013,0,0,-0.013,15.41,0)"><path d="M162 -163V703H101V-163H162Z" id="g113-9"></path></g><g transform="matrix(.013,0,0,-0.013,22.461,0)"><path d="M285 378C315 398 338 416 353 432C373 451 384 474 384 503C384 579 325 635 236 635H235C182 635 136 610 108 579L65 516L85 496C110 533 150 575 205 575C258 575 300 543 300 481C300 407 232 369 141 339L147 310C163 315 188 321 211 321C268 321 338 284 338 192C338 94 288 40 217 40C160 40 119 68 93 91C85 98 77 97 69 91C60 84 47 71 46 58C44 46 48 35 62 22C75 10 116 -12 162 -12C234 -12 424 62 424 224C424 297 373 359 285 376V378Z" id="g113-52"></path></g><g transform="matrix(.013,0,0,-0.013,28.701,0)"><path d="M241 635C89 635 35 457 35 312C35 153 89 -12 240 -12C390 -12 443 166 443 312C443 466 390 635 241 635ZM238 602C329 602 354 454 354 312C354 172 330 22 240 22C152 22 124 173 124 313S148 602 238 602Z" id="g113-49"></path></g></svg> ≤ <i>x</i> ≥ 720<svg height="11.5564pt" id="M209" style="vertical-align:-2.26807pt" version="1.1" viewbox="-0.0498162 -9.28833 4.62754 11.5564" width="4.62754pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M283 255V284C195 290 192 337 192 375C192 436 200 508 200 580C200 696 116 709 54 709V681C127 671 139 634 139 588C138 524 125 452 125 387C125 333 149 286 209 272V268C148 253 125 206 125 151C126 87 139 16 139 -47C139 -92 127 -131 54 -141V-169C115 -169 200 -152 200 -41C200 32 192 104 192 164C192 202 195 249 283 255Z" id="g113-126"></path></g></svg></td><td class="align_center">0.9856</td><td class="align_center">0.0428</td><td class="align_center">1.0</td><td class="align_center">0.0143</td></tr><tr><td class="align_left" colspan="5"><hr/></td></tr><tr><td class="align_left">Threshold D (90, 720)<br/><svg height="11.5564pt" id="M210" style="vertical-align:-2.26807pt" version="1.1" viewbox="-0.0498162 -9.28833 35.1441 11.5564" width="35.1441pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M293 -169V-141C218 -131 209 -90 209 -44C209 19 222 85 222 152C222 207 198 255 139 269V273C199 286 222 334 222 388C222 454 209 523 209 588C209 632 218 671 293 681V709C234 709 148 695 148 577C147 513 155 438 155 372C155 337 152 291 64 285V256C152 250 155 204 155 169C156 105 148 31 148 -41C148 -157 234 -169 293 -169Z" id="g113-124"></path></g><g transform="matrix(.013,0,0,-0.013,4.511,0)"><path d="M536 404C536 423 520 448 491 448C445 448 398 404 308 283L286 338C255 416 242 448 217 448C182 448 138 402 92 341L111 321C149 368 169 378 178 378C188 378 198 363 214 320L254 212C185 117 138 65 107 65C98 65 85 69 82 75C79 82 73 86 65 86C44 86 23 60 23 39C23 7 44 -12 71 -12C119 -12 168 33 265 177L306 61C321 17 347 -12 373 -12C413 -12 465 33 507 96L491 119C459 84 432 60 413 60C395 60 378 92 358 148L321 250C341 279 369 310 389 332C417 363 439 382 456 382C466 382 475 376 481 368C486 361 492 358 496 358C513 358 536 381 536 404Z" id="g113-121"></path></g><g transform="matrix(.013,0,0,-0.013,15.41,0)"><path d="M162 -163V703H101V-163H162Z" id="g113-9"></path></g><g transform="matrix(.013,0,0,-0.013,22.461,0)"><path d="M244 635C114 635 38 519 38 422C38 317 111 240 217 240C236 240 255 244 277 256L345 292C311 140 203 39 59 15L64 -15C89 -15 150 -5 204 17C339 72 440 202 440 386C440 521 368 635 244 635ZM228 602C326 602 352 479 352 390C352 370 351 347 348 324C327 308 293 296 258 296C174 296 124 369 124 458C124 517 152 602 228 602Z" id="g113-58"></path></g><g transform="matrix(.013,0,0,-0.013,28.702,0)"><path d="M241 635C89 635 35 457 35 312C35 153 89 -12 240 -12C390 -12 443 166 443 312C443 466 390 635 241 635ZM238 602C329 602 354 454 354 312C354 172 330 22 240 22C152 22 124 173 124 313S148 602 238 602Z" id="g113-49"></path></g></svg> ≤ <i>x</i> ≥ 720<svg height="11.5564pt" id="M211" style="vertical-align:-2.26807pt" version="1.1" viewbox="-0.0498162 -9.28833 4.62754 11.5564" width="4.62754pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M283 255V284C195 290 192 337 192 375C192 436 200 508 200 580C200 696 116 709 54 709V681C127 671 139 634 139 588C138 524 125 452 125 387C125 333 149 286 209 272V268C148 253 125 206 125 151C126 87 139 16 139 -47C139 -92 127 -131 54 -141V-169C115 -169 200 -152 200 -41C200 32 192 104 192 164C192 202 195 249 283 255Z" id="g113-126"></path></g></svg></td><td class="align_center">0.9854</td><td class="align_center">0.0289</td><td class="align_center">0.6667</td><td class="align_center">0.0143</td></tr><tr><td class="align_left" colspan="5"><hr/></td></tr><tr><td class="align_left">Threshold E (0, ∞)<br/><svg height="11.5564pt" id="M212" style="vertical-align:-2.26807pt" version="1.1" viewbox="-0.0498162 -9.28833 28.8807 11.5564" width="28.8807pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M293 -169V-141C218 -131 209 -90 209 -44C209 19 222 85 222 152C222 207 198 255 139 269V273C199 286 222 334 222 388C222 454 209 523 209 588C209 632 218 671 293 681V709C234 709 148 695 148 577C147 513 155 438 155 372C155 337 152 291 64 285V256C152 250 155 204 155 169C156 105 148 31 148 -41C148 -157 234 -169 293 -169Z" id="g113-124"></path></g><g transform="matrix(.013,0,0,-0.013,4.511,0)"><path d="M536 404C536 423 520 448 491 448C445 448 398 404 308 283L286 338C255 416 242 448 217 448C182 448 138 402 92 341L111 321C149 368 169 378 178 378C188 378 198 363 214 320L254 212C185 117 138 65 107 65C98 65 85 69 82 75C79 82 73 86 65 86C44 86 23 60 23 39C23 7 44 -12 71 -12C119 -12 168 33 265 177L306 61C321 17 347 -12 373 -12C413 -12 465 33 507 96L491 119C459 84 432 60 413 60C395 60 378 92 358 148L321 250C341 279 369 310 389 332C417 363 439 382 456 382C466 382 475 376 481 368C486 361 492 358 496 358C513 358 536 381 536 404Z" id="g113-121"></path></g><g transform="matrix(.013,0,0,-0.013,15.41,0)"><path d="M162 -163V703H101V-163H162Z" id="g113-9"></path></g><g transform="matrix(.013,0,0,-0.013,22.461,0)"><path d="M241 635C89 635 35 457 35 312C35 153 89 -12 240 -12C390 -12 443 166 443 312C443 466 390 635 241 635ZM238 602C329 602 354 454 354 312C354 172 330 22 240 22C152 22 124 173 124 313S148 602 238 602Z" id="g113-49"></path></g></svg> ≤ <i>x</i> ≥ ∞<svg height="11.5564pt" id="M213" style="vertical-align:-2.26807pt" version="1.1" viewbox="-0.0498162 -9.28833 4.62754 11.5564" width="4.62754pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.013,0,0,-0.013,0,0)"><path d="M283 255V284C195 290 192 337 192 375C192 436 200 508 200 580C200 696 116 709 54 709V681C127 671 139 634 139 588C138 524 125 452 125 387C125 333 149 286 209 272V268C148 253 125 206 125 151C126 87 139 16 139 -47C139 -92 127 -131 54 -141V-169C115 -169 200 -152 200 -41C200 32 192 104 192 164C192 202 195 249 283 255Z" id="g113-126"></path></g></svg></td><td class="align_center">0.0006</td><td class="align_center">0.0006</td><td class="align_center">1.0</td><td class="align_center">1.0</td></tr><tr class="table-tr"><td colspan="5"><hr class="tbody-hr"/></td></tr></table></td></tr></table>

<div>Experimental results for C&amp;C channel detection according to the threshold value.</div>

Security and Communication Networks

tab16

Table 16

Table 16: Abnormal Behavior Detection to Identify Infected Systems Using the<i> APChain</i> Algorithm and Behavioral Profiling 

Security and Communication Networks

Abnormal Behavior Detection to Identify Infected Systems Using the APChain Algorithm and Behavioral Profiling

Table 16