Research Article

Abnormal Behavior Detection to Identify Infected Systems Using the APChain Algorithm and Behavioral Profiling

Table 17

Proof for the detection of a pharming attack.

Proof 2. Pharming attack detection

Given an environment:
, where h is a host infected by malware.
.
Calculate the accumulated count for connections from the host to the destination system in which the destination has the same IP address but different URLs. If the accumulated count satisfies the threshold (), the activity is defined as a pharming attack.
, then
At this point, if the URL and IP address requested by the hosts connecting to the destination system are different, then this is considered normal service. However, there are some cases where the hosts infected with pharming request different URLs from the server but they have the same IP address.
Therefore, the set (C) consisting of hosts requesting the same IP address but different URLs from the web server can be categorized as being infected with pharming.
, where h is a host infected by pharming
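
The counting rule in this proof can be run over connection records as follows; this is an added example, not code from the article. The record layout, the function names, the use of the number of distinct URLs per (host, destination IP) as the accumulated count, and the `>=` comparison against the threshold are assumptions, and the sample log is constructed.

```python
from collections import defaultdict

# Constructed sample records: (source host, requested URL host, destination IP).
SAMPLE_LOG = [
    ("10.0.0.5", "bank-a.example", "203.0.113.7"),
    ("10.0.0.5", "bank-b.example", "203.0.113.7"),
    ("10.0.0.5", "shop-c.example", "203.0.113.7"),
    ("10.0.0.5", "BANK-A.example.", "203.0.113.7"),  # same URL again, not a new one
    ("10.0.0.8", "bank-a.example", "198.51.100.10"),
    ("10.0.0.8", "bank-b.example", "198.51.100.20"),
    ("10.0.0.8", "shop-c.example", "198.51.100.30"),
    ("10.0.0.9", "cdn1.example", "192.0.2.44"),
    ("10.0.0.9", "cdn2.example", "192.0.2.44"),
]


def accumulate_counts(records):
    """Count the different URLs each host requested per destination IP."""
    urls_seen = defaultdict(set)
    for host, url, dst_ip in records:
        # Normalise case and a trailing dot so one name is not counted twice.
        urls_seen[(host, dst_ip)].add(url.lower().rstrip("."))
    return {key: len(urls) for key, urls in urls_seen.items()}


def pharming_hosts(records, threshold):
    """Return the set C of hosts whose accumulated count reaches the threshold.

    Assumption: "satisfies the threshold" is read as count >= threshold.
    """
    if threshold < 2:
        # A count of 1 is one URL on one IP, which the proof treats as normal service.
        raise ValueError("threshold must be at least 2")
    counts = accumulate_counts(records)
    return {host for (host, _dst_ip), count in counts.items() if count >= threshold}


if __name__ == "__main__":
    for threshold in (2, 3):
        print(threshold, sorted(pharming_hosts(SAMPLE_LOG, threshold)))
```

Host 10.0.0.9 in the sample shows why the threshold matters: two names on one address is also what shared hosting or a CDN looks like, so a threshold of 2 flags it while 3 does not.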