|
Algorithm 1. Behavioral Profiling |
|
Input: Result of Function APChain (T), where T is a collection of network traffic. |
Output: Results of abnormal behavior |
Function Behavioral_Profiling (T): |
, where h is the host infected by malware |
, where d represents destination servers |
RRATD field value of APChain |
CCNTI field value of APChain |
AACTTI field value of APChain |
SSCTTI field value of APChain |
while (not stop condition) do |
if Abnormal_Behavior (C&C) then |
, where m is the C&C server |
/* the host attempts to connect to the C&C server */ |
|
|
if Abnormal_Behavior (Pharming) then |
, where m is the fake website |
/* the host connects to the fake website */ |
|
|
|
if Abnormal_Behavior (DDoS) then |
, where m is the victim system |
/* the host executes a DDoS attack */ |
|
|
if Abnormal_Behavior (IP-spoofed DDoS) then |
|
|
|