|
| Algorithm 1. Behavioral Profiling |
|
| Input: Result of Function APChain (T): where T is a collection of network traffic. |
| Output: Results of abnormal behavior |
| Function Behavioral_Profiling (T): |
| , where h is the host infected |
| by malware |
| , where d represents destination servers |
| RRATD field value of APChain |
| CCNTI field value of APChain |
| AACTTI field value of APChain |
| SSCTTI field value of APChain |
| while (not stop condition) do |
| if Abnormal_Behavior C&C then |
| , where m is the C&C server |
| /the host attempts to connect to the C&C server/ |
|
|
| if Abnormal_Behavior (Pharming) then |
| , where m is the fake website |
| /the host connects to the fake website/ |
|
|
|
| if Abnormal_Behavior (DDoS) then |
| , where m is the victim system |
| /the host executes a DDoS attack/ |
|
|
| if Abnormal_Behavior (IP-spoofed DDoS) then |
|
|
|
