Research Article

Abnormal Behavior Detection to Identify Infected Systems Using the APChain Algorithm and Behavioral Profiling

Table 20

Proof of the detection of an IP-spoofing DDoS botnet.

Proof 3. IP-spoofing DDoS botnet detection

Given an environment:
, where h is a host infected by malware.
, where s is a web server.
Calculate the accumulated count (ac) whenever the connection cycle from the host to the destination system satisfies condition (x); the traffic is defined as DDoS if the accumulated count satisfies threshold (). If the origin IP address of the host has been forged, the host is detected as part of an IP-spoofing botnet.
if x=true, then
if
However, when a DDoS attack is in progress, the connection cycle is close to 0 and the volume of network traffic is large. Therefore, the accumulated count threshold () is evaluated when the traffic occurrence cycle is equal or close to 0, or when the connection cycle to a particular web server (S) is equal or close to 0. If the accumulated count (ac) then satisfies the threshold, the traffic is categorized as a DDoS attack.
To detect an IP-spoofing DDoS botnet, the set (C) of hosts that share the same MAC address but present different origin IP addresses is categorized as infected with the botnet.
, where h is a host infected with an IP-spoofing DDoS botnet.
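The two-stage check described in this proof (accumulate connections whose connection cycle is close to 0, flag the host as DDoS once the accumulated count reaches the threshold, then flag as IP-spoofing those DDoS hosts whose single MAC address appears with several origin IP addresses) can be run over flow records as follows. This is an added example, not code from the paper; the record layout (timestamp, source MAC, source IP, destination IP), the function names, the `cycle_limit` and `ac_threshold` values, and the traffic itself are all constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records (not data from the paper):
# (timestamp in seconds, origin MAC, origin IP, destination IP).
# The origin host is keyed by MAC, not IP, because a spoofing bot changes its IP.
SERVER = "198.51.100.10"   # web server s (assumed address)


def build_sample_flows():
    """Constructed traffic for three hosts talking to the same web server."""
    flows = []
    # h1: floods s with a new forged origin IP on every connection (IP-spoofing DDoS bot)
    spoofed = ["192.0.2.%d" % i for i in range(1, 11)]
    for i in range(40):
        flows.append((0.001 * i, "aa:aa:aa:00:00:01", spoofed[i % 10], SERVER))
    # h2: floods s from its real address (DDoS bot without spoofing)
    for i in range(40):
        flows.append((0.001 * i, "aa:aa:aa:00:00:02", "10.0.0.2", SERVER))
    # h3: ordinary client, a handful of connections several seconds apart
    for i in range(5):
        flows.append((5.0 * i, "aa:aa:aa:00:00:03", "10.0.0.3", SERVER))
    return flows


def accumulated_counts(flows, cycle_limit):
    """Accumulated count ac per (origin host, destination server).

    Condition x: the connection cycle, i.e. the gap between two consecutive
    connections from the same host to the same server, is at most cycle_limit
    (a value close to 0). Each connection satisfying x increments ac.
    """
    stamps_by_pair = defaultdict(list)
    for ts, mac, _ip, dst in flows:
        stamps_by_pair[(mac, dst)].append(ts)
    ac = {}
    for pair, stamps in stamps_by_pair.items():
        stamps.sort()
        ac[pair] = sum(1 for prev, cur in zip(stamps, stamps[1:])
                       if cur - prev <= cycle_limit)
    return ac


def detect_ddos(flows, cycle_limit, ac_threshold):
    """(host, server) pairs whose accumulated count reaches the threshold."""
    return {pair for pair, count in accumulated_counts(flows, cycle_limit).items()
            if count >= ac_threshold}


def detect_ip_spoofing_botnet(flows, ddos_pairs):
    """Set C: DDoS hosts whose one MAC address appears with more than one origin IP."""
    ddos_macs = {mac for mac, _server in ddos_pairs}
    ips_by_mac = defaultdict(set)
    for _ts, mac, ip, _dst in flows:
        if mac in ddos_macs:
            ips_by_mac[mac].add(ip)
    return {mac for mac, ips in ips_by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    flows = build_sample_flows()
    ddos = detect_ddos(flows, cycle_limit=0.01, ac_threshold=30)
    print("DDoS sources:", sorted(ddos))
    print("IP-spoofing bots (set C):", sorted(detect_ip_spoofing_botnet(flows, ddos)))
```

With these constructed flows, h1 and h2 both reach the threshold and are reported as DDoS sources, but only h1 lands in set C, because h2 keeps one origin IP. Two practical caveats: the accumulated count must be computed over a bounded window in a real sensor, or it grows without limit for any long-lived client; and the MAC address identifies the origin host only on the local segment, since beyond the first router every frame carries the router's MAC, so this grouping works for detecting infected hosts inside one's own network rather than remote attackers.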