Research Article

Abnormal Behavior Detection to Identify Infected Systems Using the APChain Algorithm and Behavioral Profiling

Table 4

The hypothesis for C&C channel detection.

Hypothesis 1. C&C channel detection

Given an environment:
Let , where t represents the network traffic, and is the traffic currently being analyzed.
Let , where h represents a host infected by malicious code.
Let , where s represents a C&C server.
HS, the infected host attempts to connect to the C&C server.
A host infected with a botnet creates a C&C channel in order to communicate periodically with the C&C server. As a result, the frequency with which a host connects to a particular system increases, and if this pattern is repeated often enough, it can be considered unusual traffic. At this point, the host and the C&C server exchange attack commands or updated binary files while repeating the connection requests and responses.
Therefore, the set (G) of C&C channels can be formed by detecting and grouping the requests from hosts connecting to the C&C server.
$G = \{H_1 S_1, H_2 S_2, \ldots, H_n S_n\}$
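The grouping described in Hypothesis 1, as an added example that is not the paper's APChain implementation: host-to-server flow records are grouped per (host, server) pair, and a pair is added to the candidate set G when it repeats often enough and at a regular interval (the connection-count and jitter thresholds, and the flow records themselves, are constructed assumptions for illustration).

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp in seconds, source host, destination server).
# 10.0.0.5 -> 198.51.100.7 repeats roughly every 60 s (a beaconing C&C channel).
# 10.0.0.8 -> 203.0.113.2 is frequent but irregular (ordinary browsing bursts).
# 10.0.0.5 -> 203.0.113.9 is too rare to judge.
FLOWS = [
    (0, "10.0.0.5", "198.51.100.7"), (61, "10.0.0.5", "198.51.100.7"),
    (119, "10.0.0.5", "198.51.100.7"), (181, "10.0.0.5", "198.51.100.7"),
    (240, "10.0.0.5", "198.51.100.7"), (299, "10.0.0.5", "198.51.100.7"),
    (361, "10.0.0.5", "198.51.100.7"), (420, "10.0.0.5", "198.51.100.7"),
    (3, "10.0.0.8", "203.0.113.2"), (5, "10.0.0.8", "203.0.113.2"),
    (90, "10.0.0.8", "203.0.113.2"), (91, "10.0.0.8", "203.0.113.2"),
    (250, "10.0.0.8", "203.0.113.2"), (410, "10.0.0.8", "203.0.113.2"),
    (12, "10.0.0.5", "203.0.113.9"), (13, "10.0.0.5", "203.0.113.9"),
    (200, "10.0.0.5", "203.0.113.9"),
]


def candidate_cc_channels(flows, min_connections=5, max_jitter_cv=0.2):
    """Return G: the (host, server) pairs whose connection requests repeat
    periodically. Thresholds are assumed values, not from the paper."""
    by_pair = defaultdict(list)
    for ts, host, server in flows:
        by_pair[(host, server)].append(ts)

    G = {}
    for (host, server), times in by_pair.items():
        if len(times) < min_connections:      # not repeated often enough
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        # Coefficient of variation of the inter-connection gaps: a low value
        # means the host returns to the same server on a regular schedule.
        jitter_cv = pstdev(gaps) / period if period > 0 else float("inf")
        if jitter_cv <= max_jitter_cv:
            G[(host, server)] = {
                "connections": len(times),
                "period_s": round(period, 1),
                "jitter_cv": round(jitter_cv, 3),
            }
    return G


if __name__ == "__main__":
    for pair, stats in candidate_cc_channels(FLOWS).items():
        print(pair, stats)
```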