Research Article

Abnormal Behavior Detection to Identify Infected Systems Using the APChain Algorithm and Behavioral Profiling

Table 8

Hypothesis for detecting IP-spoofing DDoS botnets.

Hypothesis 3. IP-spoofing DDoS botnet detection

Given an environment:
Let , where t represents the network traffic, and is the traffic currently being analyzed.
Let , where h is a host infected with malicious code.
Let , where d represents a target system for DDoS attack.
HD, the infected host executes a DDoS attack on the target system.
A host infected with an IP-spoofing DDoS botnet receives an attack command from the C&C server and launches a DDoS attack, with the origin (source) IP address of the attacking host modified. At that time, a DDoS attack can be suspected if the host sends large amounts of traffic to the destination system. In addition, a host can be classified as an IP-spoofing DDoS botnet if it presents different origin IP addresses but the same MAC address.
Therefore, the set (G) consists of hosts that perform IP-spoofing DDoS attacks.
G = {H1D1, H2D2, …, HnDn}
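The two-stage rule in Hypothesis 3 (first a traffic-volume threshold per host and destination, then the "many origin IPs, one MAC" check) can be run over flow records from a local network segment. The following is an added example, not code from the paper; the flow records, the MAC and IP values, the byte threshold and the function names are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (not from the paper). Each tuple is
# (source MAC, origin IP, destination IP, bytes sent in the observation window).
SAMPLE_FLOWS = [
    # One NIC sending heavy traffic to a single target under three different origin IPs
    ("aa:bb:cc:00:00:01", "10.0.0.5",      "203.0.113.10", 50_000_000),
    ("aa:bb:cc:00:00:01", "198.51.100.7",  "203.0.113.10", 48_000_000),
    ("aa:bb:cc:00:00:01", "192.0.2.99",    "203.0.113.10", 52_000_000),
    # Heavy traffic to the same target, but a single consistent origin IP
    ("aa:bb:cc:00:00:02", "10.0.0.6",      "203.0.113.10", 40_000_000),
    # Ordinary low-volume host
    ("aa:bb:cc:00:00:03", "10.0.0.7",      "203.0.113.20", 1_000),
    ("aa:bb:cc:00:00:03", "10.0.0.7",      "203.0.113.21", 2_000),
]

# Assumed threshold: bytes per window from one host (MAC) to one destination.
VOLUME_THRESHOLD = 10_000_000


def classify_hosts(flows, volume_threshold=VOLUME_THRESHOLD):
    """Apply Hypothesis 3 to a list of flow records.

    Returns {mac: {"verdict": ..., "destinations": set, "origin_ips": set}}
    for every host that exceeds the volume threshold. The verdict is
    "ip-spoofing-ddos-botnet" when that host was also seen with more than
    one origin IP address, otherwise "suspected-ddos".
    """
    bytes_to_dst = defaultdict(int)   # (mac, dst_ip) -> total bytes
    ips_by_mac = defaultdict(set)     # mac -> set of origin IPs observed
    for mac, origin_ip, dst_ip, nbytes in flows:
        bytes_to_dst[(mac, dst_ip)] += nbytes
        ips_by_mac[mac].add(origin_ip)

    # Stage 1: large amounts of traffic from one host to one destination (H -> D)
    heavy_targets = defaultdict(set)  # mac -> destinations above threshold
    for (mac, dst_ip), total in bytes_to_dst.items():
        if total >= volume_threshold:
            heavy_targets[mac].add(dst_ip)

    # Stage 2: the same MAC appearing with different origin IP addresses
    verdicts = {}
    for mac, dsts in heavy_targets.items():
        spoofing = len(ips_by_mac[mac]) > 1
        verdicts[mac] = {
            "verdict": "ip-spoofing-ddos-botnet" if spoofing else "suspected-ddos",
            "destinations": dsts,
            "origin_ips": set(ips_by_mac[mac]),
        }
    return verdicts


def spoofing_host_set(flows, volume_threshold=VOLUME_THRESHOLD):
    """The set G from the table: hosts (by MAC) classified as IP-spoofing DDoS attackers."""
    return {
        mac for mac, info in classify_hosts(flows, volume_threshold).items()
        if info["verdict"] == "ip-spoofing-ddos-botnet"
    }


if __name__ == "__main__":
    for mac, info in classify_hosts(SAMPLE_FLOWS).items():
        print(mac, info["verdict"], sorted(info["origin_ips"]), sorted(info["destinations"]))
    print("G =", sorted(spoofing_host_set(SAMPLE_FLOWS)))
```

Two practical caveats follow from the rule itself. The MAC check only works where the infected host's own layer-2 address is visible, i.e. on the local segment or at the first-hop switch, because MAC addresses are rewritten at every routed hop; and a NIC that legitimately carries several IP addresses (aliases, a DHCP renewal inside the window, a virtualization host bridging guests) will also show "different origin IPs, same MAC", so the volume stage and an allow-list of known multi-homed hosts are needed to keep the false-positive rate down.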