Abnormal Behavior Detection to Identify Infected Systems Using the APChain Algorithm and Behavioral Profiling

Recent cyber-attacks have used unknown malicious code or advanced attack techniques, such as zero-day attacks, making them extremely difficult to detect using traditional intrusion detection systems. Botnet attacks, for example, are a very sophisticated type of cyber-security threat. Malicious code or vulnerabilities are used to infect endpoints. Systems infected with this malicious code connect a communications channel to a command and control (C&C) server and receive commands to perform attacks on target servers. To effectively protect a corporate network's resources against such threats, we must be able to detect infected systems before an attack occurs. In this paper, an attack pattern chain algorithm (APChain) is proposed to identify infected systems in real-time network environments, and a methodology for detecting abnormal behavior through network-based behavioral profiling is explained. APChain analyzes the attribute information of real-time network traffic, connects chains over time, and conducts behavioral profiling of different attack types to detect abnormal behavior. The dataset used in the experiment employed real-time traffic accumulated over a period of six months, and the proposed algorithm was developed into a prototype for the experiment. The C&C channel detection accuracy was measured at 0.996, the true positive rate at 1.0, and the false positive rate at 0.003. This study proposes a methodology that can overcome the limitations of conventional security mechanisms and suggests an approach to the detection of abnormal behavior in a real-time network environment.

Bibliographic Details
Main Authors: Jungwoo Seo, Sangjin Lee
Format: Article
Language: English
Published: Hindawi-Wiley 2018-01-01
Series: Security and Communication Networks
Online Access: http://dx.doi.org/10.1155/2018/9706706
id doaj-f7c2e80bf55f40cf90bb8bddfc090c65
record_format Article
spelling doaj-f7c2e80bf55f40cf90bb8bddfc090c65
2020-11-24T21:56:52Z
eng
Hindawi-Wiley
Security and Communication Networks
1939-0114
1939-0122
2018-01-01
2018
10.1155/2018/9706706
9706706
Abnormal Behavior Detection to Identify Infected Systems Using the APChain Algorithm and Behavioral Profiling
Jungwoo Seo (0)
Sangjin Lee (1)
(0) Graduate School of Information Security, Korea University, Republic of Korea
(1) Graduate School of Information Security, Korea University, Republic of Korea
Recent cyber-attacks have used unknown malicious code or advanced attack techniques, such as zero-day attacks, making them extremely difficult to detect using traditional intrusion detection systems. Botnet attacks, for example, are a very sophisticated type of cyber-security threat. Malicious code or vulnerabilities are used to infect endpoints. Systems infected with this malicious code connect a communications channel to a command and control (C&C) server and receive commands to perform attacks on target servers. To effectively protect a corporate network's resources against such threats, we must be able to detect infected systems before an attack occurs. In this paper, an attack pattern chain algorithm (APChain) is proposed to identify infected systems in real-time network environments, and a methodology for detecting abnormal behavior through network-based behavioral profiling is explained. APChain analyzes the attribute information of real-time network traffic, connects chains over time, and conducts behavioral profiling of different attack types to detect abnormal behavior. The dataset used in the experiment employed real-time traffic accumulated over a period of six months, and the proposed algorithm was developed into a prototype for the experiment. The C&C channel detection accuracy was measured at 0.996, the true positive rate at 1.0, and the false positive rate at 0.003. This study proposes a methodology that can overcome the limitations of conventional security mechanisms and suggests an approach to the detection of abnormal behavior in a real-time network environment.
http://dx.doi.org/10.1155/2018/9706706
collection DOAJ
language English
format Article
sources DOAJ
author Jungwoo Seo
Sangjin Lee
spellingShingle Jungwoo Seo
Sangjin Lee
Abnormal Behavior Detection to Identify Infected Systems Using the APChain Algorithm and Behavioral Profiling
Security and Communication Networks
author_facet Jungwoo Seo
Sangjin Lee
author_sort Jungwoo Seo
title Abnormal Behavior Detection to Identify Infected Systems Using the APChain Algorithm and Behavioral Profiling
title_short Abnormal Behavior Detection to Identify Infected Systems Using the APChain Algorithm and Behavioral Profiling
title_full Abnormal Behavior Detection to Identify Infected Systems Using the APChain Algorithm and Behavioral Profiling
title_fullStr Abnormal Behavior Detection to Identify Infected Systems Using the APChain Algorithm and Behavioral Profiling
title_full_unstemmed Abnormal Behavior Detection to Identify Infected Systems Using the APChain Algorithm and Behavioral Profiling
title_sort abnormal behavior detection to identify infected systems using the apchain algorithm and behavioral profiling
publisher Hindawi-Wiley
series Security and Communication Networks
issn 1939-0114
1939-0122
publishDate 2018-01-01
description Recent cyber-attacks have used unknown malicious code or advanced attack techniques, such as zero-day attacks, making them extremely difficult to detect using traditional intrusion detection systems. Botnet attacks, for example, are a very sophisticated type of cyber-security threat. Malicious code or vulnerabilities are used to infect endpoints. Systems infected with this malicious code connect a communications channel to a command and control (C&C) server and receive commands to perform attacks on target servers. To effectively protect a corporate network’s resources against such threats, we must be able to detect infected systems before an attack occurs. In this paper, an attack pattern chain algorithm (APChain) is proposed to identify infected systems in real-time network environments, and a methodology for detecting abnormal behavior through network-based behavioral profiling is explained. APChain analyzes the attribute information of real-time network traffic, connects chains over time, and conducts behavioral profiling of different attack types to detect abnormal behavior. The dataset used in the experiment employed real-time traffic accumulated over a period of six months, and the proposed algorithm was developed into a prototype for the experiment. The C&C channel detection accuracy was measured at 0.996, the true positive rate at 1.0, and the false positive rate at 0.003. This study proposes a methodology that can overcome the limitations of conventional security mechanisms and suggests an approach to the detection of abnormal behavior in a real-time network environment.
url http://dx.doi.org/10.1155/2018/9706706
work_keys_str_mv AT jungwooseo abnormalbehaviordetectiontoidentifyinfectedsystemsusingtheapchainalgorithmandbehavioralprofiling
AT sangjinlee abnormalbehaviordetectiontoidentifyinfectedsystemsusingtheapchainalgorithmandbehavioralprofiling
_version_ 1725856841469001728