Abnormal Behavior Detection to Identify Infected Systems Using the APChain Algorithm and Behavioral Profiling
Recent cyber-attacks have used unknown malicious code or advanced attack techniques, such as zero-day attacks, making them extremely difficult to detect using traditional intrusion detection systems. Botnet attacks, for example, are a very sophisticated type of cyber-security threat. Malicious code...
Main Authors: | , |
---|---|
Format: | Article |
Language: | English |
Published: |
Hindawi-Wiley
2018-01-01
|
Series: | Security and Communication Networks |
Online Access: | http://dx.doi.org/10.1155/2018/9706706 |
id |
doaj-f7c2e80bf55f40cf90bb8bddfc090c65 |
---|---|
record_format |
Article |
spelling |
doaj-f7c2e80bf55f40cf90bb8bddfc090c652020-11-24T21:56:52ZengHindawi-WileySecurity and Communication Networks1939-01141939-01222018-01-01201810.1155/2018/97067069706706Abnormal Behavior Detection to Identify Infected Systems Using the APChain Algorithm and Behavioral ProfilingJungwoo Seo0Sangjin Lee1Graduate School of Information Security, Korea University, Republic of KoreaGraduate School of Information Security, Korea University, Republic of KoreaRecent cyber-attacks have used unknown malicious code or advanced attack techniques, such as zero-day attacks, making them extremely difficult to detect using traditional intrusion detection systems. Botnet attacks, for example, are a very sophisticated type of cyber-security threat. Malicious code or vulnerabilities are used to infect endpoints. Systems infected with this malicious code connect a communications channel to a command and control (C&C) server and receive commands to perform attacks on target servers. To effectively protect a corporate network’s resources against such threats, we must be able to detect infected systems before an attack occurs. In this paper, an attack pattern chain algorithm (APChain) is proposed to identify infected systems in real-time network environments, and a methodology for detecting abnormal behavior through network-based behavioral profiling is explained. APChain analyzes the attribute information of real-time network traffic, connects chains over time, and conducts behavioral profiling of different attack types to detect abnormal behavior. The dataset used in the experiment employed real-time traffic accumulated over a period of six months, and the proposed algorithm was developed into a prototype for the experiment. The C&C channel detection accuracy was measured at 0.996, the true positive rate at 1.0, and the false positive rate at 0.003. This study proposes a methodology that can overcome the limitations of conventional security mechanisms and suggests an approach to the detection of abnormal behavior in a real-time network environment.http://dx.doi.org/10.1155/2018/9706706 |
collection |
DOAJ |
language |
English |
format |
Article |
sources |
DOAJ |
author |
Jungwoo Seo Sangjin Lee |
spellingShingle |
Jungwoo Seo Sangjin Lee Abnormal Behavior Detection to Identify Infected Systems Using the APChain Algorithm and Behavioral Profiling Security and Communication Networks |
author_facet |
Jungwoo Seo Sangjin Lee |
author_sort |
Jungwoo Seo |
title |
Abnormal Behavior Detection to Identify Infected Systems Using the APChain Algorithm and Behavioral Profiling |
title_short |
Abnormal Behavior Detection to Identify Infected Systems Using the APChain Algorithm and Behavioral Profiling |
title_full |
Abnormal Behavior Detection to Identify Infected Systems Using the APChain Algorithm and Behavioral Profiling |
title_fullStr |
Abnormal Behavior Detection to Identify Infected Systems Using the APChain Algorithm and Behavioral Profiling |
title_full_unstemmed |
Abnormal Behavior Detection to Identify Infected Systems Using the APChain Algorithm and Behavioral Profiling |
title_sort |
abnormal behavior detection to identify infected systems using the apchain algorithm and behavioral profiling |
publisher |
Hindawi-Wiley |
series |
Security and Communication Networks |
issn |
1939-0114 1939-0122 |
publishDate |
2018-01-01 |
description |
Recent cyber-attacks have used unknown malicious code or advanced attack techniques, such as zero-day attacks, making them extremely difficult to detect using traditional intrusion detection systems. Botnet attacks, for example, are a very sophisticated type of cyber-security threat. Malicious code or vulnerabilities are used to infect endpoints. Systems infected with this malicious code connect a communications channel to a command and control (C&C) server and receive commands to perform attacks on target servers. To effectively protect a corporate network’s resources against such threats, we must be able to detect infected systems before an attack occurs. In this paper, an attack pattern chain algorithm (APChain) is proposed to identify infected systems in real-time network environments, and a methodology for detecting abnormal behavior through network-based behavioral profiling is explained. APChain analyzes the attribute information of real-time network traffic, connects chains over time, and conducts behavioral profiling of different attack types to detect abnormal behavior. The dataset used in the experiment employed real-time traffic accumulated over a period of six months, and the proposed algorithm was developed into a prototype for the experiment. The C&C channel detection accuracy was measured at 0.996, the true positive rate at 1.0, and the false positive rate at 0.003. This study proposes a methodology that can overcome the limitations of conventional security mechanisms and suggests an approach to the detection of abnormal behavior in a real-time network environment. |
url |
http://dx.doi.org/10.1155/2018/9706706 |
work_keys_str_mv |
AT jungwooseo abnormalbehaviordetectiontoidentifyinfectedsystemsusingtheapchainalgorithmandbehavioralprofiling AT sangjinlee abnormalbehaviordetectiontoidentifyinfectedsystemsusingtheapchainalgorithmandbehavioralprofiling |
_version_ |
1725856841469001728 |