Abnormal Behavior Detection to Identify Infected Systems through an APChain and Behavioral Profiling
- Subject (keywords): abnormal behavior, C&C, pharming, DDoS
- Issuing institution: 고려대학교 정보보호대학원 (Korea University Graduate School of Information Security)
- Advisor: 이상진 (Sangjin Lee)
- Year of publication: 2018
- Degree conferral date: 2018. 8
- Type: Text
- Degree: Doctoral
- Department: Department of Information Security, Graduate School of Information Security
- Pages: 118 p
- URI: http://www.dcollection.net/handler/korea/000000081794
- UCI: I804:11009-000000081794
- DOI: 10.23186/korea.000000081794.11009.0000820
- Language: English
- Submission original: 000045953537
Abstract
Recent cyber-attacks have used unknown malicious code or advanced attack techniques such as zero-day attacks, making them extremely difficult to detect with traditional intrusion detection systems. Botnet attacks, for example, are a very sophisticated type of cyber-security threat. Malicious code or vulnerabilities are used to infect endpoints. Systems infected with this malicious code establish a communication channel with a command and control (C&C) server and receive commands to perform attacks on target servers. To effectively protect a corporate network's resources against such threats, we must be able to detect infected systems before an attack occurs. In this paper, an attack pattern chain algorithm (APChain) is proposed to identify infected systems in real-time network environments, and a methodology for detecting abnormal behavior through network-based behavioral profiling is explained. APChain analyzes the attribute information of network traffic, connects chains over time, and conducts behavioral profiling of different attack types to detect abnormal behavior. The dataset used in the experiment consisted of network traffic accumulated over a period of six months, and the proposed algorithm was developed into a prototype for the experiment. The C&C channel detection accuracy was measured at 0.996, the true positive rate at 1.0, and the false positive rate at 0.003. This study proposes a methodology that can overcome the limitations of conventional security mechanisms and suggests an approach to the detection of abnormal behavior in a real-time network environment.
Contents
1 Introduction 1
1.1 Motivation and Contributions 3
1.2 Composition of thesis 4
2 Related Work 6
2.1 Command and Control (C&C) channel 8
2.1.1 Division of C&C channels 8
2.1.2 Technologies used in C&C channel 10
2.1.3 Feature extraction for C&C channel detection 11
2.1.4 Previous work on C&C channel detection 15
2.2 Pharming 18
2.2.1 Procedures of pharming attack 18
2.2.2 Techniques of pharming attack 19
2.2.3 Previous work on pharming attack 19
2.3 IP-spoofing DDoS botnet 21
2.3.1 Techniques of DDoS attack 21
2.3.2 Previous work on DDoS attack 23
3 System Overview 25
3.1 Attack pattern chain algorithm (APChain) 26
3.1.1 Flow attributes 26
3.1.2 Feature extraction for creation APChain 27
3.1.3 Traffic correlation using APChain 31
3.2 Behavioral Profiling 33
3.3 Elimination of whitelist-based false positives 35
3.4 Characteristics of C&C channels and their detection method 37
3.4.1 Characteristics of C&C channels 37
3.4.2 C&C channel detection method 37
3.5 Characteristics of pharming 39
3.6 Characteristics of IP-spoofing DDoS botnets 41
4 System Model 43
4.1 Collection of network traffic 43
4.2 Extraction of the attribute information 43
4.3 Attack Pattern Chain (APChain) creation 44
4.4 Abnormal behavior detection using behavioral profiling 45
4.4.1 C&C channel detection [Case study A] 45
4.4.2 Pharming attack detection [Case study B] 50
4.4.3 IP-spoofing DDoS botnet detection [Case study C] 53
5 Experimental Evaluation 57
5.1 Experimental environment and performance 58
5.2 Test dataset 58
5.3 APChain creation 61
5.4 Performance evaluation 62
5.4.1 C&C channel detection [Case study A] 62
5.4.2 Pharming attack detection [Case study B] 67
5.4.3 IP-spoofing DDoS botnet detection [Case study C] 70
5.5 Performance capacity 72
5.6 Performance comparison with existing research 74
6 Conclusion 77
A The behavior model of network traffic using APChain 90
B APChain implementation 93
C Behavioral profiling (C&C channel detection) implementation 99
D Behavioral profiling (Pharming) implementation 101
E Behavioral profiling (IP-spoofing DDoS botnet) implementation 105