||More recently, the problems of targeted attack have been the major subject of study in the fields of network attack research due to the increase of network usage. In the past few years, study in network attacks analysis has shifted its focus from random attack to targeted attack, such as DDoS, APT, and Ransomware. The features of targeted attack are probing the vulnerable hosts of targeted enterprises for a long-term period, entice someone by several methods such as social network, malicious websites, C&C then execute attack behaviors such as intrusion of important system by malware to paralyze the service or steal secret data.|
Computers are becoming a part of our everyday life, thus the internet data are becoming larger day by day, which makes administering such gigantic data a challenging task. It is becoming more difficult to analyze the malicious behaviors in a long-term period. Accordingly, this study associated multiple data source to assemble gigantic log data before filtering malicious features to recognize the behavior module when hackers attack the vulnerable systems. First by extracting the correct feature sets by two-stage feature reduction. The first stage, rough set theory is utilized to extract the critical characteristics to find out the feature sets of targeted attacks. The second stage, the chi-square test is employed to confirm the applicable to judge the targeted attack. Then, risk values of each stage are calculated to early alert the administrator to estimate the hazardous IP address. The experiment shows that two-stage feature reduction improves the effect of filtering to enhance the detection rate. By accurately measuring risk for enterprise networks, our system allows network defenders to discover the most critical threats and select the most effective countermeasure.