Abstract

A high proportion of modern botnets use the HTTP protocol to communicate with their command servers and to perform a wide range of malicious activities. Nonetheless, detection of HTTP botnets is still a real challenge. Botmasters currently implement multiple techniques to hide their activity within the large volume of network traffic. On the other hand, although malware HTTP headers include multiple anomalies, few of them are accounted for during detection. This paper analyzes anomalies in the HTTP User-Agent header field within malware traffic. It presents a taxonomy of malware user agent anomalies and uses this taxonomy to propose an appropriate detection mechanism. We observe, within a large set of malware HTTP traffic, that almost one malware sample out of eight uses a suspicious User-Agent header in at least one HTTP request. User agent anomalies are still being analyzed manually, whereas thousands of new malware samples are collected daily. This paper shows that a deeper analysis of malware user agents can reveal valuable detection patterns. It uses these patterns to automatically classify user agent anomalies and to extract signatures for malware detection. Our experimental results show that this solution provides a new mechanism that detects malware that was still unknown at the time the signatures were built, while also maintaining a very low false-positive rate.
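As an added illustration of the approach the abstract describes (example code, not the paper's implementation: the anomaly classes, the list of known product names and the sample traffic are assumptions, not the paper's taxonomy or dataset), the following classifies User-Agent values by anomaly type and derives exact-match signatures from anomalous values that recur across samples:

```python
import re
from collections import defaultdict
# User-Agent grammar from RFC 7231 5.5.3: whitespace-separated products and comments.
_TCHAR = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
_PRODUCT = rf"{_TCHAR}(?:/{_TCHAR})?"
_COMMENT = r"\((?:[^()\\]|\\.|\([^()]*\))*\)"
_UA_RE = re.compile(rf"^(?:{_PRODUCT}|{_COMMENT})(?:\s+(?:{_PRODUCT}|{_COMMENT}))*$")
# Leading product names of common legitimate clients (assumed list, not from the paper).
_KNOWN = ("Mozilla", "Opera", "curl", "Wget", "Python-urllib", "Java")

def _edit_distance(a, b):
    """Levenshtein distance, used to catch near-misses of known product names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_user_agent(ua):
    """Anomaly class for one User-Agent value, 'ok' if none (classes are this example's own)."""
    if not ua or not ua.strip():
        return "empty"
    if not _UA_RE.match(ua):
        return "malformed"  # not a product/comment sequence
    head = ua.split("/", 1)[0].split(" ", 1)[0]  # first product name
    if head in _KNOWN:
        return "ok"
    if any(_edit_distance(head.lower(), k.lower()) <= 2 for k in _KNOWN):
        return "typo"  # case or spelling variant of a known product name
    return "unknown_product"

def extract_signatures(requests, min_samples=2):
    """From (sample_id, user_agent) pairs, return exact-match UA signatures seen in
    >= min_samples distinct samples and the fraction of samples with an anomalous UA."""
    by_ua, flagged, samples = defaultdict(set), set(), set()
    for sid, ua in requests:
        samples.add(sid)
        if classify_user_agent(ua) != "ok":
            flagged.add(sid)
            by_ua[ua].add(sid)
    sigs = {ua: len(s) for ua, s in by_ua.items() if len(s) >= min_samples}
    return sigs, len(flagged) / len(samples)

# Constructed sample traffic, not from the paper's dataset.
SAMPLE_REQUESTS = [
    ("s1", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)"),
    ("s1", "Mozila/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
    ("s2", "Mozila/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
    ("s3", ""),
    ("s4", "curl/7.64.1"),
]
```

Signatures produced this way are exact strings, so they should be reviewed against benign traffic before deployment to keep the false-positive rate low.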
