Behavioral classification and detection of malware through HTTP user agent anomalies

Abstract

A high proportion of modern botnets use the HTTP protocol to communicate with their command servers and to perform a wide range of malicious activities. Nonetheless, detection of HTTP botnets is still a real challenge. Botmasters currently implement multiple techniques to hide their activity within the large volume of benign network traffic. On the other hand, although malware HTTP headers include multiple anomalies, few of them are accounted for during detection. This paper analyzes anomalies in the HTTP user agent header field within malware traffic. It presents a taxonomy of malware user agent anomalies and uses this taxonomy to propose an appropriate detection mechanism. We observe, within a large set of malware HTTP traffic, that almost one malware sample in eight uses a suspicious user agent header in at least one HTTP request. User agent anomalies are still analyzed manually, whereas thousands of new malware samples are collected daily. This paper shows that a deeper analysis of malware user agents can reveal valuable detection patterns. It uses these patterns to automatically classify user agent anomalies and to extract signatures for malware detection. Our experimental results show that this solution provides a new mechanism that detects malware which was still unknown at the time the signatures were built, while also maintaining a very low false-positive rate. © 2013 Elsevier Ltd. All rights reserved.

Author-supplied keywords

  • Clustering
  • HTTP user agents
  • Malware detection
  • Signatures

Authors

  • Nizar Kheir