Automated generation of models for fast and precise detection of HTTP-based malware

Zarras, Apostolis; Papadogiannakis, Antonis; Gawlik, Robert; Holz, Thorsten

doi:10.1109/pst.2014.6890946

Cited by 29 publications

(21 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Xie et al [28] proposed the system called AutoRE which generates regular expression signatures from URL structure to detect botnet-based spam emails and botnet membership. Zallas et al [29] also proposed the idea of generating templates, which are the name-value pairs of the HTTP headers. The generated templates can be used to detect HTTP-based malware.…”

Section: Related Workmentioning

confidence: 99%

Detecting Malware-Infected Devices Using the HTTP Header Patterns

Mizuno

Hatada

Mori

et al. 2018

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

Sho MIZUNO†a) , Nonmember, Mitsuhiro HATADA †, † †b) , Tatsuya MORI †c) , and Shigeki GOTO †d) , Members SUMMARY Damage caused by malware has become a serious problem. The recent rise in the spread of evasive malware has made it difficult to detect it at the pre-infection timing. Malware detection at post-infection timing is a promising approach that fulfills this gap. Given this background, this work aims to identify likely malware-infected devices from the measurement of Internet traffic. The advantage of the traffic-measurementbased approach is that it enables us to monitor a large number of endhosts. If we find an endhost as a source of malicious traffic, the endhost is likely a malware-infected device. Since the majority of malware today makes use of the web as a means to communicate with the C&C servers that reside on the external network, we leverage information recorded in the HTTP headers to discriminate between malicious and benign traffic. To make our approach scalable and robust, we develop the automatic template generation scheme that drastically reduces the amount of information to be kept while achieving the high accuracy of classification; since it does not make use of any domain knowledge, the approach should be robust against changes of malware. We apply several classifiers, which include machine learning algorithms, to the extracted templates and classify traffic into two categories: malicious and benign. Our extensive experiments demonstrate that our approach discriminates between malicious and benign traffic with up to 97.1% precision while maintaining the false positive rate below 1.0%.

show abstract

Section: Related Workmentioning

confidence: 99%

Detecting Malware-Infected Devices Using the HTTP Header Patterns

Mizuno

Hatada

Mori

et al. 2018

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

show abstract

“…Zarras et al [163] introduce BotHound, a detection method for malware communicating over HTTP. The system automatically generates models for benign and malicious requests and classifies new traffic in real-time.…”

Section: Web Traffic Detection and Analysis Systemsmentioning

confidence: 99%

“…This survey identified monitoring and data classification [12,27,121,124,148,156] as well as attack description, profiling and extraction to be a vital part of this stage of ATA identification [41,72,143,156]. Various detection systems spread across all the primary detection domains will help to assemble the picture [28,148,163].…”

Section: Data Provider Selectionmentioning

confidence: 99%

Semantics-aware detection of targeted attacks: a survey

Luh

Marschalek

Kaiser

et al. 2016

J Comput Virol Hack Tech

View full text Add to dashboard Cite

In today's interconnected digital world, targeted attacks have become a serious threat to conventional computer systems and critical infrastructure alike. Many researchers contribute to the fight against network intrusions or malicious software by proposing novel detection systems or analysis methods. However, few of these solutions have a particular focus on Advanced Persistent Threats or similarly sophisticated multi-stage attacks. This turns finding domainappropriate methodologies or developing new approaches into a major research challenge. To overcome these obstacles, we present a structured review of semantics-aware works that have a high potential for contributing to the analysis or detection of targeted attacks. We introduce a detailed literature evaluation schema in addition to a highly granular model for article categorization. Out of 123 identified papers, 60 were found to be relevant in the context of this study. The selected articles are comprehensively reviewed and assessed in accordance to Kitchenham's guidelines for systematic literature reviews. In conclusion, we combine new insights and the status quo of current research into the concept of an ideal systemic approach capable of semantically processing and evaluating information from different observation points.

show abstract

“…We expanded ExecScent to introduce the concept of invariability in substrings in HTTP requests. Zarras et al proposed the BotHound system to focus on the sequence of components in HTTP headers to generate templates [21]. BotProfiler does not use the sequence of HTTP headers, that is, it is a more lightweight system than BotHound.…”

Section: Generating Network-based Signatures or Templatesmentioning

confidence: 99%

BotProfiler: Detecting Malware-Infected Hosts by Profiling Variability of Malicious Infrastructure

Chiba

Yagi

Akiyama

et al. 2016

IEICE Trans. Commun.

View full text Add to dashboard Cite

SUMMARY Ever-evolving malware makes it difficult to prevent it from infecting hosts. Botnets in particular are one of the most serious threats to cyber security, since they consist of a lot of malware-infected hosts. Many countermeasures against malware infection, such as generating networkbased signatures or templates, have been investigated. Such templates are designed to introduce regular expressions to detect polymorphic attacks conducted by attackers. A potential problem with such templates, however, is that they sometimes falsely regard benign communications as malicious, resulting in false positives, due to an inherent aspect of regular expressions. Since the cost of responding to malware infection is quite high, the number of false positives should be kept to a minimum. Therefore, we propose a system to generate templates that cause fewer false positives than a conventional system in order to achieve more accurate detection of malware-infected hosts. We focused on the key idea that malicious infrastructures, such as malware samples or command and control, tend to be reused instead of created from scratch. Our research verifies this idea and proposes here a new system to profile the variability of substrings in HTTP requests, which makes it possible to identify invariable keywords based on the same malicious infrastructures and to generate more accurate templates. The results of implementing our system and validating it using real traffic data indicate that it reduced false positives by up to two-thirds compared to the conventional system and even increased the detection rate of infected hosts.

show abstract

Automated generation of models for fast and precise detection of HTTP-based malware

Cited by 29 publications

References 11 publications

Detecting Malware-Infected Devices Using the HTTP Header Patterns

Detecting Malware-Infected Devices Using the HTTP Header Patterns

Semantics-aware detection of targeted attacks: a survey

BotProfiler: Detecting Malware-Infected Hosts by Profiling Variability of Malicious Infrastructure

Contact Info

Product

Resources

About