Malware detection using HTTP user-agent discrepancy identification

Martin Grill, M. Rehák
DOI: 10.1109/WIFS.2014.7084331
Published in: 2014 IEEE International Workshop on Information Forensics and Security (WIFS), December 2014
Citations: 28

Abstract

Botnet detection systems that use the Network Behavioral Analysis (NBA) principle struggle with performance and privacy issues on large-scale networks. Because of that, many researchers focus on fast and simple bot detection methods that at the same time use as little information as possible to avoid privacy violations. Furthermore, deep inspection, reverse engineering, clustering and other time-consuming approaches are typically infeasible in large-scale networks. In this paper we present a novel technique that uses the User-Agent field contained in the HTTP header, which can be easily obtained from web proxy logs, to identify malware that uses User-Agents discrepant with the ones actually used by the infected user. We use statistical information about each user's User-Agent usage together with the usage of a particular User-Agent across the whole analyzed network and the typically visited domains. Using those statistics we can identify anomalies, which we proved to be caused by malware-infected hosts in the network. Because of our simple and computationally inexpensive approach, we can inspect data from extremely large networks with minimal computational costs.
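The following is an added illustration of the abstract's idea, not the paper's own code or scoring formula: it builds the three statistics the abstract names (a user's own User-Agent usage, a User-Agent's spread across the network, and the domains contacted with it) from constructed proxy-log tuples, and scores each (user, User-Agent) pair so that a User-Agent that is rare both for that user and across the network stands out, while a rare-per-user but network-wide updater agent does not. The product-of-rarities score and the 0.5 threshold are this example's assumptions.

```python
from collections import Counter, defaultdict

# Constructed proxy-log tuples (user, destination domain, User-Agent); sample
# data made up for this example, not taken from the paper's dataset.
FIREFOX = "Mozilla/5.0 (Windows NT 10.0; rv:120.0) Gecko/20100101 Firefox/120.0"
CHROME = "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 Chrome/120.0 Safari/537.36"
CRYPTOAPI = "Microsoft-CryptoAPI/10.0"  # rare per user, but used network-wide
ODD_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"  # discrepant with alice's browser

LOG = [
    ("alice", "news.example", FIREFOX), ("alice", "mail.example", FIREFOX),
    ("alice", "shop.example", FIREFOX), ("alice", "news.example", FIREFOX),
    ("alice", "wiki.example", FIREFOX), ("alice", "crl.example", CRYPTOAPI),
    ("alice", "cdn-updates.example", ODD_UA),
    ("bob", "news.example", CHROME), ("bob", "mail.example", CHROME),
    ("bob", "wiki.example", CHROME), ("bob", "shop.example", CHROME),
    ("bob", "crl.example", CRYPTOAPI),
    ("carol", "news.example", FIREFOX), ("carol", "wiki.example", FIREFOX),
    ("carol", "mail.example", FIREFOX), ("carol", "shop.example", FIREFOX),
    ("carol", "crl.example", CRYPTOAPI),
]

def build_stats(log):
    """Per-user UA counts, set of users per UA, and domains contacted per UA."""
    per_user = defaultdict(Counter)
    ua_users = defaultdict(set)
    ua_domains = defaultdict(set)
    for user, domain, ua in log:
        per_user[user][ua] += 1
        ua_users[ua].add(user)
        ua_domains[ua].add(domain)
    return per_user, ua_users, ua_domains

def discrepancy_score(user, ua, per_user, ua_users):
    """High when the UA is rare for this user AND rare across the network.
    The product form is this example's assumption, not the paper's formula."""
    user_share = per_user[user][ua] / sum(per_user[user].values())
    network_share = len(ua_users[ua]) / len(per_user)
    return (1 - user_share) * (1 - network_share)

def detect(log, threshold=0.5):
    """Return (user, ua, contacted domains, score) for pairs above threshold."""
    per_user, ua_users, ua_domains = build_stats(log)
    hits = []
    for user, counts in per_user.items():
        for ua in counts:
            s = discrepancy_score(user, ua, per_user, ua_users)
            if s >= threshold:
                hits.append((user, ua, sorted(ua_domains[ua]), round(s, 3)))
    return sorted(hits, key=lambda h: -h[3])
```

On the sample data only alice's MSIE 6.0 request is reported; the CryptoAPI agent, although a single request per user, scores zero because every user in the network sends it.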