Abstract
This paper analyzes User Agent (UA) anomalies within malware HTTP traffic and extracts signatures for malware detection. We observe, within a large set of malware HTTP traffic provided by a local AV company, that almost one malware out of eight uses a suspicious UA header in at least one HTTP request. Such anomalies include typos, information leakage, outdated versions, and attack vectors such as XSS and SQL injection. Nowadays UA anomalies are still manually analyzed, whereas thousands of new malware samples are collected daily. On the other hand, just blacklisting unusual UA strings is not viable because malware developers may use random values or encode variable patterns. This paper automatically classifies UA anomalies and extracts signatures for malware detection. Our approach is implemented on top of network-based detection systems. We extracted signatures from an overall set of 100 thousand malware samples, and we tested these signatures on real-world malware traffic. Experimental results show that our solution detects unknown malware by the time of extracting our signatures.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Symantec: Internet security threat report (istr) - 2011 trends (April 2012)
Falliere, N., Murchu, L.O., Chien, E.: W32.stuxnet dossier. Technical report, Symantec Response Team (2011)
sKyWIper Analysis Team: skywiper (a.k.a. flame a.k.a. flamer): A complex malware for targeted attacks. Technical report, Laboratory of Cryptography and System Security (CrySyS Lab) (May 2012)
Kane, P.O., Sezer, S., McLaughlin, K.: Obfuscation: The hidden malware. IEEE Security & Privacy 9, 41–47 (2011)
Dagon, D., Gu, G., Lee, C.P., Lee, W.: A taxonomy of botnet structures. In: Proceedings of the 23rd Annual Computer Security Applications Conference (2007)
Rajab, M.A., Zarfoss, J., Monrose, F., Terzis, A.: A multifaceted approach to understanding the botnet phenomenon. In: Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement (2006)
Rossow, C., Dietrich, C.J., Bos, H., Cavallaro, L., van Steen, M., Freiling, F.C., Pohlmann, N.: Sandnet: Network traffic analysis of malicious software. In: Workshop on Building Analysis Datasets and Gathering Experience Returns for Security, Salzburg (2011)
Gu, G., Zhang, J., Lee, W.: Botsniffer: Detecting botnet command and control channels in network traffic. In: Proceedings of the 15th Annual Network and Distributed System Security Symposium (2008)
Gu, G., Porras, P., Yegneswaran, V., Fong, M., Lee, W.: Bothunter: Detecting malware infection through ids-driven dialog correlation. In: Proceedings of the 16th USENIX Security Symposium (2007)
Gu, G., Perdisci, R., Zhang, J., Lee, W.: Botminer: Clustering analysis of network traffic for protocol- and structure-independent botnet detection. In: Proceedings of the 17th USENIX Security Symposium (2008)
Perdisci, R., Lee, W., Feamster, N.: Behavioral clustering of http-based malware and signature generation using malicious network traces. In: USENIX Symposium on Networked Systems Design and Implementation (2010)
Wurzinger, P., Bilge, L., Holz, T., Goebel, J., Kruegel, C., Kirda, E.: Automatically Generating Models for Botnet Detection. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 232–249. Springer, Heidelberg (2009)
Perdisci, R., Dagon, D., Lee, W., Fogla, P., Sharif, M.: Misleading worm signature generators using deliberate noise injection. In: Proceedings of the IEEE Symposium on Security and Privacy (SSP) (2006)
abuse.ch: Kelihos back in town using fast flux. Malware & Virus Analysing (March 2012)
Arbor Networks: Anatomy of a botnet - how the arbor security engineering & response team discovers, analyzes and mitigates ddos attacks. White paper
Fielding, R., Irvine, U., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., Berners-Lee, T.: Hypertext transfer protocol. Request for Comments: 2616 (1999)
Manners, D.: The user agent field: Analyzing and detecting the abnormal or malicious in your organization. In: SANS Institute Reading Room Site (2012)
Bailey, M., Oberheide, J., Andersen, J., Mao, Z.M., Jahanian, F., Nazario, J.: Automated Classification and Analysis of Internet Malware. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 178–197. Springer, Heidelberg (2007)
Bayer, U., Comparetti, P.M., Hlauschek, C., Kruegel, C., Kirda, E.: Scalable, behavior-based malware clustering. In: Network and Distributed System System Security Symposium (2009)
Jacob, G., Hund, R., Kruegel, C., Holz, T.: Jackstraws: Picking command and control connections from bot traffic. In: 20th USENIX Security Symposium (2011)
Li, Z., Sanghi, M., Chen, Y., Yang Kao, M., Chavez, B.: Hamsa: fast signature generation for zero-day polymorphic worms with provable attack resilience. In: IEEE Symposium on Security and Privacy (2006)
Yegneswaran, V., Giffin, J.T., Barford, P., Jha, S.: An architecture for generating semantic-aware signatures. In: USENIX Security Symposium (2005)
Newsome, J., Karp, B., Song, D.: Polygraph: Automatically generating signatures for polymorphic worms. In: IEEE Symposium on Security and Privacy (2005)
Spillmann, B., Neuhaus, M., Bunke, H., Pękalska, E.Z., Duin, R.P.W.: Transforming Strings to Vector Spaces Using Prototype Selection. In: Yeung, D.-Y., Kwok, J.T., Fred, A., Roli, F., de Ridder, D. (eds.) SSPR&SPR 2006. LNCS, vol. 4109, pp. 287–296. Springer, Heidelberg (2006)
Bieganski, P., Ned, J., Cadis, J.V.: Generalized suffix trees for biological sequence data: applications and implementation. In: Proceedings of the Twenty-Seventh Hawaii International Conference on System Sciences, vol. 5, pp. 35–44 (1994)
Brumley, D., Hartwig, C., Liang, Z., Newsome, J., Song, D., Yin, H.: Automatically identifying trigger-based behavior in malware. In: Botnet Detection. Springer (2008)
Microsoft: Forefront threat management gateway, http://www.microsoft.com/en-us/server-cloud/forefront/threat-management-gateway.aspx
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Kheir, N. (2013). Analyzing HTTP User Agent Anomalies for Malware Detection. In: Di Pietro, R., Herranz, J., Damiani, E., State, R. (eds) Data Privacy Management and Autonomous Spontaneous Security. DPM SETOP 2012 2012. Lecture Notes in Computer Science, vol 7731. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35890-6_14
Download citation
DOI: https://doi.org/10.1007/978-3-642-35890-6_14
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-35889-0
Online ISBN: 978-3-642-35890-6
eBook Packages: Computer ScienceComputer Science (R0)