Research Article
Characterizing Anomalies in Malware-Generated HTTP Traffic
Table 12
Top 10 headers present in requests (malicious traffic) sorted by % of all categories where they appeared.
Cell values: percentage of requests in category.

| Category | “Host” | “User-Agent” | “Connection” | “Accept” | “Accept-Encoding” | “Cache-Control” | “Content-Length” | “Content-Type” | “Accept-Language” | “Cookie” |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Backdoor | 100.00 | 100.00 | 45.45 | 45.45 | 27.27 | 54.55 | 45.45 | 54.55 | 27.27 | 9.09 |
| Banker | 100.00 | 73.60 | 75.20 | 13.60 | 1.60 | 77.60 | 60.80 | 19.20 | 4.80 | 4.80 |
| Bruteforce | 100.00 | 100.00 | 87.50 | 100.00 | 12.50 | 0.00 | 87.50 | 87.50 | 0.00 | 25.00 |
| Clicker | 100.00 | 100.00 | 30.77 | 7.69 | 7.69 | 46.15 | 61.54 | 46.15 | 0.00 | 0.00 |
| DDoS | 100.00 | 83.33 | 87.50 | 0.00 | 0.00 | 8.33 | 4.17 | 4.17 | 0.00 | 0.00 |
| Downloader | 100.00 | 90.30 | 75.37 | 55.22 | 32.84 | 44.03 | 36.57 | 30.60 | 20.15 | 0.75 |
| Downloader/JS | 100.00 | 83.33 | 100.00 | 83.33 | 83.33 | 0.00 | 0.00 | 0.00 | 8.33 | 0.00 |
| IP check | 100.00 | 67.86 | 75.00 | 32.14 | 28.57 | 14.29 | 0.00 | 0.00 | 28.57 | 7.14 |
| Keylogger | 100.00 | 66.67 | 0.00 | 0.00 | 0.00 | 16.67 | 66.67 | 66.67 | 0.00 | 0.00 |
| Maldoc | 100.00 | 100.00 | 81.25 | 81.25 | 81.25 | 6.25 | 0.00 | 0.00 | 25.00 | 0.00 |
| Malicious download | 100.00 | 75.00 | 80.00 | 60.00 | 40.00 | 35.00 | 10.00 | 10.00 | 5.00 | 0.00 |
| Miner | 100.00 | 77.78 | 50.00 | 11.11 | 27.78 | 0.00 | 38.89 | 38.89 | 0.00 | 0.00 |
| Other | 100.00 | 75.00 | 62.50 | 12.50 | 12.50 | 12.50 | 12.50 | 25.00 | 12.50 | 12.50 |
| PUA/Adware | 100.00 | 80.00 | 66.67 | 23.33 | 13.33 | 43.33 | 40.00 | 33.33 | 0.00 | 3.33 |
| Ransomware | 100.00 | 80.00 | 71.76 | 62.35 | 47.06 | 70.59 | 77.65 | 71.76 | 42.35 | 1.18 |
| RAT | 100.00 | 88.89 | 55.56 | 22.22 | 22.22 | 33.33 | 44.44 | 44.44 | 0.00 | 11.11 |
| Spambot | 100.00 | 70.00 | 45.00 | 5.00 | 5.00 | 40.00 | 75.00 | 35.00 | 5.00 | 0.00 |
| Stealer | 100.00 | 57.78 | 86.67 | 35.56 | 13.33 | 11.11 | 66.67 | 68.89 | 26.67 | 0.00 |
| Trojan | 100.00 | 90.60 | 74.36 | 47.86 | 12.82 | 53.85 | 52.14 | 35.90 | 9.40 | 2.56 |
| UA problem | 96.15 | 92.31 | 80.77 | 11.54 | 15.38 | 19.23 | 11.54 | 11.54 | 0.00 | 7.69 |

Note. The header was present in all requests of a particular request group in the malware category.