Security and Communication Networks

Research Article

Characterizing Anomalies in Malware-Generated HTTP Traffic

Top 10 headers present in requests (malicious traffic) sorted by % of all categories where they appeared.


Category	Percentage of requests in category
Category	“Host”	“User-Agent”	“Connection”	“Accept”	“Accept-Encoding”	“Cache-Control”	“Content-Length”	“Content-Type”	“Accept-Language”	“Cookie”

Backdoor	100.00	100.00	45.45	45.45	27.27	54.55	45.45	54.55	27.27	9.09
Banker	100.00	73.60	75.20	13.60	1.60	77.60	60.80	19.20	4.80	4.80
Bruteforce	100.00	100.00	87.50	100.00	12.50	0.00	87.50	87.50	0.00	25.00
Clicker	100.00	100.00	30.77	7.69	7.69	46.15	61.54	46.15	0.00	0.00
DDoS	100.00	83.33	87.50	0.00	0.00	8.33	4.17	4.17	0.00	0.00
Downloader	100.00	90.30	75.37	55.22	32.84	44.03	36.57	30.60	20.15	0.75
Downloader/JS	100.00	83.33	100.00	83.33	83.33	0.00	0.00	0.00	8.33	0.00
IP check	100.00	67.86	75.00	32.14	28.57	14.29	0.00	0.00	28.57	7.14
Keylogger	100.00	66.67	0.00	0.00	0.00	16.67	66.67	66.67	0.00	0.00
Maldoc	100.00	100.00	81.25	81.25	81.25	6.25	0.00	0.00	25.00	0.00
Malicious download	100.00	75.00	80.00	60.00	40.00	35.00	10.00	10.00	5.00	0.00
Miner	100.00	77.78	50.00	11.11	27.78	0.00	38.89	38.89	0.00	0.00
Other	100.00	75.00	62.50	12.50	12.50	12.50	12.50	25.00	12.50	12.50
PUA/Adware	100.00	80.00	66.67	23.33	13.33	43.33	40.00	33.33	0.00	3.33
Ransomware	100.00	80.00	71.76	62.35	47.06	70.59	77.65	71.76	42.35	1.18
RAT	100.00	88.89	55.56	22.22	22.22	33.33	44.44	44.44	0.00	11.11
Spambot	100.00	70.00	45.00	5.00	5.00	40.00	75.00	35.00	5.00	0.00
Stealer	100.00	57.78	86.67	35.56	13.33	11.11	66.67	68.89	26.67	0.00
Trojan	100.00	90.60	74.36	47.86	12.82	53.85	52.14	35.90	9.40	2.56
UA problem	96.15	92.31	80.77	11.54	15.38	19.23	11.54	11.54	0.00	7.69

Note. The header was present in all requests of a particular request group in the malware category.