Research Article
Characterizing Anomalies in Malware-Generated HTTP Traffic
Table 18
Features indicating significant differences between malware and browser traffic.
| Name of the feature |
| --- |
| HTTP/1.0 version of protocol |
| 0–3 headers |
| High entropy of the payload |
| Lack of the User-Agent header |
| Nonstandard value of the User-Agent header |
| Non-ASCII characters in payload |
| Presence of POST request without the Referer header |
| Presence of GET request with payload |
| Host header value other than domain |
| Destination port other than 80 |
| Lack of any of Accept, Accept-Encoding, Accept-Language, Referer, Connection headers |

Features marked with (an asterisk) were proposed originally by the authors at the beginning of this paper.
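
As an added illustration (not code from the paper), the following sketch checks one raw HTTP request against the features in Table 18. The function names, the 7.0 bits-per-byte entropy cut-off, the reading of "nonstandard User-Agent" as a value not starting with `Mozilla/`, and the reading of "lack of any of" as "at least one is absent" are all assumptions, since the table gives no thresholds or definitions.

```python
import ipaddress
import math
from collections import Counter

EXPECTED = ("accept", "accept-encoding", "accept-language", "referer", "connection")
ENTROPY_BITS = 7.0  # assumed cut-off in bits per byte; the table states none

def entropy(data: bytes) -> float:
    """Shannon entropy of the payload in bits per byte (0 when empty)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def host_is_ip(host: str) -> bool:
    """True when the Host value is an IP literal, optionally with a port."""
    host = host.split("]")[0].lstrip("[") if host.startswith("[") else host.split(":")[0]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def table18_features(raw: bytes, dst_port: int) -> set:
    """Return the names of the Table 18 features present in one request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, _, version = lines[0].split(" ", 2)
    hdrs = {k.strip().lower(): v.strip()
            for k, _, v in (l.partition(":") for l in lines[1:] if ":" in l)}
    ua = hdrs.get("user-agent")
    checks = {
        "http_1_0": version == "HTTP/1.0",
        "0_3_headers": len(hdrs) <= 3,
        "high_entropy_payload": entropy(body) >= ENTROPY_BITS,
        "no_user_agent": ua is None,
        # Assumption: browsers send a value beginning with "Mozilla/".
        "nonstandard_user_agent": ua is not None and not ua.startswith("Mozilla/"),
        "non_ascii_payload": any(b > 0x7F for b in body),
        "post_without_referer": method == "POST" and "referer" not in hdrs,
        "get_with_payload": method == "GET" and len(body) > 0,
        "host_not_domain": "host" in hdrs and host_is_ip(hdrs["host"]),
        "port_not_80": dst_port != 80,
        "missing_expected_header": any(h not in hdrs for h in EXPECTED),
    }
    return {name for name, hit in checks.items() if hit}

# Constructed sample request (not taken from the paper's data set).
SAMPLE = (b"POST /gate.php HTTP/1.0\r\nHost: 203.0.113.7:8080\r\n"
          b"Content-Length: 4\r\n\r\n\xde\xad\xbe\xef")
```

Calling `table18_features(SAMPLE, 8080)` returns the set of matched feature names; a count of matches per request can then serve as a simple triage score.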