Characterizing Anomalies in Malware-Generated HTTP Traffic

<table class="table-group" id="tab18"><tr><td><table class="table"><tr><td class="thead-hr" colspan="1"><hr/></td></tr><tr class="thead"><td class="align_left">Name of the feature</td></tr><tr><td class="thead-hr" colspan="1"><hr/></td></tr><tr><td class="align_left">HTTP/1.0 version of protocol</td></tr><tr><td class="align_left">0–3 headers</td></tr><tr><td class="align_left">High entropy of the payload</td></tr><tr><td class="align_left">Lack of the <i>User-Agent</i> header</td></tr><tr><td class="align_left">Nonstandard value of the <i>User-Agent</i> header</td></tr><tr><td class="align_left">Non-ASCII characters in payload<svg height="10.1524pt" id="M15" style="vertical-align:-0.04990005pt" version="1.1" viewbox="-0.0498162 -10.1025 6.17869 10.1524" width="6.17869pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.0091,0,0,-0.0091,0,-5.741)"><path d="M486 158C486 177 478 202 466 220C413 228 386 236 336 262C386 288 413 297 466 304C478 323 486 347 485 366C470 376 444 381 422 380C389 338 368 319 321 288C323 345 329 372 349 422C339 442 322 461 305 470C289 461 271 442 262 422C281 372 287 345 290 288C243 319 222 338 189 380C167 381 142 376 125 366C125 347 133 322 145 304C198 296 225 288 275 262C225 236 198 227 145 220C133 201 125 177 126 158C141 148 167 143 189 144C222 186 243 205 290 236C288 179 282 152 262 102C272 82 289 63 306 54C322 63 340 82 350 102C330 152 324 179 321 236C368 205 390 186 422 144C444 143 470 148 486 158Z"></path></g></svg></td></tr><tr><td class="align_left">Presence of POST request without the <i>Referer</i> header</td></tr><tr><td class="align_left">Presence of GET request with payload<svg height="10.1524pt" id="M16" style="vertical-align:-0.04990005pt" version="1.1" viewbox="-0.0498162 -10.1025 6.17869 10.1524" width="6.17869pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.0091,0,0,-0.0091,0,-5.741)"><path d="M486 158C486 177 478 202 466 220C413 228 386 236 336 262C386 288 413 297 466 304C478 323 486 347 485 366C470 376 444 381 422 380C389 338 368 319 321 288C323 345 329 372 349 422C339 442 322 461 305 470C289 461 271 442 262 422C281 372 287 345 290 288C243 319 222 338 189 380C167 381 142 376 125 366C125 347 133 322 145 304C198 296 225 288 275 262C225 236 198 227 145 220C133 201 125 177 126 158C141 148 167 143 189 144C222 186 243 205 290 236C288 179 282 152 262 102C272 82 289 63 306 54C322 63 340 82 350 102C330 152 324 179 321 236C368 205 390 186 422 144C444 143 470 148 486 158Z"></path></g></svg></td></tr><tr><td class="align_left"><i>Host</i> header value other than domain<svg height="10.1524pt" id="M17" style="vertical-align:-0.04990005pt" version="1.1" viewbox="-0.0498162 -10.1025 6.17869 10.1524" width="6.17869pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.0091,0,0,-0.0091,0,-5.741)"><path d="M486 158C486 177 478 202 466 220C413 228 386 236 336 262C386 288 413 297 466 304C478 323 486 347 485 366C470 376 444 381 422 380C389 338 368 319 321 288C323 345 329 372 349 422C339 442 322 461 305 470C289 461 271 442 262 422C281 372 287 345 290 288C243 319 222 338 189 380C167 381 142 376 125 366C125 347 133 322 145 304C198 296 225 288 275 262C225 236 198 227 145 220C133 201 125 177 126 158C141 148 167 143 189 144C222 186 243 205 290 236C288 179 282 152 262 102C272 82 289 63 306 54C322 63 340 82 350 102C330 152 324 179 321 236C368 205 390 186 422 144C444 143 470 148 486 158Z"></path></g></svg></td></tr><tr><td class="align_left">Destination port other than 80</td></tr><tr><td class="align_left">Lack of any of <i>Accept</i>, <i>Accept-Encoding</i>, <i>Accept-Language</i>, <i>Referer</i>, <i>Connection</i> headers</td></tr><tr class="table-tr"><td colspan="1"><hr class="tbody-hr"/></td></tr></table></td></tr><tr class="table-fn"><td><div>Features marked with <svg height="10.1524pt" id="M18" style="vertical-align:-0.04990005pt" version="1.1" viewbox="-0.0498162 -10.1025 6.17869 10.1524" width="6.17869pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.0091,0,0,-0.0091,0,-5.741)"><path d="M486 158C486 177 478 202 466 220C413 228 386 236 336 262C386 288 413 297 466 304C478 323 486 347 485 366C470 376 444 381 422 380C389 338 368 319 321 288C323 345 329 372 349 422C339 442 322 461 305 470C289 461 271 442 262 422C281 372 287 345 290 288C243 319 222 338 189 380C167 381 142 376 125 366C125 347 133 322 145 304C198 296 225 288 275 262C225 236 198 227 145 220C133 201 125 177 126 158C141 148 167 143 189 144C222 186 243 205 290 236C288 179 282 152 262 102C272 82 289 63 306 54C322 63 340 82 350 102C330 152 324 179 321 236C368 205 390 186 422 144C444 143 470 148 486 158Z"></path></g></svg> (an asterisk) were proposed originally by the authors at the beginning of this paper.<br/></div></td></tr></table>

<div>Features indicating significant differences between malware and browser traffic.</div>

Security and Communication Networks

Characterizing Anomalies in Malware-Generated HTTP Traffic

Table 18