Characterizing Anomalies in Malware-Generated HTTP Traffic

<table class="table-group" id="tab4"><tr><td><table class="table"><tr><td class="thead-hr" colspan="1"><hr/></td></tr><tr class="thead"><td class="align_left">Feature name</td></tr><tr><td class="thead-hr" colspan="1"><hr/></td></tr><tr><td class="align_left">HTTP protocol version</td></tr><tr><td class="align_left">Request method</td></tr><tr><td class="align_left">Repetitions of the header (two header fields with the same name)<svg height="10.1524pt" id="M2" style="vertical-align:-0.04990005pt" version="1.1" viewbox="-0.0498162 -10.1025 6.17869 10.1524" width="6.17869pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.0091,0,0,-0.0091,0,-5.741)"><path d="M486 158C486 177 478 202 466 220C413 228 386 236 336 262C386 288 413 297 466 304C478 323 486 347 485 366C470 376 444 381 422 380C389 338 368 319 321 288C323 345 329 372 349 422C339 442 322 461 305 470C289 461 271 442 262 422C281 372 287 345 290 288C243 319 222 338 189 380C167 381 142 376 125 366C125 347 133 322 145 304C198 296 225 288 275 262C225 236 198 227 145 220C133 201 125 177 126 158C141 148 167 143 189 144C222 186 243 205 290 236C288 179 282 152 262 102C272 82 289 63 306 54C322 63 340 82 350 102C330 152 324 179 321 236C368 205 390 186 422 144C444 143 470 148 486 158Z"></path></g></svg></td></tr><tr><td class="align_left">Lack of colon in the header field<svg height="10.1524pt" id="M3" style="vertical-align:-0.04990005pt" version="1.1" viewbox="-0.0498162 -10.1025 6.17869 10.1524" width="6.17869pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.0091,0,0,-0.0091,0,-5.741)"><path d="M486 158C486 177 478 202 466 220C413 228 386 236 336 262C386 288 413 297 466 304C478 323 486 347 485 366C470 376 444 381 422 380C389 338 368 319 321 288C323 345 329 372 349 422C339 442 322 461 305 470C289 461 271 442 262 422C281 372 287 345 290 288C243 319 222 338 189 380C167 381 142 376 125 366C125 347 133 322 145 304C198 296 225 288 275 262C225 236 198 227 145 220C133 201 125 177 126 158C141 148 167 143 189 144C222 186 243 205 290 236C288 179 282 152 262 102C272 82 289 63 306 54C322 63 340 82 350 102C330 152 324 179 321 236C368 205 390 186 422 144C444 143 470 148 486 158Z"></path></g></svg></td></tr><tr><td class="align_left">Number of headers in the request</td></tr><tr><td class="align_left">Frequency of the headers’ occurrence</td></tr><tr><td class="align_left">Misspellings of the header names</td></tr><tr><td class="align_left">Presence of request pipelining<svg height="10.1524pt" id="M4" style="vertical-align:-0.04990005pt" version="1.1" viewbox="-0.0498162 -10.1025 6.17869 10.1524" width="6.17869pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.0091,0,0,-0.0091,0,-5.741)"><path d="M486 158C486 177 478 202 466 220C413 228 386 236 336 262C386 288 413 297 466 304C478 323 486 347 485 366C470 376 444 381 422 380C389 338 368 319 321 288C323 345 329 372 349 422C339 442 322 461 305 470C289 461 271 442 262 422C281 372 287 345 290 288C243 319 222 338 189 380C167 381 142 376 125 366C125 347 133 322 145 304C198 296 225 288 275 262C225 236 198 227 145 220C133 201 125 177 126 158C141 148 167 143 189 144C222 186 243 205 290 236C288 179 282 152 262 102C272 82 289 63 306 54C322 63 340 82 350 102C330 152 324 179 321 236C368 205 390 186 422 144C444 143 470 148 486 158Z"></path></g></svg></td></tr><tr><td class="align_left">TCP destination port in the request</td></tr><tr class="table-tr"><td colspan="1"><hr class="tbody-hr"/></td></tr></table></td></tr><tr class="table-fn"><td><div>Features proposed by the authors of this paper are marked with <svg height="10.1524pt" id="M5" style="vertical-align:-0.04990005pt" version="1.1" viewbox="-0.0498162 -10.1025 6.17869 10.1524" width="6.17869pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.0091,0,0,-0.0091,0,-5.741)"><path d="M486 158C486 177 478 202 466 220C413 228 386 236 336 262C386 288 413 297 466 304C478 323 486 347 485 366C470 376 444 381 422 380C389 338 368 319 321 288C323 345 329 372 349 422C339 442 322 461 305 470C289 461 271 442 262 422C281 372 287 345 290 288C243 319 222 338 189 380C167 381 142 376 125 366C125 347 133 322 145 304C198 296 225 288 275 262C225 236 198 227 145 220C133 201 125 177 126 158C141 148 167 143 189 144C222 186 243 205 290 236C288 179 282 152 262 102C272 82 289 63 306 54C322 63 340 82 350 102C330 152 324 179 321 236C368 205 390 186 422 144C444 143 470 148 486 158Z"></path></g></svg> (an asterisk).<br/></div></td></tr></table>

<div>List of HTTP requests’ structure features.</div>

Security and Communication Networks

tab4

Table 4

Table 4: Characterizing Anomalies in Malware-Generated HTTP Traffic 