Characterizing Anomalies in Malware-Generated HTTP Traffic

<table class="table-group" id="tab5"><tr><td><table class="table"><tr><td class="thead-hr" colspan="1"><hr/></td></tr><tr class="thead"><td class="align_left">Feature name</td></tr><tr><td class="thead-hr" colspan="1"><hr/></td></tr><tr><td class="align_left">First character of the header field is a whitespace</td></tr><tr><td class="align_left">Whitespace before CRLF tag</td></tr><tr><td class="align_left">Space before colon, semicolon, or comma</td></tr><tr><td class="align_left">New line character other than CRLF<svg height="10.1524pt" id="M6" style="vertical-align:-0.04990005pt" version="1.1" viewbox="-0.0498162 -10.1025 6.17869 10.1524" width="6.17869pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.0091,0,0,-0.0091,0,-5.741)"><path d="M486 158C486 177 478 202 466 220C413 228 386 236 336 262C386 288 413 297 466 304C478 323 486 347 485 366C470 376 444 381 422 380C389 338 368 319 321 288C323 345 329 372 349 422C339 442 322 461 305 470C289 461 271 442 262 422C281 372 287 345 290 288C243 319 222 338 189 380C167 381 142 376 125 366C125 347 133 322 145 304C198 296 225 288 275 262C225 236 198 227 145 220C133 201 125 177 126 158C141 148 167 143 189 144C222 186 243 205 290 236C288 179 282 152 262 102C272 82 289 63 306 54C322 63 340 82 350 102C330 152 324 179 321 236C368 205 390 186 422 144C444 143 470 148 486 158Z"></path></g></svg></td></tr><tr><td class="align_left">Double space</td></tr><tr><td class="align_left">Nonstandard whitespace characters in the header field<svg height="10.1524pt" id="M7" style="vertical-align:-0.04990005pt" version="1.1" viewbox="-0.0498162 -10.1025 6.17869 10.1524" width="6.17869pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.0091,0,0,-0.0091,0,-5.741)"><path d="M486 158C486 177 478 202 466 220C413 228 386 236 336 262C386 288 413 297 466 304C478 323 486 347 485 366C470 376 444 381 422 380C389 338 368 319 321 288C323 345 329 372 349 422C339 442 322 461 305 470C289 461 271 442 262 422C281 372 287 345 290 288C243 319 222 338 189 380C167 381 142 376 125 366C125 347 133 322 145 304C198 296 225 288 275 262C225 236 198 227 145 220C133 201 125 177 126 158C141 148 167 143 189 144C222 186 243 205 290 236C288 179 282 152 262 102C272 82 289 63 306 54C322 63 340 82 350 102C330 152 324 179 321 236C368 205 390 186 422 144C444 143 470 148 486 158Z"></path></g></svg></td></tr><tr><td class="align_left">Non-ASCII value in the header<svg height="10.1524pt" id="M8" style="vertical-align:-0.04990005pt" version="1.1" viewbox="-0.0498162 -10.1025 6.17869 10.1524" width="6.17869pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.0091,0,0,-0.0091,0,-5.741)"><path d="M486 158C486 177 478 202 466 220C413 228 386 236 336 262C386 288 413 297 466 304C478 323 486 347 485 366C470 376 444 381 422 380C389 338 368 319 321 288C323 345 329 372 349 422C339 442 322 461 305 470C289 461 271 442 262 422C281 372 287 345 290 288C243 319 222 338 189 380C167 381 142 376 125 366C125 347 133 322 145 304C198 296 225 288 275 262C225 236 198 227 145 220C133 201 125 177 126 158C141 148 167 143 189 144C222 186 243 205 290 236C288 179 282 152 262 102C272 82 289 63 306 54C322 63 340 82 350 102C330 152 324 179 321 236C368 205 390 186 422 144C444 143 470 148 486 158Z"></path></g></svg></td></tr><tr><td class="align_left"><i>Accept-Language</i> header value</td></tr><tr><td class="align_left"><i>Accept-Encoding</i> header value</td></tr><tr><td class="align_left"><i>Connection</i> header value</td></tr><tr><td class="align_left"><i>Host</i> header value<svg height="10.1524pt" id="M9" style="vertical-align:-0.04990005pt" version="1.1" viewbox="-0.0498162 -10.1025 6.17869 10.1524" width="6.17869pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.0091,0,0,-0.0091,0,-5.741)"><path d="M486 158C486 177 478 202 466 220C413 228 386 236 336 262C386 288 413 297 466 304C478 323 486 347 485 366C470 376 444 381 422 380C389 338 368 319 321 288C323 345 329 372 349 422C339 442 322 461 305 470C289 461 271 442 262 422C281 372 287 345 290 288C243 319 222 338 189 380C167 381 142 376 125 366C125 347 133 322 145 304C198 296 225 288 275 262C225 236 198 227 145 220C133 201 125 177 126 158C141 148 167 143 189 144C222 186 243 205 290 236C288 179 282 152 262 102C272 82 289 63 306 54C322 63 340 82 350 102C330 152 324 179 321 236C368 205 390 186 422 144C444 143 470 148 486 158Z"></path></g></svg></td></tr><tr><td class="align_left"><i>User-Agent</i> header value</td></tr><tr class="table-tr"><td colspan="1"><hr class="tbody-hr"/></td></tr></table></td></tr><tr class="table-fn"><td><div>Features proposed by the authors of this paper are marked with <svg height="10.1524pt" id="M10" style="vertical-align:-0.04990005pt" version="1.1" viewbox="-0.0498162 -10.1025 6.17869 10.1524" width="6.17869pt" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"><g transform="matrix(.0091,0,0,-0.0091,0,-5.741)"><path d="M486 158C486 177 478 202 466 220C413 228 386 236 336 262C386 288 413 297 466 304C478 323 486 347 485 366C470 376 444 381 422 380C389 338 368 319 321 288C323 345 329 372 349 422C339 442 322 461 305 470C289 461 271 442 262 422C281 372 287 345 290 288C243 319 222 338 189 380C167 381 142 376 125 366C125 347 133 322 145 304C198 296 225 288 275 262C225 236 198 227 145 220C133 201 125 177 126 158C141 148 167 143 189 144C222 186 243 205 290 236C288 179 282 152 262 102C272 82 289 63 306 54C322 63 340 82 350 102C330 152 324 179 321 236C368 205 390 186 422 144C444 143 470 148 486 158Z"></path></g></svg> (an asterisk).<br/></div></td></tr></table>

<div>List of header field value features.</div>

Security and Communication Networks

tab5

Table 5

Table 5: Characterizing Anomalies in Malware-Generated HTTP Traffic 