Article code: 459041
Journal code: 696223
Year of publication: 2013
English article: 12 pages, PDF
Full-text version: free download
English title of the ISI article
Behavioral classification and detection of malware through HTTP user agent anomalies
Related subjects
Engineering and basic sciences; Computer engineering; Computer networks and communications
English abstract

A high proportion of modern botnets use the HTTP protocol to communicate with their command servers and to perform a wide range of malicious activities. Nonetheless, detection of HTTP botnets is still a real challenge. Botmasters currently implement multiple techniques to hide their activity within the large amount of network traffic. On the other hand, although malware HTTP headers include multiple anomalies, few of them are accounted for during detection. This paper analyzes anomalies in the HTTP user agent header field within malware traffic. It presents a taxonomy of malware user agent anomalies and uses this taxonomy to propose an appropriate detection mechanism. We observe, within a large set of malware HTTP traffic, that almost one malware sample out of eight uses a suspicious user agent header in at least one HTTP request. User agent anomalies are still being analyzed manually, whereas thousands of new malware samples are collected daily. This paper shows that a deeper analysis of malware user agents can reveal valuable detection patterns. It uses these patterns to automatically classify user agent anomalies and to extract signatures for malware detection. Our experimental results show that this solution provides a new mechanism that detects malware still unknown at the time the signatures are built, while also achieving a very low false positive rate.

Publisher
Database: Elsevier - ScienceDirect
Journal: Journal of Information Security and Applications - Volume 18, Issue 1, July 2013, Pages 2–13
Authors