Error-Sensor: Mining Information from HTTP Error Traffic for Malware Intelligence Conference Paper

abstract

• Springer Nature Switzerland AG 2018. Malware often encounters network failures when it launches malicious activities, such as connecting to compromised servers that have been already taken down, connecting to malicious servers that are blocked based on access control policies in enterprise networks, or scanning/exploiting vulnerable web pages. To overcome such failures and improve the resilience in light of such failures, malware authors have employed various strategies, e.g., connecting to multiple backup servers or connecting to benign servers for initial network connectivity checks. These network failures and recovery strategies lead to distinguishing traits, which are newly discovered and thoroughly studied in this paper. We note that network failures caused by malware are quite different from the failures caused by benign users/software in terms of their failure patterns and recovery behavior patterns. In this paper, we present the results of the first large-scale measurement study investigating the different network behaviors of both benign user/software and malware in light of HTTP errors. By inspecting over 1 million HTTP logs generated by over 16,000 clients, we identify strong indicators of malicious activities derived from error provenance patterns, error generation patterns, and error recovery patterns. Based on the insights, we design a new system, Error-Sensor, to automatically detect traffic caused by malware from only HTTP errors and their surrounding successful requests. We evaluate Error-Sensor on a large scale of real-world web traces collected in an enterprise network. Error-Sensor achieves a detection rate of 99.79% at a false positive rate of 0.005% to identify HTTP errors generated by malware, and further, spots surreptitious malicious traffic (e.g., malware backup behavior) that was not caught by existing deployed intrusion detection systems.

authors

• Gu, Guofei

published proceedings

• RESEARCH IN ATTACKS, INTRUSIONS, AND DEFENSES, RAID 2018

author list (cited authors)

• Zhang, J., Jang, J., Gu, G., Stoecklin, M. P., & Hu, X.

citation count

• 4

complete list of authors

• Zhang, Jialong||Jang, Jiyong||Gu, Guofei||Stoecklin, Marc Ph||Hu, Xin

publication date

• January 2018

publisher

• Springer Nature  Publisher

published in

• Lecture Notes in Artificial Intelligence  Journal

keywords

• 46 Information And Computing Sciences
• 4604 Cybersecurity And Privacy
• 4605 Data Management And Data Science
• 4606 Distributed Computing And Systems Software

Digital Object Identifier (DOI)

• 10.1007/978-3-030-00470-5_22

International Standard Book Number (ISBN) 13

• 978-3-030-00469-9

start page

• 467

end page

• 489

volume

• 11050

URL

• http://dx.doi.org/10.1007/978-3-030-00470-5_22