BotProfiler: Profiling variability of substrings in HTTP requests to detect malware-infected hosts

Daiki Chiba; Takeshi Yagi; Mitsuaki Akiyama; Kazufumi Aoki; Takeo Hariu; Shigeki Goto

doi:10.1109/Trustcom.2015.444

BotProfiler: Profiling variability of substrings in HTTP requests to detect malware-infected hosts

Daiki Chiba, Takeshi Yagi, Mitsuaki Akiyama, Kazufumi Aoki, Takeo Hariu, Shigeki Goto

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

10 Citations (Scopus)

Abstract

Malware is constantly evolving, which makes it difficult to prevent it from infecting hosts. Many countermeasures against malware infection, such as generating network-based signatures or templates, have been investigated. Such templates are designed to introduce regular expressions to detect polymorphic attacks conducted by attackers. A potential problem with such templates, however, is that they sometimes falsely regard benign communications as malicious, resulting in false positives, due to an inherent aspect of regular expressions. Since the cost of responding to malware infection is quite high, the number of false positives should be kept to a minimum. Therefore, we propose a system to generate templates that cause fewer false positives than a conventional system. We focused on the key idea that malicious infrastructures, such as command and control, tend to be reused instead of created from scratch. The results of implementing our system and validating it using real traffic data indicate that it reduced false positives by up to two-thirds compared to the conventional system and even increased the detection rate of infected hosts.

Original language	English
Title of host publication	Proceedings - 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	758-765
Number of pages	8
Volume	1
ISBN (Print)	9781467379519
DOIs	https://doi.org/10.1109/Trustcom.2015.444
Publication status	Published - 2015 Dec 2
Event	14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015 - Helsinki, Finland Duration: 2015 Aug 20 → 2015 Aug 22

Other

Other	14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015
Country/Territory	Finland
City	Helsinki
Period	15/8/20 → 15/8/22

Keywords

Command and control
Dynamic analysis
Malware
Template

ASJC Scopus subject areas

Computer Networks and Communications

Access to Document

10.1109/Trustcom.2015.444

Cite this

Chiba, D., Yagi, T., Akiyama, M., Aoki, K., Hariu, T., & Goto, S. (2015). BotProfiler: Profiling variability of substrings in HTTP requests to detect malware-infected hosts. In Proceedings - 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015 (Vol. 1, pp. 758-765). [7345352] Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/Trustcom.2015.444

BotProfiler : Profiling variability of substrings in HTTP requests to detect malware-infected hosts. / Chiba, Daiki; Yagi, Takeshi; Akiyama, Mitsuaki et al.

Proceedings - 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015. Vol. 1 Institute of Electrical and Electronics Engineers Inc., 2015. p. 758-765 7345352.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Chiba, D, Yagi, T, Akiyama, M, Aoki, K, Hariu, T & Goto, S 2015, BotProfiler: Profiling variability of substrings in HTTP requests to detect malware-infected hosts. in Proceedings - 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015. vol. 1, 7345352, Institute of Electrical and Electronics Engineers Inc., pp. 758-765, 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015, Helsinki, Finland, 15/8/20. https://doi.org/10.1109/Trustcom.2015.444

Chiba D, Yagi T, Akiyama M, Aoki K, Hariu T, Goto S. BotProfiler: Profiling variability of substrings in HTTP requests to detect malware-infected hosts. In Proceedings - 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015. Vol. 1. Institute of Electrical and Electronics Engineers Inc. 2015. p. 758-765. 7345352 doi: 10.1109/Trustcom.2015.444

@inproceedings{86cf9e66a4a9450391a79c4237172daa,

title = "BotProfiler: Profiling variability of substrings in HTTP requests to detect malware-infected hosts",

abstract = "Malware is constantly evolving, which makes it difficult to prevent it from infecting hosts. Many countermeasures against malware infection, such as generating network-based signatures or templates, have been investigated. Such templates are designed to introduce regular expressions to detect polymorphic attacks conducted by attackers. A potential problem with such templates, however, is that they sometimes falsely regard benign communications as malicious, resulting in false positives, due to an inherent aspect of regular expressions. Since the cost of responding to malware infection is quite high, the number of false positives should be kept to a minimum. Therefore, we propose a system to generate templates that cause fewer false positives than a conventional system. We focused on the key idea that malicious infrastructures, such as command and control, tend to be reused instead of created from scratch. The results of implementing our system and validating it using real traffic data indicate that it reduced false positives by up to two-thirds compared to the conventional system and even increased the detection rate of infected hosts.",

keywords = "Command and control, Dynamic analysis, Malware, Template",

author = "Daiki Chiba and Takeshi Yagi and Mitsuaki Akiyama and Kazufumi Aoki and Takeo Hariu and Shigeki Goto",

year = "2015",

month = dec,

day = "2",

doi = "10.1109/Trustcom.2015.444",

language = "English",

isbn = "9781467379519",

volume = "1",

pages = "758--765",

booktitle = "Proceedings - 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

note = "14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015 ; Conference date: 20-08-2015 Through 22-08-2015",

}

TY - GEN

T1 - BotProfiler

T2 - 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015

AU - Chiba, Daiki

AU - Yagi, Takeshi

AU - Akiyama, Mitsuaki

AU - Aoki, Kazufumi

AU - Hariu, Takeo

AU - Goto, Shigeki

PY - 2015/12/2

Y1 - 2015/12/2

N2 - Malware is constantly evolving, which makes it difficult to prevent it from infecting hosts. Many countermeasures against malware infection, such as generating network-based signatures or templates, have been investigated. Such templates are designed to introduce regular expressions to detect polymorphic attacks conducted by attackers. A potential problem with such templates, however, is that they sometimes falsely regard benign communications as malicious, resulting in false positives, due to an inherent aspect of regular expressions. Since the cost of responding to malware infection is quite high, the number of false positives should be kept to a minimum. Therefore, we propose a system to generate templates that cause fewer false positives than a conventional system. We focused on the key idea that malicious infrastructures, such as command and control, tend to be reused instead of created from scratch. The results of implementing our system and validating it using real traffic data indicate that it reduced false positives by up to two-thirds compared to the conventional system and even increased the detection rate of infected hosts.

AB - Malware is constantly evolving, which makes it difficult to prevent it from infecting hosts. Many countermeasures against malware infection, such as generating network-based signatures or templates, have been investigated. Such templates are designed to introduce regular expressions to detect polymorphic attacks conducted by attackers. A potential problem with such templates, however, is that they sometimes falsely regard benign communications as malicious, resulting in false positives, due to an inherent aspect of regular expressions. Since the cost of responding to malware infection is quite high, the number of false positives should be kept to a minimum. Therefore, we propose a system to generate templates that cause fewer false positives than a conventional system. We focused on the key idea that malicious infrastructures, such as command and control, tend to be reused instead of created from scratch. The results of implementing our system and validating it using real traffic data indicate that it reduced false positives by up to two-thirds compared to the conventional system and even increased the detection rate of infected hosts.

KW - Command and control

KW - Dynamic analysis

KW - Malware

KW - Template

UR - http://www.scopus.com/inward/record.url?scp=84966762531&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84966762531&partnerID=8YFLogxK

U2 - 10.1109/Trustcom.2015.444

DO - 10.1109/Trustcom.2015.444

M3 - Conference contribution

AN - SCOPUS:84966762531

SN - 9781467379519

VL - 1

SP - 758

EP - 765

BT - Proceedings - 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 20 August 2015 through 22 August 2015

ER -

BotProfiler: Profiling variability of substrings in HTTP requests to detect malware-infected hosts

Abstract

Other

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this