BotProfiler: Profiling variability of substrings in HTTP requests to detect malware-infected hosts

Daiki Chiba, Takeshi Yagi, Mitsuaki Akiyama, Kazufumi Aoki, Takeo Hariu, Shigeki Goto

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    9 Citations (Scopus)

    Abstract

    Malware is constantly evolving, which makes it difficult to prevent it from infecting hosts. Many countermeasures against malware infection, such as generating network-based signatures or templates, have been investigated. Such templates are designed to introduce regular expressions to detect polymorphic attacks conducted by attackers. A potential problem with such templates, however, is that they sometimes falsely regard benign communications as malicious, resulting in false positives, due to an inherent aspect of regular expressions. Since the cost of responding to malware infection is quite high, the number of false positives should be kept to a minimum. Therefore, we propose a system to generate templates that cause fewer false positives than a conventional system. We focused on the key idea that malicious infrastructures, such as command and control, tend to be reused instead of created from scratch. The results of implementing our system and validating it using real traffic data indicate that it reduced false positives by up to two-thirds compared to the conventional system and even increased the detection rate of infected hosts.

    Original languageEnglish
    Title of host publicationProceedings - 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015
    PublisherInstitute of Electrical and Electronics Engineers Inc.
    Pages758-765
    Number of pages8
    Volume1
    ISBN (Print)9781467379519
    DOIs
    Publication statusPublished - 2015 Dec 2
    Event14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015 - Helsinki, Finland
    Duration: 2015 Aug 202015 Aug 22

    Other

    Other14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015
    CountryFinland
    CityHelsinki
    Period15/8/2015/8/22

      Fingerprint

    Keywords

    • Command and control
    • Dynamic analysis
    • Malware
    • Template

    ASJC Scopus subject areas

    • Computer Networks and Communications

    Cite this

    Chiba, D., Yagi, T., Akiyama, M., Aoki, K., Hariu, T., & Goto, S. (2015). BotProfiler: Profiling variability of substrings in HTTP requests to detect malware-infected hosts. In Proceedings - 14th IEEE International Conference on Trust, Security and Privacy in Computing and Communications, TrustCom 2015 (Vol. 1, pp. 758-765). [7345352] Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/Trustcom.2015.444