Detecting Malware-infected Hosts Using Templates of Multiple HTTP Requests

In this paper, we propose a method for detecting malware-infected hosts with a high detection rate and a low false-positive rate, without using any data on benign communication. Based on the observation that many malware-infected hosts generate multiple HTTP requests, we propose a method that uses templates of sets of those HTTP requests. For each piece of malware, the method generates a template that comprises the set of templates of the HTTP requests the malware generates; we call this set of templates a group template. It then detects malware-infected hosts by comparing the set of monitored HTTP requests against the group templates.
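As an added illustration (not code from the paper), the following Python sketches the idea: each observed request becomes a request template, the templates of one piece of malware form its group template, and a host is flagged only when its monitored request set covers every template in a group. The sample requests, hostnames and the generalisation heuristic (wildcarding numbers, hex-looking path segments and query values) are constructed assumptions for this example, not the paper's data or algorithm.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample data: requests ("METHOD URL") seen from two malware
# samples in a sandbox. Hostnames and paths are made up for this example.
MALWARE_REQUESTS = {
    "mal_a": ["GET http://c2-a.example/gate.php?id=1234&ver=2",
              "POST http://c2-a.example/upload/8f3a"],
    "mal_b": ["GET http://cdn-b.example/check?uid=9988",
              "GET http://cdn-b.example/bin/payload_77.dat"],
}

def request_template(request):
    """Generalise one request into a regex: method, host, path skeleton and
    query keys stay literal; digits, hex-looking path segments and all query
    values become wildcards. This heuristic is an assumption of the example,
    not the paper's template-generation algorithm."""
    method, url = request.split(" ", 1)
    u = urlsplit(url)
    segs = []
    for seg in u.path.split("/"):
        if re.fullmatch(r"[0-9a-f]{4,}", seg):      # hex id / hash-like token
            segs.append(r"[0-9a-f]+")
        else:                                       # keep text, wildcard digits
            segs.append(re.sub(r"\d+", r"\\d+", re.escape(seg)))
    query = ""
    if u.query:
        keys = [re.escape(k) for k, _ in parse_qsl(u.query, keep_blank_values=True)]
        query = r"\?" + "&".join(k + r"=[^&]*" for k in keys)
    host = re.escape(u.scheme) + "://" + re.escape(u.netloc)
    return "^" + re.escape(method) + " " + host + "/".join(segs) + query + "$"

def group_template(requests):
    """A group template is the set of request templates one malware generates."""
    return [re.compile(request_template(r)) for r in requests]

def matches_group(group, observed):
    """A host matches a group template only if every template in the group is
    matched by at least one monitored request; one coincidental match alone
    does not flag the host, which keeps false positives down."""
    return all(any(t.match(o) for o in observed) for t in group)

def detect(group_templates, observed):
    """Names of all group templates that the monitored request set matches."""
    return sorted(name for name, g in group_templates.items()
                  if matches_group(g, observed))

GROUP_TEMPLATES = {name: group_template(reqs) for name, reqs in MALWARE_REQUESTS.items()}
```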
