A Method Based on Statistical Characteristics for Detection Malware Requests in Network Traffic

2018 IEEE Third International Conference on Data Science in Cyberspace (DSC)(2018)

Citations: 12 | Views: 66

Abstract
Network traffic inspection is an important method for discovering malware that has bypassed security devices through polymorphic techniques or zero-day attacks. However, traditional network signature-based or IoC (Indicator of Compromise) detection can fail, since the encryption and variability of threats have been increasing; these methods are fragile and have difficulty dealing with new variants. This paper proposes a system that detects security threats based on the statistical characteristics of HTTP requests issued by malware. The method does not rely on signatures or on the specific command and control (C&C) content exchanged between bots and the botmaster, and it can be built from easily accessible information extracted from the HTTP data log, namely the HTTP headers and the URL. Results on millions of live traffic flows show correct detection of malicious flows with a precision exceeding 98.32% and a recall of 98.70%. We believe this detector represents the main mechanism for discovering network threats in the future.

Keywords
Malware Detection, Network Traffic, Machine Learning