TY - JOUR
T1 - Detecting malicious activities with user-agent-based profiles
AU - Zhang, Yang
AU - Mekky, Hesham
AU - Zhang, Zhi Li
AU - Torres, Ruben
AU - Lee, Sung Ju
AU - Tongaonkar, Alok
AU - Mellia, Marco
N1 - Publisher Copyright:
Copyright © 2015 John Wiley & Sons, Ltd.
PY - 2015/9/1
Y1 - 2015/9/1
N2 - Hypertext transfer protocol (HTTP) has become the main protocol to carry out malicious activities. Attackers typically use HTTP for communication with command-and-control servers, click fraud, phishing and other malicious activities, as they can easily hide among the large amount of benign HTTP traffic. The user-agent (UA) field in the HTTP header carries information on the application, operating system (OS), device, and so on, and adversaries fake UA strings as a way to evade detection. Motivated by this, we propose a novel grammar-guided UA string classification method in HTTP flows. We leverage the fact that a number of 'standard' applications, such as web browsers and iOS mobile apps, have well-defined syntaxes that can be specified using context-free grammars, and we extract OS, device and other relevant information from them. We develop association heuristics to classify UA strings that are generated by 'non-standard' applications that do not contain OS or device information. We provide a proof-of-concept system that demonstrates how our approach can be used to identify malicious applications that generate fake UA strings to engage in fraudulent activities.
UR - http://www.scopus.com/inward/record.url?scp=84941176313&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84941176313&partnerID=8YFLogxK
U2 - 10.1002/nem.1900
DO - 10.1002/nem.1900
M3 - Article
AN - SCOPUS:84941176313
SN - 1055-7148
VL - 25
SP - 306
EP - 319
JO - International Journal of Network Management
JF - International Journal of Network Management
IS - 5
ER -
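The following is an added example, not code from the paper or its authors. It sketches in Python the pipeline the abstract describes: a recursive-descent parser for the User-Agent grammar (simplified from the RFC 7231 product/comment syntax), extraction of OS and device from the parenthesised comments of 'standard' browser UAs, a 'non-standard' label for UAs that name no OS, and two constructed checks that stand in for the paper's detection logic rather than reproduce it: a template check that compares a standard UA's structure with the OS it claims, and a per-host association step that attributes OS-less UAs to the OS of the same host's standard UAs and flags hosts whose flows claim several OSes. The OS patterns, browser templates, host rule and sample flows are all assumptions made for this example.

```python
"""Toy grammar-guided User-Agent classifier (added example, not the paper's code)."""
import re
from collections import Counter, defaultdict

# Simplified from RFC 7231: User-Agent = product *(RWS (product / comment)),
# product = token ["/" token], comment = "(" *(ctext / comment) ")".
TOKEN_RE = re.compile(r"[!#$%&'*+.^_`|~0-9A-Za-z-]+")
# (os, pattern on the comment text, pattern whose group 1 is the device, or None).
# iOS precedes macOS because iOS comments also say "like Mac OS X". Constructed rules.
OS_RULES = [
    ("iOS", r"CPU (?:iPhone )?OS \d+_\d+ like Mac OS X", r"\b(iPhone|iPad|iPod)\b"),
    ("Android", r"\bAndroid \d", r"Android [\d.]+; ([^;)]+?)(?: Build/|;|$)"),
    ("Windows", r"\bWindows NT \d", None),
    ("macOS", r"\bMac OS X \d", None),
]

class UAGrammarError(ValueError):
    """The UA string violates the product/comment grammar."""

def parse_ua(ua):
    """Return (products, comments); products are (name, version-or-None) pairs."""
    products, comments, i, n = [], [], 0, len(ua)
    while i < n:
        if ua[i] == " ":
            i += 1
        elif ua[i] == "(":  # comment; may nest
            depth, j = 1, i + 1
            while j < n and depth:
                depth += 1 if ua[j] == "(" else -1 if ua[j] == ")" else 0
                j += 1
            if depth:
                raise UAGrammarError("unbalanced comment at offset %d" % i)
            comments.append(ua[i + 1:j - 1])
            i = j
        else:  # product = token ["/" token]
            m = TOKEN_RE.match(ua, i)
            if not m:
                raise UAGrammarError("unexpected %r at offset %d" % (ua[i], i))
            name, i, version = m.group(0), m.end(), None
            m = TOKEN_RE.match(ua, i + 1) if ua[i:i + 1] == "/" else None
            if m:  # a bare "/" stays in place and is rejected on the next pass
                version, i = m.group(0), m.end()
            products.append((name, version))
    if not products:
        raise UAGrammarError("no product token")
    return products, comments

def extract_os_device(comments):
    """(os, device) from the parenthesised comments; (None, None) if no OS is named."""
    text = "; ".join(comments)
    for os_name, os_rx, dev_rx in OS_RULES:
        if re.search(os_rx, text):
            m = re.search(dev_rx, text) if dev_rx else None
            return os_name, (m.group(1).strip() if m else None)
    return None, None

def classify(ua):
    """Label one UA: malformed, non-standard (no OS named) or standard (+ template issues)."""
    try:
        products, comments = parse_ua(ua)
    except UAGrammarError as e:
        return {"kind": "malformed", "os": None, "device": None, "issues": [str(e)]}
    os_name, device = extract_os_device(comments)
    if os_name is None:
        return {"kind": "non-standard", "os": None, "device": None, "issues": [], "app": products[0][0]}
    # Template check: structural facts about real iOS browsers that fakes often miss.
    names, issues = [name for name, _ in products], []
    if os_name == "iOS" and "Mobile" not in names:
        issues.append("iOS claimed but no Mobile token")
    if os_name == "iOS" and "Chrome" in names:
        issues.append("Chrome on iOS identifies itself as CriOS, not Chrome")
    return {"kind": "standard", "os": os_name, "device": device, "issues": issues}

def profile_hosts(flows):
    """flows = (client_ip, ua) pairs. Per host: dominant OS, OS attributed to OS-less apps, alerts."""
    hosts = defaultdict(lambda: {"votes": Counter(), "nonstd": [], "alerts": []})
    for ip, ua in flows:
        c, h = classify(ua), hosts[ip]
        if c["kind"] == "standard":
            h["votes"][c["os"]] += 1
        elif c["kind"] == "non-standard":
            h["nonstd"].append(c["app"])
        h["alerts"] += ["%s: %.40s" % (issue, ua) for issue in c["issues"]]
    out = {}
    for ip, h in hosts.items():
        dominant = h["votes"].most_common(1)[0][0] if h["votes"] else None
        if len(h["votes"]) > 1:  # one host, several claimed OSes
            h["alerts"].append("conflicting OS claims: %s" % sorted(h["votes"]))
        # Association heuristic (assumed): OS-less apps inherit the host's dominant OS.
        out[ip] = {"os": dominant, "alerts": h["alerts"],
                   "attributed": {app: dominant for app in h["nonstd"]}}
    return out

SAMPLE_FLOWS = [  # constructed for this example, not captured traffic
    ("10.0.0.5", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36"),
    ("10.0.0.5", "Mozilla/5.0 (iPhone; CPU iPhone OS 14_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Chrome/90.0 Safari/604.1"),
    ("10.0.0.7", "Mozilla/5.0 (Linux; Android 11; Pixel 5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.120 Mobile Safari/537.36"),
    ("10.0.0.7", "okhttp/4.9.0"),
    ("10.0.0.9", "Mozilla/5.0 (Windows NT 6.1; WOW64 AppleWebKit/537.36"),
]
```

Calling profile_hosts(SAMPLE_FLOWS) gives, for 10.0.0.5, two template alerts on the iPhone-claiming UA (no Mobile token, Chrome rather than CriOS) plus a conflicting-OS alert, because the same host also sent a Windows Chrome UA; for 10.0.0.7 it attributes okhttp to Android; for 10.0.0.9 the unbalanced comment is reported as malformed. A real deployment would need far richer templates and a more tolerant parser, since many legitimate UAs do not follow the RFC grammar to the letter, and the paper's own grammars and association heuristics are not reproduced here.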