
Detecting Malicious Traffic in HTTP Headers


Oct 19, 2011

In the battle against malicious traffic and infected websites, security researchers are always looking for new avenues of detection. According to Trustwave Security Researcher Rodrigo Montoro, one such approach could come from an analysis of HTTP headers to detect potentially malicious traffic.

Speaking at the SecTOR security conference in Toronto, Montoro detailed his approach toward scoring HTTP headers to help identify infected websites. Montoro explained that a signature-based approach can’t scale properly, which is why he set out to find a new way forward.

Every time a Web browser connects to a website over HTTP, the HTTP transaction carries information about the connection in its headers. HTTP header fields include things like the user-agent, content-type and cookie information.

“HTTP is everywhere and malware is using a lot of HTTP traffic,” Montoro said. “The idea is that scoring works and is a simpler way to detect malware.”

According to Montoro, malicious connections tend to do certain things wrong with HTTP. They reuse shared code, and they often have uncommon user-agents or no user-agent at all. Malicious sites often send partial headers that are generally smaller in size than normal browser traffic. Additionally, the use of uncommon header types could be an indicator of malware infection.

His HTTP scoring system assigns a numerical value to each of the suspect HTTP behaviors on that list and adds them up per connection. The higher the score, the more likely it is that a site is infected with some kind of malware.
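The scoring idea in working form, as an added example that is not Montoro's code: each suspect header behavior the article lists adds a weight to a stream's score, and a threshold flags it. The weights, the set of "common" headers, the size cutoff, the threshold and the two sample requests are all assumptions constructed for the example, not values from the talk.

```python
# Toy header scorer in the spirit of the talk (added example, not Montoro's code).
# Weights, the "common" sets and the threshold are assumptions, not talk values.
COMMON_HEADERS = {"host", "user-agent", "accept", "accept-language", "cookie",
                  "accept-encoding", "connection", "referer", "content-type"}
BROWSER_UA_PREFIXES = ("mozilla/", "opera/")
WEIGHTS = {"no_user_agent": 4, "uncommon_user_agent": 2, "few_headers": 2,
           "small_headers": 1, "uncommon_header": 1}

# Constructed sample requests (not captured traffic).
BROWSER_REQUEST = """GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36
Accept: text/html,application/xhtml+xml
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
"""
BOT_REQUEST = """GET /gate.php HTTP/1.1
Host: 203.0.113.7
X-Id: 1f3a
"""

def parse_headers(raw):
    """Parse a raw request's header lines (request line skipped) into a dict."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def score_request(raw):
    """Return (score, reasons); a higher score means more malware-like."""
    headers = parse_headers(raw)
    reasons = []
    ua = headers.get("user-agent")
    if ua is None:
        reasons.append("no_user_agent")
    elif not ua.lower().startswith(BROWSER_UA_PREFIXES):
        reasons.append("uncommon_user_agent")
    if len(headers) < 4:  # partial header set
        reasons.append("few_headers")
    if len(raw.encode()) < 150:  # far smaller than typical browser traffic
        reasons.append("small_headers")
    reasons += [f"uncommon_header:{n}" for n in headers if n not in COMMON_HEADERS]
    score = sum(WEIGHTS[r.split(":", 1)[0]] for r in reasons)
    return score, reasons

def is_suspicious(raw, threshold=4):
    return score_request(raw)[0] >= threshold
```

The returned reasons list is what an analyst would want to review when tuning weights against a false-positive budget like the one the article describes.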

In some preliminary testing against known bad sites, Montoro analyzed 6,127 streams and the scoring system was able to accurately detect 89.1 percent of the sites that were delivering some form of malicious traffic.

Aside from missing just over 10 percent of the malware sites, the system also had a false-positive rate of approximately nine percent. Montoro noted that his goal moving forward is to reduce the false-positive rate to less than two percent.

Currently, the HTTP header scoring system is a project that is not publicly available, though Montoro noted that he hopes to be able to release it as an open source project at some point in the future.

As to where and how the technology fits into the existing security landscape, it could fit into a Web content filtering system or become part of a Web application firewall (WAF). Montoro’s employer Trustwave is the lead commercial sponsor behind the open source mod_security WAF.

“This is just a beginning, and it’s not proof that it works,” Montoro said. “But, based on the initial results, we believe it will work.”

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.


Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

