Volume 4 Number 6 (Nov. 2015)
IJCCE 2015 Vol.4(6): 379-389 ISSN: 2010-3743
DOI: 10.17706/IJCCE.2015.4.6.379-389

In-Host Communication Pattern Observed for Suspicious HTTP-Based Auto-Ware Detection

Manh Cong Tran, Yasuhiro Nakamura
Abstract—As a consequence of growing cyber security threats, ordinary users and system administrators are advised to close inbound ports and permit outgoing communication only over selected protocols. Over many decades, the flexibility and interoperability of HTTP have led users to adopt it in a progressively wider range of applications. Therefore, HTTP is always allowed on the network perimeter. HTTP-based applications can be classified into two types of Internet access: passive and active HTTP access applications. A passive application (i.e. a browser) generates requests only on the user's demand, so users can know and control what content they access. In contrast, the active type, called automatic software (auto-ware), accesses its servers completely or partly automatically, without the user's intention. Auto-ware can be a normal application, such as virus definition or operating system updating, but it can also be an abnormal process such as a botnet, worm, virus, spyware, or advertising software (adware). Therefore, auto-ware, in a sense, consumes network bandwidth, and it might become an internal security threat. Detecting suspicious auto-ware and its traffic is challenging because the malicious traffic blends in with legitimate HTTP traffic. In this paper, a detection method for HTTP-based auto-ware is proposed, based on observation of the communication pattern of HTTP auto-ware. The experimental results show that the method is useful for host-based detection applications.

Index Terms—HTTP-based malware, malware detection, network security management, periodic communication.

The authors are with the Department of Computer Science, National Defense Academy, Yokosuka 239-0811, Japan.

Cite: Manh Cong Tran, Yasuhiro Nakamura, "In-Host Communication Pattern Observed for Suspicious HTTP-Based Auto-Ware Detection," International Journal of Computer and Communication Engineering, vol. 4, no. 6, pp. 379-389, 2015.
