DocumentCode
595559
Title
Analysis and detection of malicious data exfiltration in web traffic
Author
Al-Bataineh, Areej ; White, Gannon
Author_Institution
Dept. of Comput. Sci., Univ. of Texas at San Antonio, San Antonio, TX, USA
fYear
2012
fDate
16-18 Oct. 2012
Firstpage
26
Lastpage
31
Abstract
Data-stealing botnets pose a great risk to the security of networks and the privacy of their users. Most of these botnets use the web as a medium for communication, making them difficult to detect given that web traffic constitutes about 70% of Internet traffic. In addition, they use obfuscation techniques, primarily encryption, to hide their communications and data exfiltration attempts, making current botnet detection techniques that depend on content inspection ineffective. In this paper, we present an analysis of the data-stealing behaviors of one of the most notorious data-stealing botnets, Zeus. In addition, we propose a classification algorithm to identify malicious data-stealing attempts within web traffic. Our classifier uses the entropy and byte frequency distribution of HTTP POST request contents as features. Our evaluation of the classifier shows high accuracy and high efficiency, making it applicable at network perimeter monitoring devices and web proxies.
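The abstract names two feature families, Shannon entropy and the byte frequency distribution of the HTTP POST body, but not how they are computed or thresholded. The following is an added example, not code from the paper or its authors: it extracts both features from a POST body and applies a hand-set threshold rule as a stand-in for the paper's trained classifier. The thresholds (7.0 bits/byte, 5.8 bits/byte with normalized entropy 0.95), the minimum body length, and the three sample bodies (a plaintext login form, a pseudo-random body standing in for encrypted output, and the base64 encoding of that body) are constructed assumptions for illustration, not data from the paper.

```python
"""Entropy and byte-frequency features for HTTP POST bodies.

Added example (not the paper's code): computes Shannon entropy and the
256-bin byte frequency distribution of a POST body and applies assumed
threshold rules in place of the paper's trained classifier.
"""
import base64
import hashlib
import math


def byte_frequency(body: bytes) -> list:
    """Relative byte frequency distribution; index = byte value (0..255)."""
    counts = [0] * 256
    for b in body:
        counts[b] += 1
    n = len(body) or 1
    return [c / n for c in counts]


def shannon_entropy(body: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for an empty body, at most 8.0."""
    if not body:
        return 0.0
    return -sum(p * math.log2(p) for p in byte_frequency(body) if p > 0)


def extract_features(body: bytes) -> dict:
    """Per-body features derived from the frequency distribution."""
    freq = byte_frequency(body)
    distinct = sum(1 for p in freq if p > 0)
    ent = shannon_entropy(body)
    # Entropy relative to the maximum possible for the alphabet actually used.
    # Near 1.0 means the symbols in use are spread almost uniformly, which is
    # what base64-encoded ciphertext looks like even though its raw entropy
    # cannot exceed log2(64) = 6 bits per byte.
    norm = ent / math.log2(distinct) if distinct > 1 else 0.0
    printable = sum(freq[b] for b in range(0x20, 0x7F))
    return {"length": len(body), "entropy": ent, "distinct": distinct,
            "normalized_entropy": norm, "printable_ratio": printable}


def classify_post_body(body: bytes, min_len: int = 64) -> str:
    """Return 'suspicious' or 'benign' using assumed threshold rules."""
    f = extract_features(body)
    if f["length"] < min_len:
        return "benign"            # too short to measure reliably
    if f["entropy"] >= 7.0:
        return "suspicious"        # raw ciphertext or compressed data
    if f["entropy"] >= 5.8 and f["normalized_entropy"] >= 0.95:
        return "suspicious"        # small alphabet used uniformly (e.g. base64)
    return "benign"


def pseudo_random_bytes(seed: bytes, n: int) -> bytes:
    """Deterministic stand-in for an encrypted body: a SHA-256 hash chain."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample bodies (not captured traffic).
FORM_BODY = (b"username=alice&password=hunter2&email=alice%40example.com"
             b"&remember=1&redirect=%2Faccount%2Fsettings")
ENCRYPTED_BODY = pseudo_random_bytes(b"constructed sample", 4096)
BASE64_BODY = base64.b64encode(ENCRYPTED_BODY)
SAMPLES = {"form": FORM_BODY, "encrypted": ENCRYPTED_BODY, "base64": BASE64_BODY}


def classify_samples() -> dict:
    """Classify every constructed sample; used for the self-check below."""
    return {name: classify_post_body(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        f = extract_features(body)
        print(f"{name:10s} len={f['length']:5d} H={f['entropy']:.2f} "
              f"distinct={f['distinct']:3d} norm={f['normalized_entropy']:.2f} "
              f"printable={f['printable_ratio']:.2f} -> {classify_post_body(body)}")
```

The second rule exists because a pure entropy threshold near 8 bits/byte misses ciphertext that the bot base64-encodes before posting: that body tops out near 6 bits/byte, but the frequency distribution shows roughly 64 symbols used almost uniformly, which plaintext form data never does. Two caveats a deployment needs: legitimate uploads of compressed or image data also score high on both rules, so a perimeter device should combine this with destination reputation or allowlisting of upload endpoints; and a web proxy can only see the POST body if it terminates TLS, since the HTTP request body is otherwise opaque.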
Keywords
Internet; computer network security; data privacy; pattern classification; transport protocols; HTTP POST request content; Internet traffic; Web proxy; Web traffic; Zeus botnets; botnet detection technique; byte frequency distribution; classification algorithm; content inspection; data stealing behavior; data stealing botnet; encryption; entropy; hypertext transfer protocol; malicious data exfiltration analysis; malicious data exfiltration detection; network perimeter monitoring device; network security; obfuscation technique; user privacy; Encryption; Entropy; Feature extraction; Malware; Servers; Software;
fLanguage
English
Publisher
ieee
Conference_Titel
Malicious and Unwanted Software (MALWARE), 2012 7th International Conference on
Conference_Location
Fajardo, PR
Print_ISBN
978-1-4673-4880-5
Type
conf
DOI
10.1109/MALWARE.2012.6461004
Filename
6461004