DocumentCode :
3777545
Title :
An Approach to Mine Suspicious Domain Based on HTTP Automated Software Communication Behavior
Author :
Tran Cong Manh;Yasuhiro Nakamura
fYear :
2015
Firstpage :
1
Lastpage :
5
Abstract :
HTTP-based automated software (auto-ware) is increasingly being used to reach Internet users. Unfortunately, besides normal auto-ware, such as that used for software updating, auto-ware can also be abnormal processes acting as fraudulent advertising software, viruses, spyware, and malicious bots. Malicious HTTP auto-ware generates requests/accesses in communication with its server to mimic normal behavior and bypass firewalls or IDSs, which mostly allow HTTP-based data exchange. Because of that, within a private network perimeter, identifying which clients have suspicious HTTP actions/auto-ware is a big challenge. In this paper, by observing and analyzing the HTTP communication behavior of malicious auto-ware, an Access Variation Graph of a domain/server is proposed to distinguish between normal and malicious domains/servers. Based on that, a network-based method for mining suspicious domains is presented. From these results, network administrators are able to find out which clients have suspicious access/auto-ware.
Keywords :
"Servers","Feature extraction","Internet","Spyware","Security"
Publisher :
IEEE
Conference_Title :
Cyber Security, Cyber Warfare, and Digital Forensic (CyberSec), 2015 Fourth International Conference on
Type :
conf
DOI :
10.1109/CyberSec.2015.10
Filename :
7491512