• DocumentCode
    580259
  • Title
    Adaptive Detection of Covert Communication in HTTP Requests
  • Author
    Schwenk, Guido ; Rieck, Konrad

  • Author_Institution
    Machine Learning Group, Tech. Univ. Berlin, Berlin, Germany
  • fYear
    2011
  • fDate
    6-7 Sept. 2011
  • Firstpage
    25
  • Lastpage
    32
  • Abstract
    The infection of computer systems with malicious software is an enduring problem of computer security. Avoiding an infection in the first place is a hard task, as computer systems are often vulnerable to a multitude of attacks. However, to explore and control an infected system, an attacker needs to establish a communication channel with the victim. While such a channel can be easily established to an unprotected end host on the Internet, infiltrating a closed network usually requires passing an application-level gateway -- in most cases a web proxy -- which constitutes an ideal spot for detecting and blocking unusual outbound communication. This paper introduces DUMONT, a system for detecting covert outbound HTTP communication passing through a web proxy. DUMONT learns profiles of normal HTTP requests for each user of the proxy and adapts to individual web surfing characteristics. The profiles are inferred from a diverse set of features covering the structure and content of outbound data, allowing tunnels and covert channels to be identified automatically as deviations from normality. While this approach does not generally rule out sophisticated covert communication, it significantly improves on state-of-the-art methods and hardens networks against malware proliferation. This capability is demonstrated in an evaluation with 90 days of web traffic, in which DUMONT uncovers the communication of malware, tunnels and backdoors with few false alarms.
  • Keywords
    Web services; computer network security; internetworking; invasive software; telecommunication channels; transport protocols; DUMONT; HTTP request; Internet; Web proxy; Web surfing characteristics; adaptive covert communication detection; application level gateway; attack vulnerability; automatically tunnel identification; communication channel; computer security; computer system; covert channel; infected system; malicious software; malware; unusual outbound communication; Detectors; Entropy; Feature extraction; Malware; Software; Support vector machines; Training; Anomaly Detection; Covert Channels; Machine Learning; Malicious Software; Network Security;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer Network Defense (EC2ND), 2011 Seventh European Conference on
  • Conference_Location
    Gothenburg
  • Print_ISBN
    978-1-4673-2116-7
  • Type
    conf
  • DOI
    10.1109/EC2ND.2011.12
  • Filename
    6377758