Detecting and mitigating malware by evaluating HTTP errors
US11632393B2 · kind B2 · utility
Assignee
Inventors
Key dates
| Filing date | Oct 16, 2020 |
| Grant date | Apr 18, 2023 |
| Priority date | — |
| Expiry date | Jun 15, 2041 |
Classification
- Technology area (CPC H): Electricity
- CPC primary: H04L63/1425
- WIPO field: Computer technology
- WIPO sector: Electrical engineering
Abstract
Malware is detected and mitigated by differentiating HTTP error generation patterns between errors generated by malware, and errors generated by benign users/software. In one embodiment, a malware detector system receives traffic that includes HTTP errors and successful HTTP requests. Error traffic and the successful request traffic are segmented for further analysis. The error traffic is supplied to a clustering component, which groups the errors, e.g., based on their URI pages and parameters. During clustering, various statistical features are extracted (as feature vectors) from one or more perspectives, namely, error provenance, error generation, and error recovery. The feature vectors are supplied to a classifier component, which is trained to distinguish malware-generated errors from benign errors. Once trained, the classifier takes an error cluster and its surrounding successful HTTP requests as inputs, and it produces a verdict on whether a particular cluster is malicious. The classifier output then drives an automated mitigation operation.
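The pipeline the abstract outlines (segment error traffic from successful requests, cluster errors by URI page and parameter names, extract provenance/generation/recovery features, classify each cluster, and drive a mitigation) can be sketched end to end in a few dozen lines. The block below is an added illustration, not code from the patent or its assignee: the log format, the specific feature definitions, the hand-set linear weights standing in for the trained classifier, and the helper names (`parse_log`, `cluster_errors`, `extract_features`, `score_cluster`, `analyze`, `mitigation_targets`) are all assumptions made for this example, and the log lines are constructed.

```python
"""Illustrative HTTP-error clustering and scoring pipeline (added example, not the patent's code)."""
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines: client IP, timestamp, method, request target, status.
# Assumption: one request per line, space separated, ISO-8601 timestamps.
SAMPLE_LOG = """\
10.0.0.5 2020-10-16T10:00:01 GET /admin.php?id=1 404
10.0.0.5 2020-10-16T10:00:01 GET /admin.php?id=2 404
10.0.0.5 2020-10-16T10:00:02 GET /admin.php?id=3 500
10.0.0.5 2020-10-16T10:00:02 GET /admin.php?id=4 404
10.0.0.5 2020-10-16T10:00:03 GET /admin.php?id=5 500
10.0.0.5 2020-10-16T10:00:03 GET /admin.php?id=6 404
192.0.2.10 2020-10-16T10:05:00 POST /login?user=alice&pw=x 401
192.0.2.10 2020-10-16T10:05:07 POST /login?user=alice&pw=y 200
198.51.100.7 2020-10-16T10:06:00 POST /login?user=bob&pw=x 401
198.51.100.7 2020-10-16T10:06:04 POST /login?user=bob&pw=y 200
203.0.113.9 2020-10-16T10:07:00 GET /docs/page 200
"""

# Hand-set weights standing in for a trained classifier (assumption, not the patent's model).
WEIGHTS = {"top_source_share": 1.0, "errors_per_second": 0.5,
           "value_diversity": 1.0, "recovery_rate": -2.0}
BIAS = -1.0


def parse_log(text):
    """Parse constructed log lines into event dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        ip, ts, method, target, status = line.split()
        parts = urlsplit(target)
        params = tuple(sorted(parse_qsl(parts.query, keep_blank_values=True)))
        events.append({"ip": ip, "ts": datetime.fromisoformat(ts), "method": method,
                       "path": parts.path, "params": params, "status": int(status)})
    return sorted(events, key=lambda e: e["ts"])


def segment(events):
    """Split traffic into HTTP errors (>= 400) and successful requests."""
    return ([e for e in events if e["status"] >= 400],
            [e for e in events if e["status"] < 400])


def cluster_errors(errors):
    """Group errors by method, URI page and the set of parameter names."""
    clusters = defaultdict(list)
    for e in errors:
        clusters[(e["method"], e["path"], tuple(n for n, _ in e["params"]))].append(e)
    return clusters


def extract_features(errs, successes):
    """Provenance, generation and recovery features for one error cluster."""
    n = len(errs)
    per_source = defaultdict(int)
    for e in errs:
        per_source[e["ip"]] += 1
    span = (errs[-1]["ts"] - errs[0]["ts"]).total_seconds()
    # Recovery: did the same client later succeed on the same page?
    recovered = sum(any(s["ip"] == e["ip"] and s["path"] == e["path"] and s["ts"] > e["ts"]
                        for s in successes) for e in errs)
    return {
        "n_errors": n,                                       # generation
        "n_sources": len(per_source),                        # provenance
        "top_source_share": max(per_source.values()) / n,    # provenance
        "errors_per_second": n / span if span > 0 else float(n),  # generation
        "value_diversity": len({e["params"] for e in errs}) / n,  # generation
        "status_codes": len({e["status"] for e in errs}),    # generation
        "recovery_rate": recovered / n,                      # recovery
    }


def score_cluster(features):
    """Linear score; positive means the cluster looks malware-generated."""
    return BIAS + sum(w * features[k] for k, w in WEIGHTS.items())


def analyze(log_text, threshold=0.0):
    """Run segmentation, clustering, feature extraction and scoring; return verdicts per cluster."""
    errors, successes = segment(parse_log(log_text))
    verdicts = {}
    for key, errs in cluster_errors(errors).items():
        f = extract_features(errs, successes)
        s = score_cluster(f)
        verdicts[key] = {"features": f, "score": s, "malicious": s > threshold,
                         "sources": sorted({e["ip"] for e in errs})}
    return verdicts


def mitigation_targets(verdicts):
    """Sources behind malicious clusters, as input to a rate-limit or block action."""
    return sorted({ip for v in verdicts.values() if v["malicious"] for ip in v["sources"]})


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for key, v in result.items():
        print(key, "malicious" if v["malicious"] else "benign", round(v["score"], 2))
    print("mitigate:", mitigation_targets(result))
```

On the constructed input the `/admin.php` cluster scores high (one source, high rate, no recovery) while the `/login` cluster is benign because each client's 401 is followed by a 200 from the same IP on the same page, which is the recovery signal the abstract singles out. In a deployment the weights would come from a classifier trained on labelled clusters, and the recovery lookup would be bounded by a time window rather than scanning all later successes.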
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.