HAS-Analyzer: Detecting HTTP-based C&C based on the Analysis of HTTP Activity Sets


We focus on two distinctive features of HTTP-based C&C traffic by analyzing HTTP activity sets. First, C&Cs show a few connections at a time (low-density). Second, contents within a request or a response change frequently among consecutive C&Cs (content-change). Based on these two features, we propose a C&C analysis mechanism that detects unknown HTTP-based…
DOI: 10.3837/tiis.2014.05.017

