Title :
Automatic NIDS Rule Generating System for Detecting HTTP-like Malware Communication
Author :
Chia-Nan Kao;Yung-Cheng Chang;Nen-Fu Huang;I-Ju Liao;Rong-Tai Liu;Hsien-Wei Hung;Che-Wei Lin
Author_Institution :
Inst. of Commun. Eng., Nat. Tsing Hua Univ., Hsinchu, Taiwan
Abstract :
HTTP is the main protocol of the Internet and many network applications rely on it. Malware also uses it as a covert channel to evade the firewall (FW) or network intrusion detection system (NIDS). We refer to malware that uses HTTP for its communication as an HTTP-like Botnet. Some parts of the network traffic of an HTTP-like Botnet differ from normal HTTP applications. Based on the differences between HTTP-like Botnet traffic and normal HTTP applications, we developed an Automatic NIDS Rule Generating System (ARGS). ARGS is a proof of concept (POC) that generates the corresponding NIDS rules efficiently and precisely from the input malign traffic (MT). ARGS uses an incremental method to generate and optimize the rules. It can generate rules quickly and precisely without first requiring the collection of many malware samples for clustering. For practical purposes, we adopt Snort as the IDS engine in ARGS. In our experiments, the time required by ARGS to process MTs and generate the corresponding rules is significantly shorter than that of the existing solution when rule optimization is not required. In addition, the generated rule set detects 30% more malware traffic than the SourceFire IDS full rule set and can thus efficiently stop the spread of malware in time.
Keywords :
"Malware","Protocols","Ports (Computers)","Support vector machines","Browsers","Pattern matching","Engines"
Conference_Title :
Intelligent Information Hiding and Multimedia Signal Processing (IIH-MSP), 2015 International Conference on
DOI :
10.1109/IIH-MSP.2015.10