Adaptive Detection of Covert Communication in HTTP
The infection of computer systems with malicious software is an enduring problem of computer security. Avoiding an infection in the first place is a hard task, as computer systems are often vulnerable to a multitude of attacks. However, to explore and control an infected system, an attacker needs to establish a communication channel with the victim. While such a channel can be easily established to an unprotected end host on the Internet, infiltrating a closed network usually requires passing an application-level gateway - in most cases a web proxy - which constitutes an ideal spot for detecting and blocking unusual outbound communication. This paper introduces DUMONT, a system for detecting covert outbound HTTP communication passing through a web proxy.