The infection of data processing terminals by means of malware programs is intended to allow persons of malicious intent, or cybercriminals, to take remote control of the terminals and to extract sensitive data from them, such as identifiers, passwords, banking data, etc. Such an infection may take place in several ways: downloading infected files onto the terminal via the Internet, or opening email attachments, which in this case is referred to as “phishing”. The malware program may also be transmitted by means of a removable medium such as a “USB” (for Universal Serial Bus) stick. The infection may also result from the creator of the malware program exploiting a vulnerability of the terminal, for example a flaw in the browser.
Once the terminal is infected by the malware program, it connects to one or more malicious servers situated on the Internet in order to receive commands and/or to send information held on the infected terminal. The majority of malware programs use the “http” protocol (for “hypertext transfer protocol”), which constitutes the majority of Internet traffic. The malware programs thus generate malicious traffic which blends into legitimate traffic and which is therefore difficult to identify and to isolate.
The usual techniques for detection of a malicious traffic are essentially based on a search within a database of malicious “URL” (for “Uniform Resource Locator”) signatures, or black list of malicious URLs. These databases list malicious resources and servers known on the Internet. An attempt to connect from a terminal to one of the resources whose signature is present in the database indicates either the effective presence of a malware program on the terminal or an attempt to infect said terminal.
In order to counter this type of attack, it is usual to deploy a network traffic monitoring system which analyzes all of the traffic coming from the terminal in order to identify communications that may be associated with a malware program. Thus, when the terminal generates an http request sent over the Internet, the request is intercepted by the monitoring system, which analyzes its content. If the URL does not appear on the black list, the traffic is not blocked and the software that generated the http request receives the requested resource in response. If the URL included in the request is referenced in the black list of malicious URLs, the request is blocked and an error message is sent to the terminal. In this case, and in order to combat infections, a warning is raised and sent to a security administrator so that remedial measures can be applied as quickly as possible, such as a targeted anti-virus scan or a quarantining of the terminal, before the malware program has had time to do serious damage.
However, such a solution generates many false positives, which are detrimental to the administration of the system. A false positive is defined as the generation of an infection alarm for a terminal even though that terminal is not infected. Indeed, a large number of accesses to malicious URLs are not linked to the presence of a malware program on the terminal in question, but to redirections and automatic accesses that use functionalities of the http protocol and are exploited by attackers in an attempt to infect those terminals. For example, an innocent request emanating from a terminal may lead the browser to load a page from a server, and that page may include links or redirections to malicious resources. These malicious resources may have been added by the attacker, for example by exploiting a vulnerability of the web server contacted by the terminal, by hijacking advertisements, etc. For example, a user connects to the site “http://downloadmusic1.com/” and their browser connects, automatically and transparently, to the malicious server “http://1shot.ru/” following a redirection by the server contacted. Such an access is regarded as indirect because it follows an access to a legitimate resource of the network, in this case “http://downloadmusic1.com/”. The monitoring system analyzes the two requests emanating from the terminal and generates an alarm for the second request, indicating that the terminal is infected. Thus, the monitoring system makes no distinction between an infection attempt by indirect access and a true infection, which involves a direct connection to a malicious site. A security administrator is then obliged to analyze each alarm in order to determine whether the terminal really is infected.
This reduces the efficacy and the value of automatic detection of terminal infections, since infection attempts also give rise to alarms of the same level of criticality as the alarms representative of real infections.
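As an added illustration of the distinction the text draws (not code from the patent or any product), the following toy monitor classifies a blacklist hit as a direct access or an indirect one. The criteria it uses, a recent non-blacklisted access from the same terminal within a short time window or a Referer pointing to a non-blacklisted host, are assumptions chosen for this example; the blacklist, hosts and window length are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample blacklist, using the malicious host named in the text.
BLACKLIST = {"1shot.ru"}
# Assumption: a legitimate access within this many seconds "explains" a follow-on hit.
WINDOW_S = 5.0


@dataclass
class Request:
    terminal: str            # identifier of the monitored terminal
    ts: float                # time of the http request, in seconds
    url: str
    referer: Optional[str] = None


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


class Monitor:
    """Keeps, per terminal, the recent accesses to non-blacklisted hosts."""

    def __init__(self) -> None:
        self.recent: Dict[str, List[Tuple[float, str]]] = {}

    def inspect(self, req: Request) -> dict:
        h = host_of(req.url)
        hist = self.recent.setdefault(req.terminal, [])
        # Forget legitimate accesses that fall outside the window.
        hist[:] = [(t, hh) for t, hh in hist if req.ts - t <= WINDOW_S]
        if h not in BLACKLIST:
            hist.append((req.ts, h))
            return {"action": "allow", "alarm": None}
        # Blacklisted URL: decide whether the access is direct or indirect.
        # A Referer can be forged by malware, so the timing check is the
        # primary signal and the Referer merely corroborates it.
        after_legit = any(hh != h for _, hh in hist)
        via_referer = req.referer is not None and host_of(req.referer) not in BLACKLIST
        if after_legit or via_referer:
            # Indirect access: infection attempt, lower criticality for the administrator.
            return {"action": "block", "alarm": "infection_attempt", "severity": "low"}
        # Direct access with no preceding legitimate request: likely a real infection.
        return {"action": "block", "alarm": "infection", "severity": "high"}
```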