Web attacks have been on the rise for the last few years. Sophisticated botnets have been widely used to coordinate spam campaigns, launch denial-of-service attacks, or steal sensitive information. Increasingly, bot activities are coordinated via sophisticated and stealthy command-and-control (C&C) channels designed to evade detection by traditional signature-based Intrusion Detection and Prevention Systems (IDS/IPS). C&C channels employ various stealth techniques that make them difficult to detect, such as (i) the use of HTTP to bypass firewalls, (ii) encryption to obscure payloads, and (iii) "domain fast-flux" to constantly change the locations of the command-and-control servers.
Recent approaches to identifying Web attacks rely on analysis of the content of the downloaded files or of the URLs used in the communication. Since they do not consider the network communication graph, they often fall short in identifying other malicious activities in the network. Further, existing IDS can only identify malicious clients associated with known malware for which threat signatures are available. Their main limitation is in identifying zero-day malware for which the IDS has no corresponding signatures.