{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,1]],"date-time":"2025-11-01T13:54:56Z","timestamp":1762005296150,"version":"3.40.5"},"reference-count":31,"publisher":"Wiley","license":[{"start":{"date-parts":[[2021,4,7]],"date-time":"2021-04-07T00:00:00Z","timestamp":1617753600000},"content-version":"unspecified","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"National Key Research and Development Program of China","award":["2016QY13Z2302","61902262","JG2019055","SJ2020A08","PY20210160"],"award-info":[{"award-number":["2016QY13Z2302","61902262","JG2019055","SJ2020A08","PY20210160"]}]},{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["2016QY13Z2302","61902262","JG2019055","SJ2020A08","PY20210160"],"award-info":[{"award-number":["2016QY13Z2302","61902262","JG2019055","SJ2020A08","PY20210160"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"name":"National Defense Innovation Special Zone Program of Science and Technology","award":["2016QY13Z2302","61902262","JG2019055","SJ2020A08","PY20210160"],"award-info":[{"award-number":["2016QY13Z2302","61902262","JG2019055","SJ2020A08","PY20210160"]}]},{"name":"Director of Computer Application Research Institute Foundation","award":["2016QY13Z2302","61902262","JG2019055","SJ2020A08","PY20210160"],"award-info":[{"award-number":["2016QY13Z2302","61902262","JG2019055","SJ2020A08","PY20210160"]}]},{"DOI":"10.13039\/501100002851","name":"China Academy of Engineering Physics","doi-asserted-by":"publisher","award":["2016QY13Z2302","61902262","JG2019055","SJ2020A08","PY20210160"],"award-info":[{"award-number":["2016QY13Z2302","61902262","JG2019055","SJ2020A08","PY20210160"]}],"id":[{"id":"10.13039\/501100002851","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Security and Communication Networks"],"published-print":{"date-parts":[[2021,4,7]]},"abstract":"<jats:p>APT malware exploits HTTP to establish communication with a C &amp; C server to hide their malicious activities. Thus, HTTP-based APT malware infection can be discovered by analyzing HTTP traffic. Recent methods have been dependent on the extraction of statistical features from HTTP traffic, which is suitable for machine learning. However, the features they extract from the limited HTTP-based APT malware traffic dataset are too simple to detect APT malware with strong randomness insufficiently. In this paper, we propose an innovative approach which could uncover APT malware traffic related to data exfiltration and other suspect APT activities by analyzing the header fields of HTTP traffic. We use the Referer field in the HTTP header to construct a web request graph. Then, we optimize the web request graph by combining URL similarity and redirect reconstruction. We also use a normal uncorrelated request filter to filter the remaining unrelated legitimate requests. We have evaluated the proposed method using 1.48\u2009GB normal HTTP flow from clickminer and 280\u2009MB APT malware HTTP flow from Stratosphere Lab, Contagiodump, and pcapanalysis. The experimental results have shown that the URL-correlation-based APT malware traffic detection method can correctly detect 96.08% APT malware traffic, and its recall rate is 98.87%. We have also conducted experiments to compare our approach against Jiang\u2019s method, MalHunter, and BotDet, and the experimental results have confirmed that our detection approach has a better performance, the accuracy of which reached 96.08% and the F1 value increased by more than 5%.<\/jats:p>","DOI":"10.1155\/2021\/6653386","type":"journal-article","created":{"date-parts":[[2021,4,7]],"date-time":"2021-04-07T18:20:30Z","timestamp":1617819630000},"page":"1-12","source":"Crossref","is-referenced-by-count":5,"title":["HTTP-Based APT Malware Infection Detection Using URL Correlation Analysis"],"prefix":"10.1155","volume":"2021","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-3235-3463","authenticated-orcid":true,"given":"Wei-Na","family":"Niu","sequence":"first","affiliation":[{"name":"School of Computer Science and Engineering, Institute for Cyber Security, University of Electronic Science and Technology of China (UESTC), Chengdu 611731, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2857-3823","authenticated-orcid":true,"given":"Jiao","family":"Xie","sequence":"additional","affiliation":[{"name":"School of Computer Science and Engineering, Institute for Cyber Security, University of Electronic Science and Technology of China (UESTC), Chengdu 611731, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9886-1412","authenticated-orcid":true,"given":"Xiao-Song","family":"Zhang","sequence":"additional","affiliation":[{"name":"School of Computer Science and Engineering, Institute for Cyber Security, University of Electronic Science and Technology of China (UESTC), Chengdu 611731, China"},{"name":"Cyberspace Security Research Center, Peng Cheng Laboratory, Shenzhen 518040, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6462-1522","authenticated-orcid":true,"given":"Chong","family":"Wang","sequence":"additional","affiliation":[{"name":"School of Computer Science and Engineering, Institute for Cyber Security, University of Electronic Science and Technology of China (UESTC), Chengdu 611731, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5141-3900","authenticated-orcid":true,"given":"Xin-Qiang","family":"Li","sequence":"additional","affiliation":[{"name":"School of Computer Science and Engineering, Institute for Cyber Security, University of Electronic Science and Technology of China (UESTC), Chengdu 611731, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1970-5743","authenticated-orcid":true,"given":"Rui-Dong","family":"Chen","sequence":"additional","affiliation":[{"name":"School of Computer Science and Engineering, Institute for Cyber Security, University of Electronic Science and Technology of China (UESTC), Chengdu 611731, China"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8510-4025","authenticated-orcid":true,"given":"Xiao-Lei","family":"Liu","sequence":"additional","affiliation":[{"name":"Institute of Computer Application, China Academy of Engineering Physics, Mianyang 621900, China"}]}],"member":"311","reference":[{"key":"1","doi-asserted-by":"publisher","DOI":"10.1109\/REW.2019.00032"},{"key":"2","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2020.01.032"},{"key":"3"},{"issue":"5","key":"4","article-title":"Selecting prominent api calls and labeling malicious samples for effective malware family classification","volume":"17","author":"C. C. San","year":"2019","journal-title":"International Journal of Computer Science and Information Security (IJCSIS)"},{"key":"5","doi-asserted-by":"publisher","DOI":"10.1109\/IPCCC47392.2019.8958732"},{"key":"6","doi-asserted-by":"publisher","DOI":"10.1155\/2017\/7536381"},{"key":"7","doi-asserted-by":"publisher","DOI":"10.1145\/3003816"},{"first-page":"366","article-title":"Unsupervised detection of apt C &C channels using web request graphs","author":"P. Lamprakis","key":"8"},{"first-page":"1244","article-title":"Clickminer: towards forensic reconstruction of user-browser interactions from network traces","author":"C. Neasbitt","key":"9"},{"article-title":"Stratosphere Lab","year":"2013","author":"Czech Republic","key":"10"},{"article-title":"Contagio malware dump","year":"2019","author":"Milaparkour","key":"11"},{"year":"2019","key":"12","article-title":"Pcap analysis.com"},{"first-page":"527","article-title":"A method based on statistical characteristics for detection malware requests in network traffic","author":"Ke Li","key":"13"},{"key":"14","doi-asserted-by":"publisher","DOI":"10.1109\/access.2018.2846740"},{"key":"15","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2015.01.005"},{"first-page":"326","article-title":"Exploiting temporal persistence to detect covert botnet channels","author":"F. Giroire","key":"16"},{"key":"17","doi-asserted-by":"publisher","DOI":"10.1109\/NCA.2009.56"},{"first-page":"249","article-title":"Automated generation of models for fast and precise detection of http-based malware","author":"A. Zarras","key":"18"},{"first-page":"589","article-title":"Execscent: mining for new c&c domains in live networks with adaptive control protocol templates","author":"N. Terry","key":"19"},{"first-page":"349","article-title":"Botfinder: finding bots in network traffic without deep packet inspection","author":"F. Tegeler","key":"20"},{"first-page":"129","article-title":"Disclosure: detecting botnet command and control servers through large-scale netflow analysis","author":"L. Bilge","key":"21"},{"key":"22","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2013.04.007"},{"first-page":"1","article-title":"Botdetector: a robust and scalable approach toward detecting malware-infected devices","author":"S. Mizuno","key":"23"},{"first-page":"1","article-title":"Using anomaly detection based techniques to detect http-based botnet C & C traffic","author":"M. N. Sakib","key":"24"},{"first-page":"487","article-title":"Botnet detection method based on artificial intelligence","author":"Z. Guo","key":"25"},{"author":"G. Gu","key":"26","article-title":"Botsniffer: detecting botnet command and control channels in network traffic"},{"author":"G. Gu","key":"27","article-title":"Botminer: clustering analysis of network traffic for protocol-and structure-independent botnet detection"},{"year":"2018","key":"28","article-title":"Maximilianhils cortesi. mitmproxy"},{"key":"29","doi-asserted-by":"publisher","DOI":"10.1016\/j.pmcj.2017.03.007"},{"key":"30","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2012.64"},{"key":"31","doi-asserted-by":"publisher","DOI":"10.1109\/DSN.2011.5958260"}],"container-title":["Security and Communication Networks"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/downloads.hindawi.com\/journals\/scn\/2021\/6653386.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/downloads.hindawi.com\/journals\/scn\/2021\/6653386.xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/downloads.hindawi.com\/journals\/scn\/2021\/6653386.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,4,7]],"date-time":"2021-04-07T18:20:37Z","timestamp":1617819637000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.hindawi.com\/journals\/scn\/2021\/6653386\/"}},"subtitle":[],"editor":[{"given":"Huaizhi","family":"Li","sequence":"additional","affiliation":[]}],"short-title":[],"issued":{"date-parts":[[2021,4,7]]},"references-count":31,"alternative-id":["6653386","6653386"],"URL":"https:\/\/doi.org\/10.1155\/2021\/6653386","relation":{},"ISSN":["1939-0122","1939-0114"],"issn-type":[{"type":"electronic","value":"1939-0122"},{"type":"print","value":"1939-0114"}],"subject":[],"published":{"date-parts":[[2021,4,7]]}}}