User-agent as a Cyber Intrusion Artifact: Detection of APT Activity Using Minimal Anomalies on the User-agent String Traffic
2024
ZEUS Workshop on Services and their Composition
Authors: Badr-Eddine Bouhlal and Tim Sonnekalb and Bernd Gruner and Clemens-Alexander Brust
Abstract: The detection of attacks, especially persistent intrusions, relies on a combination of various artifacts. Despite being manipulable, the user-agent string, a component of HTTP headers, has proven to be a tool for triggering alerts, thereby enhancing detection capabilities. In this paper, we perform a review and analysis of existing malicious user-agent strings. We gather relevant data from different sources of threat intelligence and present a dataset of user-agent strings associated with malicious activities gathered from real incident reports. We also propose a categorization of existing user-agent string anomalies with respect to their type (e.g., syntax) and their complexity degree.
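As an added illustration of the detection idea described above (not code from the paper, and not its dataset or taxonomy), the following Python extracts the User-Agent field from constructed combined-format log lines, applies a few heuristic checks, labels each anomaly with a type prefix, and assigns a simple stand-in degree of how many anomalies co-occur. The sample lines, the check names, the "syntax"/"semantic" prefixes and the "minimal"/"compound" degrees are all assumptions made here for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed combined-log-format lines (not from the paper's dataset); the last quoted field is the User-Agent.
LOG_FMT = '10.0.0.{n} - - [01/Mar/2024:10:00:0{n} +0000] "GET / HTTP/1.1" 200 32 "-" "{ua}"'
SAMPLE_UAS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0 Safari/537.36",  # ordinary
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)",  # claims a long-obsolete browser
    "Mozila/5.0 (Windows NT 10.0; Win64; x64)",  # product name off by one character
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64",  # missing closing parenthesis
    "Mozilla/5.0  (Windows NT 10.0) Chrome/120.0.0.0",  # double space between tokens
    "",  # empty header value
]
SAMPLE_LOGS = [LOG_FMT.format(n=i + 1, ua=ua) for i, ua in enumerate(SAMPLE_UAS)]

def extract_user_agent(line: str) -> str:
    """Return the last double-quoted field of a combined-format log line."""
    fields = re.findall(r'"([^"]*)"', line)
    return fields[-1] if fields else ""

def user_agent_anomalies(ua: str) -> list:
    """Flag anomalies as 'type:name'. These heuristics are assumptions, not the paper's categorization."""
    if not ua.strip():
        return ["syntax:empty"]
    flags = []
    if ua != ua.strip() or "  " in ua:
        flags.append("syntax:irregular_whitespace")
    if ua.count("(") != ua.count(")"):
        flags.append("syntax:unbalanced_parentheses")
    first = ua.split()[0]
    name = first.split("/", 1)[0]
    if not re.fullmatch(r"[A-Za-z0-9.\-]+/[0-9][0-9A-Za-z.\-]*", first):
        flags.append("syntax:malformed_product_token")
    if name != "Mozilla" and SequenceMatcher(None, name, "Mozilla").ratio() > 0.8:
        flags.append("syntax:near_miss_product_name")  # a typo-style variant of the expected leading token
    if re.search(r"MSIE [1-6]\.", ua):
        flags.append("semantic:obsolete_browser_claim")
    return flags

def complexity(flags: list) -> str:
    """Assumed stand-in for a complexity degree: how many independent anomalies co-occur."""
    return "none" if not flags else ("minimal" if len(flags) == 1 else "compound")

def scan_logs(lines: list) -> list:
    """Return (user_agent, flags, complexity) per line, in order, for analyst triage."""
    rows = [(extract_user_agent(l), user_agent_anomalies(extract_user_agent(l))) for l in lines]
    return [(ua, flags, complexity(flags)) for ua, flags in rows]
```

Each sample line above trips exactly one check, which is the "minimal anomaly" case; a real pipeline would feed the flagged rows into alerting rather than blocking on them, since the header is attacker-controlled.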