Most malware uses HTTP/HTTPS to call home or install other parts of a malicious action. Since thousands and thousands of samples appear daily, it is almost impossible to create signatures to dectect all malicious activities.
Based on this problem, we started to analyze common headers and behaviors for malicious connections based on Spiderlabs research analysis and lot of packet captures from various sources. With that info, we scored each header in an HTTP request and based that score on the frequency that it appears, blacklisting, and a few other tricks.
Our goal with this initial presentation and PoC is to show that we can score HTTP headers as a way to find malicious activity in HTTP/HTTPS traffic.