Affiliation:
1. IMDEA Software Institute, Universidad Politécnica de Madrid, Madrid, Spain
2. Norton Research Group, Paris, France
3. University of Genoa, Genoa, Italy
4. IMDEA Software Institute, Madrid, Spain
Abstract
Malware abuses TLS to encrypt its malicious traffic, preventing examination by content signatures and deep packet inspection. Network detection of malicious TLS flows is important, but it is a challenging problem. Prior works have proposed supervised machine learning detectors using TLS features. However, by trying to represent all malicious traffic, supervised binary detectors produce models that are too loose, thus introducing errors. Furthermore, they do not distinguish flows generated by different malware. On the other hand, supervised multiclass detectors produce tighter models and can classify flows by malware family, but they require family labels, which are not available for many samples. To address these limitations, this work proposes a novel unsupervised approach to detect and cluster malicious TLS flows. Our approach takes as input network traces from sandboxes. It clusters similar TLS flows using 90 features that capture properties of the TLS client, TLS server, certificate, and encrypted payload, and uses the clusters to build an unsupervised detector that can assign a malicious flow to the cluster it belongs to, or determine that it is benign. We evaluate our approach using 972K traces from a commercial sandbox and 35M TLS flows from a research network. Our clustering shows very high precision and recall, with an F1 score of 0.993. We compare our unsupervised detector with two state-of-the-art approaches, showing that it outperforms both. The false detection rate of our detector is 0.032%, measured over four months of traffic.
Subject
Computer Networks and Communications, Information Systems
Cited by: 3 articles.