TL;DR
This paper explores how observable features of TLS traffic can be used to detect and attribute malware communications without decrypting the traffic, addressing privacy concerns and evolving malware tactics.
Contribution
It introduces a method to analyze TLS features for malware detection and attribution, demonstrating effectiveness across millions of flows and multiple malware families.
Findings
Observable TLS features (the fields visible in the unencrypted handshake, from both client and server) differ significantly between malware and benign enterprise traffic
Malware families whose TLS usage changes over time are harder to attribute than families with stable TLS behaviour
Both hand-written rules and machine-learning classifiers built on these features can distinguish malware from benign traffic, and can attribute even a single encrypted flow to a malware family
Abstract
The use of TLS by malware poses new challenges to network threat detection because traditional pattern-matching techniques can no longer be applied to its messages. However, TLS also introduces a complex set of observable data features that allow many inferences to be made about both the client and the server. We show that these features can be used to detect and understand malware communication, while at the same time preserving the privacy of benign uses of encryption. These data features also allow for accurate malware family attribution of network communication, even when restricted to a single, encrypted flow. To demonstrate this, we performed a detailed study of how TLS is used by malware and enterprise applications. We provide a general analysis on millions of TLS encrypted flows, and a targeted study on 18 malware families composed of thousands of unique malware samples and…
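The abstract's central point, and the basis of the Findings above, is that a TLS handshake exposes plaintext fields (offered cipher suites, extensions, server name indication) that can be turned into features without touching the encrypted payload. The following Python is an added example, not code from the paper or its authors: it builds a constructed ClientHello record, parses those observable fields out of the wire bytes, and applies a simple illustrative rule of the kind the paper's approach enables. The cipher-suite values and extension type numbers are the IANA registry values; the rule itself (flagging legacy RC4/3DES suites and a missing SNI or ALPN extension) is this example's own assumption about what a non-browser client looks like, not a rule from the paper.

```python
import struct

# IANA cipher-suite values used by the constructed examples (assumption: this small subset suffices here)
CIPHER_NAMES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
}

EXT_SERVER_NAME = 0x0000   # server_name (SNI)
EXT_ALPN = 0x0010          # application_layer_protocol_negotiation
LEGACY_SUITES = {0x0004, 0x0005, 0x000A}   # RC4 / 3DES suites (example's own choice)


def sni_extension(hostname):
    """server_name extension body: list length, name_type 0, name length, name."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    return (EXT_SERVER_NAME, struct.pack("!H", len(entry)) + entry)


def build_client_hello(cipher_suites, extensions, version=0x0303):
    """Construct a TLS record carrying a ClientHello (constructed test data, not a capture)."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (
        struct.pack("!H", version)
        + bytes(32)                                   # client random (zeros; constructed)
        + b"\x00"                                     # empty session id
        + struct.pack("!H", 2 * len(cipher_suites))
        + b"".join(struct.pack("!H", cs) for cs in cipher_suites)
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(ext_body)) + ext_body
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake   # record type 22


def parse_client_hello(record):
    """Extract the plaintext, observable client features: version, offered cipher suites,
    extension types, and SNI. Raises ValueError if the record is not a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    if len(p) != hs_len:
        raise ValueError("truncated ClientHello")
    off = 0
    version = struct.unpack("!H", p[off:off + 2])[0]; off += 2
    off += 32                                         # skip client random
    off += 1 + p[off]                                 # skip session id
    cs_len = struct.unpack("!H", p[off:off + 2])[0]; off += 2
    suites = [struct.unpack("!H", p[off + i:off + i + 2])[0] for i in range(0, cs_len, 2)]
    off += cs_len
    off += 1 + p[off]                                 # skip compression methods
    ext_types, sni = [], None
    if off + 2 <= len(p):                             # extensions block is optional
        ext_len = struct.unpack("!H", p[off:off + 2])[0]; off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", p[off:off + 4]); off += 4
            data = p[off:off + elen]; off += elen
            ext_types.append(etype)
            if etype == EXT_SERVER_NAME and len(data) >= 5:
                nlen = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + nlen].decode("ascii", "replace")
    return {"version": version, "cipher_suites": suites, "extensions": ext_types, "sni": sni}


def flag_client_hello(features):
    """Illustrative rule (this example's assumption, not the paper's rule): a client offering
    legacy RC4/3DES suites with no SNI and no ALPN looks unlike a modern enterprise client."""
    reasons = []
    if LEGACY_SUITES & set(features["cipher_suites"]):
        reasons.append("offers legacy RC4/3DES suites")
    if EXT_SERVER_NAME not in features["extensions"]:
        reasons.append("no SNI")
    if EXT_ALPN not in features["extensions"]:
        reasons.append("no ALPN")
    return reasons


# Two constructed ClientHellos: a browser-like client and a bare legacy client.
MODERN_HELLO = build_client_hello(
    [0x1301, 0xC02F, 0xC030],
    [sni_extension("example.com"), (EXT_ALPN, b"\x00\x03\x02h2")])
LEGACY_HELLO = build_client_hello([0x0004, 0x0005, 0x000A, 0x002F], [], version=0x0301)

if __name__ == "__main__":
    for label, rec in (("modern", MODERN_HELLO), ("legacy", LEGACY_HELLO)):
        f = parse_client_hello(rec)
        print(label, [CIPHER_NAMES.get(c, hex(c)) for c in f["cipher_suites"]], f["sni"], flag_client_hello(f))
```

Everything the parser reads is visible to a passive observer of a TLS 1.2 handshake; nothing here depends on keys or decryption. The same feature vector (suite list, extension list, SNI presence) is what a rule set or a classifier would consume, and it is also why the second Finding holds: a family that rotates its offered suites or adds extensions over time changes exactly these inputs.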