DeepTLS: comprehensive and high-performance feature extraction for encrypted traffic

TL;DR

DeepTLS is a high-performance system that extracts comprehensive features from encrypted TLS traffic, significantly speeding up machine learning workflows and outperforming existing tools in analysis speed and certificate detection.

Contribution

DeepTLS introduces a fast, comprehensive feature extraction system for TLS traffic that reduces analysis time and improves detection capabilities compared to prior tools.

Findings

Analyzes GB-sized pcaps in minutes with high efficiency.

Outperforms Joy and Zeek in speed and certificate detection.

Reduces feature extraction time from hours/days to minutes.

Abstract

Feature extraction is critical for TLS traffic analysis using machine learning techniques, which it is also very difficult and time-consuming requiring huge engineering efforts. We designed and implemented DeepTLS, a system which extracts full spectrum of features from pcaps across meta, statistical, SPLT, byte distribution, TLS header and certificates. The backend is written in C++ to achieve high performance, which can analyze a GB-size pcap in a few minutes. DeepTLS was thoroughly evaluated against two state-of-the-art tools Joy and Zeek with four well-known malicious traffic datasets consisted of 160 pcaps. Evaluation results show DeepTLS has advantage of analyzing large pcaps with half analysis time, and identified more certificates with acceptable performance loss compared with Joy. DeepTLS can significantly accelerate machine learning pipeline by reducing feature extraction time from hours even days to minutes. The system is online at https://deeptls.com, where test artifacts can be viewed and validated. In addition, two open source tools Pysharkfeat and Tlsfeatmark are also released.