What is it about?
TLS is the de facto standard for encrypted communication on the Internet. To establish a TLS session between two endpoints, both sides must agree on a set of encryption parameters. That negotiation offers an opportunity to distinguish one server from others based on the parameters it selects, and to extract a behavioral pattern from those choices. Machine learning can optimize this process and lead to highly accurate server classification. In our work, we collect a dataset spanning a 5-month period that contains traffic from both benign and malicious servers, and we investigate which features make this classification possible.
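As an added illustration, not code from the paper or its authors, the following Python snippet parses a TLS ServerHello record and pulls out the parameters the server chose (negotiated version, cipher suite, extension types), then hashes them into a compact fingerprint laid out like the public JA3S scheme. The ServerHello it parses is constructed inline, and the feature set is an assumption, since the paper's exact features are not stated on this page.

```python
import hashlib
import struct

# Extension type number from the IANA TLS ExtensionType registry.
EXT_SUPPORTED_VERSIONS = 43

def build_server_hello(legacy_version, cipher, exts, session_id=b""):
    """Build a minimal TLS ServerHello record (constructed test input, not a capture)."""
    body = struct.pack("!H", legacy_version) + b"\x00" * 32      # legacy_version + random
    body += bytes([len(session_id)]) + session_id                  # legacy_session_id_echo
    body += struct.pack("!H", cipher) + b"\x00"                    # cipher_suite + compression
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    hs = b"\x02" + len(body).to_bytes(3, "big") + body             # HandshakeType server_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs       # ContentType handshake

def parse_server_hello(record):
    """Extract the parameters the server selected: version, cipher suite, extension types."""
    if record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32 + 1 + body[34]                                    # skip random and session id
    cipher = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                                       # cipher + compression method
    exts = []
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            # TLS 1.3 keeps legacy_version at 0x0303; the negotiated version is in supported_versions.
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                version = struct.unpack("!H", data)[0]
            exts.append(etype)
            pos += 4 + elen
    return {"version": version, "cipher": cipher, "extensions": exts}

def fingerprint(fields):
    """Hash the chosen parameters into a server fingerprint (JA3S-style field layout)."""
    s = "%d,%d,%s" % (fields["version"], fields["cipher"], "-".join(map(str, fields["extensions"])))
    return hashlib.md5(s.encode()).hexdigest()

if __name__ == "__main__":
    tls13 = build_server_hello(0x0303, 0x1301, [(51, b"\x00\x1d\x00\x00"), (43, b"\x03\x04")])
    print(parse_server_hello(tls13), fingerprint(parse_server_hello(tls13)))
```

Servers that repeatedly produce the same fingerprint across connections can be grouped, which is the kind of behavioral pattern a classifier can learn from.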
Why is it important?
As of October 2020, more than 90% of Internet traffic is communicated over TLS. According to the 2021 TLS Telemetry Report (https://www.f5.com/labs/articles/threat-intelligence/the-2021-tls-telemetry-report), TLS 1.3 has become the preferred protocol for 63% of the top 1 million web servers on the Internet. WatchGuard observed in 2021 that 91.5% of malware is delivered over encrypted channels (https://www.watchguard.com/wgrd-news/press-releases/watchguard-threat-lab-reports-915-malware-arrived-over-encrypted). To identify these malicious servers and prevent malware threats, we need to analyze the TLS protocol and extract patterns that distinguish them.
Read the Original
This page is a summary of: Fingerprinting the Shadows: Unmasking Malicious Servers with Machine Learning-Powered TLS Analysis, May 2024, ACM (Association for Computing Machinery),
DOI: 10.1145/3589334.3645719.