Indicators of Malicious SSL Connections

“…Many approaches were proposed to overcome the usage of non-standard port with HTTPS, ranging from behaviour based method to machine learning ones as described below. In spite of that, port 443 is widely used in the large body of literature [5], [10], [16], [29]- [33] to collect and build HTTPS dataset for further experiments.…”

“…Based on their experiments, they can classify 95% of TLS traffic belonging to Google, Facebook and Kakaotalk with about 90% accuracy for the corresponding services. Authors in [10] use the information in SSL certificate like certificate validity, release dates and the content of subject alternative name as features to detect suspicious TLS traffic.…”

“…Bortolameotti et al [10] used both SNI and SSL certificate information to detect malicious TLS connections by examining (1) Levenshtein distance between the SNI and top 100 most visited websites; (2) the structure of the server-name string in SNI; (3) the format of the server-name string, which is a DNS hostname format. In [43], authors evaluate the reliability of identifying HTTPS based on SNI.…”

“…While from the security side, HTTPS makes security monitoring methods unable to understand the traffic and to identify anomalies or malicious activities that can be hidden in encrypted connections [9]. Bortolameotti et al [10] have proposed indicators for malicious HTTPS connections that can be used in Data Exfiltration scenario, where a compromised enterprise's machine transfers sensitive information to an external server controlled by an attacker over a HTTPS channel to circumvent the security monitoring techniques. Therefore, there is a high demand for solutions able to analyse HTTPS traffic.…”

A Survey of HTTPS Traffic and Services Identification Approaches

“…Many approaches were proposed to overcome the usage of non-standard port with HTTPS, ranging from behaviour based method to machine learning ones as described below. In spite of that, port 443 is widely used in the large body of literature [5], [10], [16], [29]- [33] to collect and build HTTPS dataset for further experiments.…”

“…Based on their experiments, they can classify 95% of TLS traffic belonging to Google, Facebook and Kakaotalk with about 90% accuracy for the corresponding services. Authors in [10] use the information in SSL certificate like certificate validity, release dates and the content of subject alternative name as features to detect suspicious TLS traffic.…”

“…Bortolameotti et al [10] used both SNI and SSL certificate information to detect malicious TLS connections by examining (1) Levenshtein distance between the SNI and top 100 most visited websites; (2) the structure of the server-name string in SNI; (3) the format of the server-name string, which is a DNS hostname format. In [43], authors evaluate the reliability of identifying HTTPS based on SNI.…”

“…While from the security side, HTTPS makes security monitoring methods unable to understand the traffic and to identify anomalies or malicious activities that can be hidden in encrypted connections [9]. Bortolameotti et al [10] have proposed indicators for malicious HTTPS connections that can be used in Data Exfiltration scenario, where a compromised enterprise's machine transfers sensitive information to an external server controlled by an attacker over a HTTPS channel to circumvent the security monitoring techniques. Therefore, there is a high demand for solutions able to analyse HTTPS traffic.…”

A Survey of HTTPS Traffic and Services Identification Approaches

“…A group of indicators of malicious connections for SSL was proposed by Riccardo Bortolameotti et al [45], which utilized unencrypted part of SSL. With the help of these indicators, authors found various malicious connections and vulnerable SSL connections to Man-inthe-Middle attacks (MITM).…”

A Comparative Review of Malware Analysis and Detection n HTTPs Traffic

Accuracy Improvement by Occurrence Probability of Service Identification based on SNI