Skip to main content
Springer Nature Link
Log in

Using Features of Encrypted Network Traffic to Detect Malware

  • Conference paper
  • First Online:
Secure IT Systems (NordSec 2020)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12556))

Included in the following conference series:

  • 740 Accesses

Abstract

Encryption on the Internet is as pervasive as ever. This has protected communications and enhanced the privacy of users. Unfortunately, at the same time malware is also increasingly using encryption to hide its operation. The detection of such encrypted malware is crucial, but the traditional detection solutions assume access to payload data. To overcome this limitation, such solutions employ traffic decryption strategies that have severe drawbacks. This paper studies the usage of encryption for malicious and benign purposes using large datasets and proposes a machine learning based solution to detect malware using connection and TLS metadata without any decryption. The classification is shown to be highly accurate with high precision and recall rates by using a small number of features. Furthermore, we consider the deployment aspects of the solution and discuss different strategies to reduce the false positive rate.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. Anderson, B., McGrew, D.A.: Identifying encrypted malware traffic with contextual flow data. In: Proceedings of the ACM Workshop on Artificial Intelligence and Security, Vienna, Austria, 28 October 2016, pp. 35–46 (2016)

    Google Scholar 

  2. Anderson, B., Paul, S., McGrew, D.A.: Deciphering malware’s use of TLS (without decryption). J. Comput. Virol. Hacking Tech. 14(3), 195–211 (2018)

    Article  Google Scholar 

  3. Andreasen, F., Wang, E.: TLS 1.3 impact on network-based security. Internet-draft, RFC Editor, July 2019. https://tools.ietf.org/html/draft-camwinget-tls-use-cases-05

  4. Bazuhair, W., Lee, W.: Detecting malign encrypted network traffic using Perlin noise and convolutional neural network. In: 10th Annual Computing and Communication Workshop and Conference, CCWC 2020, Las Vegas, NV, USA, 6–8 January 2020, pp. 200–206. IEEE (2020)

    Google Scholar 

  5. Cisco: Cisco encrypted traffic analytics (2019). https://www.cisco.com/c/en/us/solutions/collateral/enterprise-networks/enterprise-network-security/nb-09-encrytd-traf-anlytcs-wp-cte-en.html

  6. Durumeric, Z., et al.: The security impact of HTTPS interception. In: Proceedings of the 24th Annual Network and Distributed System Security Symposium, NDSS San Diego, California, USA, 26 February–1 March 2017 (2017)

    Google Scholar 

  7. Erquiaga, M.J.: Malware capture facility project MCFP (2019). https://www.stratosphereips.org/datasets-malware

  8. Google: HTTPS encryption on the web. https://transparencyreport.google.com/https/overview. Accessed 29 October 2019

  9. Gu, G., Porras, P.A., Yegneswaran, V., Fong, M.W.: Bothunter: detecting malware infection through IDS-driven dialog correlation. In: Proceedings of the 16th USENIX Security Symposium, Boston, MA, USA, 6–10 August (2007)

    Google Scholar 

  10. Liu, J., Zeng, Y., Shi, J., Yang, Y., Wang, R., He, L.: Maldetect: a structure of encrypted malware traffic detection. Comput. Mat. Continua 60(2), 721–739 (2019)

    Article  Google Scholar 

  11. McGrew, D., Anderson, B., Perricone, P., Hudson, B.: Joy (2019). https://github.com/cisco/joy

  12. Moore, A.W., Zuev, D.: Internet traffic classification using Bayesian analysis techniques. In: Proceedings of the International Conference on Measurements and Modeling of Computer Systems, SIGMETRICS, Alberta, Canada, pp. 50–60 (2005)

    Google Scholar 

  13. Pedregosa, F., et al.: Scikit-learn: machine learning in Python. J. Mach. Learn. Res. 12, 2825–2830 (2011)

    MathSciNet  MATH  Google Scholar 

  14. Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446, RFC Editor, August 2018. https://rfc-editor.org/rfc/rfc8446.txt

  15. Rescorla, E., Dierks, T.: The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246, RFC Editor, August 2008. https://rfc-editor.org/rfc/rfc5246.txt

  16. Rieck, K., Holz, T., Willems, C., Düssel, P., Laskov, P.: Learning and classification of malware behavior. In: Proceedings of the Detection of Intrusions and Malware, and Vulnerability Assessment DIMVA, Paris, France, pp. 108–125 (2008)

    Google Scholar 

  17. Saltzer, J.H., Reed, D.P., Clark, D.D.: End-to-end arguments in system design. In: Proceedings of the 2nd International Conference on Distributed Computing Systems, Paris, France, 1981. pp. 509–512. IEEE Computer Society (1981)

    Google Scholar 

  18. Sharafaldin, I., Lashkari, A.H., Ghorbani, A.A.: Toward generating a new intrusion detection dataset and intrusion traffic characterization. In: Proceedings of the 4th International Conference on Information Systems Security and Privacy, ICISSP, Funchal, Madeira - Portugal, 22–24 January 2018, pp. 108–116 (2018)

    Google Scholar 

  19. Střasák, F.: Detection of HTTPS malware traffic. https://dspace.cvut.cz/bitstream/handle/10467/68528/F3-BP-2017-Strasak-Frantisek-strasak_thesis_2017.pdf (2017)

  20. Tegeler, F., Fu, X., Vigna, G., Kruegel, C.: BotFinder: finding bots in network traffic without deep packet inspection. In: Proceedings of the Conference on emerging Networking Experiments and Technologies, CoNEXT 2012, Nice, France, 10–13 December, pp. 349–360 (2012)

    Google Scholar 

  21. Wurzinger, P., Bilge, L., Holz, T., Goebel, J., Kruegel, C., Kirda, E.: Automatically generating models for botnet detection. In: Proceedings of the 14th European Symposium on Research in Computer Security ESORICS, Saint-Malo, France, 21–23 September, pp. 232–249 (2009)

    Google Scholar 

  22. Zander, S., Nguyen, T., Armitage, G.: Automated traffic classification and application identification using machine learning. In: Proceedings of the 30th Annual IEEE Conference on Local Computer Networks (LCN), 15–17 November Sydney, Australia, pp. 250–257 (2005)

    Google Scholar 

Download references

Acknowledgment

The work was carried out in the High Quality Networked Services in a Mobile World project funded partly by the Knowledge Foundation of Sweden. The authors are grateful to František Střasák for his help with the understanding and processing of the malware dataset. We would also like to acknowledge Johan Garcia and Topi Korhonen for their feedback on the experiments.

Author information

Authors and Affiliations

  1. KTH Royal Institute of Technology, Stockholm, Sweden

    Zeeshan Afzal

  2. Karlstad University, Karlstad, Sweden

    Zeeshan Afzal, Anna Brunstrom & Stefan Lindskog

  3. SINTEF Digital, Trondheim, Norway

    Stefan Lindskog

Authors
  1. Zeeshan Afzal
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Anna Brunstrom
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Stefan Lindskog
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Zeeshan Afzal .

Editor information

Editors and Affiliations

  1. Linköping University, Linköping, Sweden

    Mikael Asplund

  2. Linköping University, Linköping, Sweden

    Simin Nadjm-Tehrani

Rights and permissions

Reprints and permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Afzal, Z., Brunstrom, A., Lindskog, S. (2021). Using Features of Encrypted Network Traffic to Detect Malware. In: Asplund, M., Nadjm-Tehrani, S. (eds) Secure IT Systems. NordSec 2020. Lecture Notes in Computer Science(), vol 12556. Springer, Cham. https://doi.org/10.1007/978-3-030-70852-8_3

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-70852-8_3

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-70851-1

  • Online ISBN: 978-3-030-70852-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics