
Indicators of Malicious SSL Connections

Conference paper

Network and System Security (NSS 2015)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9408)

Abstract

Internet applications use SSL to provide data confidentiality to communicating entities. Because SSL encrypts the payload, the content of a connection cannot be inspected, which makes it impossible to distinguish benign from malicious connections on that basis. Therefore, we propose and evaluate a set of indicators for malicious SSL connections that is based on the unencrypted part of SSL (i.e., the SSL handshake protocol). We provide strong evidence for the ability of our indicators to identify malicious connections by cross-checking them against blacklists from professional services. Besides confirming prior research results through our indicators, we also found indications of a potential (not yet blacklisted) botnet operating over SSL. We consider the analysis of such SSL threats highly relevant and hope that our findings stimulate the research community to study this direction further.



Author information

Correspondence to Riccardo Bortolameotti.


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Bortolameotti, R., Peter, A., Everts, M.H., Bolzoni, D. (2015). Indicators of Malicious SSL Connections. In: Qiu, M., Xu, S., Yung, M., Zhang, H. (eds) Network and System Security. NSS 2015. Lecture Notes in Computer Science, vol. 9408. Springer, Cham. https://doi.org/10.1007/978-3-319-25645-0_11

  • DOI: https://doi.org/10.1007/978-3-319-25645-0_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-25644-3

  • Online ISBN: 978-3-319-25645-0

  • eBook Packages: Computer Science (R0)
