A Review on TLS Encryption Malware Detection: TLS Features, Machine Learning Usage, and Future Directions

  • Conference paper
  • Advances in Cyber Security (ACeS 2021)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 1487)


Abstract

With the growth of internet encryption to protect users’ privacy, malware has evolved to employ encryption protocols such as TLS/SSL to obfuscate the contents of malicious communications. Unfortunately, decrypting network data before it reaches a signature-based Intrusion Detection System (IDS) in order to identify TLS-based malware is impractical, since it adds infrastructure complexity and compromises user privacy. As a result, various studies have moved to investigate anomaly-based detection without decryption, using different TLS features and techniques such as Machine Learning (ML). This paper reviews TLS-based malware anomaly detection studies and analyzes how TLS features and machine learning are employed in these works, in order to better understand the field’s current state. Furthermore, this study highlights the strengths of the related research and offers several recommendations addressing its shortcomings and the TLS features that future effective detection systems should consider.



Author information


Corresponding author: Kinan Keshkeh.


Copyright information

© 2021 Springer Nature Singapore Pte Ltd.

About this paper


Cite this paper

Keshkeh, K., Jantan, A., Alieyan, K., Gana, U.M. (2021). A Review on TLS Encryption Malware Detection: TLS Features, Machine Learning Usage, and Future Directions. In: Abdullah, N., Manickam, S., Anbar, M. (eds) Advances in Cyber Security. ACeS 2021. Communications in Computer and Information Science, vol 1487. Springer, Singapore. https://doi.org/10.1007/978-981-16-8059-5_13


  • DOI: https://doi.org/10.1007/978-981-16-8059-5_13


  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-16-8058-8

  • Online ISBN: 978-981-16-8059-5

  • eBook Packages: Computer Science (R0)
