To main content

Using Features of Encrypted Network Traffic to Detect Malware

Abstract

Encryption on the Internet is as pervasive as ever. This has protected communications and enhanced the privacy of users. Unfortunately, at the same time malware is also increasingly using encryption to hide its operation. The detection of such encrypted malware is crucial, but the traditional detection solutions assume access to payload data. To overcome this limitation, such solutions employ traffic decryption strategies that have severe drawbacks. This paper studies the usage of encryption for malicious and benign purposes using large datasets and proposes a machine learning based solution to detect malware using connection and TLS metadata without any decryption. The classification is shown to be highly accurate with high precision and recall rates by using a small number of features. Furthermore, we consider the deployment aspects of the solution and discuss different strategies to reduce the false positive rate.

Category

Academic article

Language

English

Author(s)

  • Zeeshan Afzal
  • Brunstrom Anna
  • Stefan Lindskog

Affiliation

  • Karlstad University
  • Royal Institute of Technology
  • SINTEF Digital / Software Engineering, Safety and Security

Year

2021

Published in

Lecture Notes in Computer Science (LNCS)

ISSN

0302-9743

Publisher

Springer

Volume

12556

Page(s)

37 - 53

View this publication at Cristin