Indicators of malicious SSL connections

bookPart
Internet applications use SSL to provide data confidentiality to communicating entities. The use of encryption in SSL makes it impossible to distinguish between benign and malicious connections as the content cannot be inspected. Therefore, we propose and evaluate a set of indicators for malicious SSL connections, which is based on the unencrypted part of SSL (i.e., the SSL handshake protocol). We provide strong evidence for the strength of our indicators to identify malicious connections by cross-checking on blacklists from professional services. Besides the confirmation of prior research results through our indicators, we also found indications for a potential (not yet blacklisted) botnet on SSL. We consider the analysis of such SSL threats as highly relevant and hope that our findings stimulate the research community to further study this direction. © Springer International Publishing Switzerland 2015.
TNO Identifier
531060
Publisher
Springer Verlag
Source title
Network and System Security : 9th International Conference on Network and System Security, NSS 2015, 3-5 November 2015, New York, NY, USA
Editor(s)
Xu, S.
Qiu, M.
Zhang, H.
Yung, M.
Place of publication
Switzerland
Pages
162-175