Abstract
Network-based intrusion detections become more difficult as Internet traffic is mostly encrypted. This paper introduces a method to detect encrypted malicious traffic based on the Transport Layer Security handshake and payload features without waiting for the traffic session to finish while preserving privacy. Our method, called TLS2Vec, creates words from the extracted features and uses Long Short-Term Memory (LSTM) for inference. We evaluated our method using traffic from three malicious applications and a benign application that we obtained from two publicly available datasets. Our results showed that TLS2Vec is promising as a tool to detect such malicious traffic.
Highlights
Most Internet traffic is encrypted, which can be seen in the number of active certificates issued by Let’s Encrypt [1], Firefox Telemetry [2], and Google transparency report [3]
The traffic encryption prevents a traditional Network Intrusion Detection System (NIDS) from inspecting the payload, which is crucial to determine whether the traffic is benign or malicious
The contribution of this paper is a method for detecting malicious traffic using a TLS session before the conversation finishes between client and server
Summary
Most Internet traffic is encrypted, which can be seen in the number of active certificates issued by Let’s Encrypt [1], Firefox Telemetry [2], and the Google transparency report [3]. Along with this change, malware has started to use TLS to hide its malicious activities. Port-based inspection can classify traffic according to the service name and port number registry assigned by the Internet Assigned Numbers Authority (IANA) [7]. This approach does not work correctly if the application changes to a custom port. The use of flow attributes such as packet length, inter-arrival time, and flow duration makes it unnecessary to dissect the payload and avoids breaching the user’s privacy [12].
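The abstract and the summary above describe the core idea: extract features from the TLS handshake and from the record-level "payload" early in the session, turn them into words, and feed the word sequence to an LSTM. The following added example (not the TLS2Vec authors' code) shows one way such a tokeniser could look in Python. The word scheme (prefixes such as ver_, cs_, ext_ and rec_, and the power-of-two length bucket) is an assumption made here for illustration, not the paper's vocabulary; the ClientHello bytes are constructed for the example rather than captured from a real client.

```python
"""Turn TLS handshake and record-level features into 'words' for a sequence model.

Added illustration (not the TLS2Vec authors' code): the word scheme below is an
assumption about how such features could be tokenised, not the paper's scheme.
"""
import struct

CONTENT_TYPES = {0x14: "ccs", 0x15: "alert", 0x16: "hs", 0x17: "app"}


def build_client_hello(cipher_suites, extensions):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input only)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session id
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                               # one compression method: null
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Parse version, cipher suites and extension types out of a ClientHello record."""
    if len(record) < 9 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[0:2])[0]
    pos = 2 + 32                                      # skip client_random
    pos += 1 + body[pos]                              # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                              # skip compression methods
    ext_types = []
    if pos + 2 <= len(body):
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            ext_types.append(ext_type)
            pos += 4 + ext_len                        # extension values are never read
    return {"version": version, "cipher_suites": suites, "extensions": ext_types}


def handshake_words(record):
    """Words from the ClientHello. Only extension *types* are kept: the SNI host
    name and other values stay out of the vocabulary, so the model never sees them."""
    h = parse_client_hello(record)
    words = [f"ver_{h['version']:04x}"]
    words += [f"cs_{c:04x}" for c in h["cipher_suites"]]
    words += [f"ext_{t:04x}" for t in h["extensions"]]
    return words


def record_words(stream, max_records=8):
    """Words from the first few record headers of a stream: content type plus a
    coarse (power-of-two) length bucket, so encrypted payload is never decoded and
    the session does not have to finish before the words are available."""
    words, pos = [], 0
    while pos + 5 <= len(stream) and len(words) < max_records:
        ctype, length = stream[pos], struct.unpack("!H", stream[pos + 3:pos + 5])[0]
        words.append(f"rec_{CONTENT_TYPES.get(ctype, 'unk')}_b{length.bit_length()}")
        pos += 5 + length
    return words


if __name__ == "__main__":
    sni = b"example.test"                             # constructed host name
    sni_ext = struct.pack("!H", len(sni) + 3) + b"\x00" + struct.pack("!H", len(sni)) + sni
    hello = build_client_hello([0xC02F, 0xC030, 0x00FF],
                               [(0x0000, sni_ext), (0x000D, b"\x00\x02\x04\x01")])
    print(handshake_words(hello))                     # handshake words
    print(record_words(hello + b"\x17\x03\x03\x00\x40" + bytes(64)))  # record words
```

The word lists produced by handshake_words and record_words would then be mapped to integer ids and fed to an embedding layer in front of the LSTM. Keeping only extension types and bucketed record lengths is what makes the representation privacy-preserving in the sense the summary describes: the host name and the encrypted payload never enter the model's input.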