Abstract

Cobalt Strike is the most prevalent attack tool abused by cyber-criminals to achieve command and control over victim hosts via HTTPS traffic. It appears in many ransomware and espionage attacks, threatening public privacy and national security, so detecting Cobalt Strike HTTPS traffic effectively is of significant value. However, existing methods can be easily deceived by the variable infrastructures or disguised certificates used by attackers, or they fail to adequately capture the multiple aspects of encrypted traffic and the interrelations among them. To overcome these limitations, this paper proposes a Plaintext-aware Encrypted Traffic Detection Network (PETNet) to identify Cobalt Strike HTTPS traffic. PETNet contains three main modules: (1) Meta Information Modeling, which parses handshake payloads into semantically explicit, identity-agnostic meta features, so that detection is not disturbed by infrastructure or certificate changes; (2) Sequential Information Modeling, which models the interaction between attackers and victims with a Transformer encoder and captures the interrelations among the multiple aspects of the traffic through a meta-information-guided attention mechanism, realizing configuration-aware encoding of the encrypted contents; (3) Fusion & Prediction, which fuses the interrelated meta information and sequential information to make the final prediction. We conduct extensive experiments on one closed-world and four open-world datasets. PETNet outperforms the best baseline by 53.42% in F1-score on average and remains robust to concept drift over a test period of 14 months, demonstrating its effectiveness and generalization ability.
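The abstract describes the Meta Information Modeling module as parsing handshake payloads into identity-agnostic meta features. The following added example (not code from the paper or its authors) illustrates that idea on a TLS ClientHello: it walks the handshake structure and keeps only configuration fields (version, cipher suites, compression, extension types, whether SNI is present) while discarding identity-bearing values such as the SNI hostname and the client random. The sample record is constructed inline, and the chosen feature set is an assumption for illustration; the paper's actual feature definitions are not given on this page.

```python
import struct

# Constructed sample ClientHello (TLS 1.2 framing, RFC 5246 layout); the values are
# made up for this example and are not traffic from the paper's datasets.
def build_sample_client_hello() -> bytes:
    body = b"\x03\x03" + bytes(32) + b"\x00"                  # version, random, empty session_id
    suites = [0xC02B, 0xC02F, 0x009C, 0x002F]
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                        # compression: null only
    host = b"cdn.example.net"                                  # identity-bearing value we must not keep
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry
    exts = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data
    exts += struct.pack("!HH", 0x000A, 4) + b"\x00\x02\x00\x1d"  # supported_groups: x25519
    exts += struct.pack("!HH", 0x000D, 4) + b"\x00\x02\x04\x03"  # signature_algorithms
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs   # record type 22 = handshake

def client_hello_meta_features(record: bytes) -> dict:
    """Walk the ClientHello and keep only fields that describe the client's
    configuration, never the peer identity (SNI hostname and random are dropped)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    p = 9                                                      # past record (5) + handshake (4) headers
    version = struct.unpack_from("!H", record, p)[0]; p += 2
    p += 32                                                    # client random: skipped
    p += 1 + record[p]                                         # session_id: skipped
    n = struct.unpack_from("!H", record, p)[0]; p += 2
    suites = [struct.unpack_from("!H", record, p + i)[0] for i in range(0, n, 2)]; p += n
    n = record[p]; p += 1
    compression = list(record[p:p + n]); p += n
    end = p + 2 + struct.unpack_from("!H", record, p)[0]; p += 2
    ext_types, sni_present = [], False
    while p < end:
        etype, elen = struct.unpack_from("!HH", record, p); p += 4
        ext_types.append(etype)
        if etype == 0x0000:
            sni_present = True                                 # presence only, hostname discarded
        p += elen
    return {"version": version, "cipher_suites": suites, "compression": compression,
            "extension_types": ext_types, "sni_present": sni_present,
            "handshake_len": len(record) - 5}
```

Because the hostname never enters the feature dictionary, swapping the redirector domain or certificate leaves these features unchanged, which is the property the abstract attributes to identity-agnostic meta features.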
