Malware abuses TLS to encrypt its malicious traffic, preventing examination by content signatures and deep packet inspection. Network detection of malicious TLS flows is an important, but challenging, problem. Prior works have proposed supervised machine learning detectors using TLS features. However, by trying to represent all malicious traffic, supervised binary detectors produce models that are too loose, thus introducing errors. Furthermore, they do not distinguish flows generated by different malware. On the other hand, supervised multi-class detectors produce tighter models and can classify flows by malware family, but require family labels, which are not available for many samples. To address these limitations, this work proposes a novel unsupervised approach to detect and cluster malicious TLS flows. Our approach takes as input network traces from sandboxes. It clusters similar TLS flows using 90 features that capture properties of the TLS client, TLS server, certificate, and encrypted payload; and uses the clusters to build an unsupervised detector that can assign a malicious flow to the cluster it belongs to, or determine it is benign. We evaluate our approach using 972K traces from a commercial sandbox and 35M TLS flows from a research network. Our clustering shows very high precision and recall with an F1 score of 0.993. We compare our unsupervised detector with two state-of-the-art approaches, showing that it outperforms both. The false detection rate of our detector is 0.032% measured over four months of traffic.
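The pipeline the abstract sketches (feature vectors per TLS flow, clustering of sandbox flows, then a detector that assigns a new flow to a cluster or calls it benign) as an added illustration, not the paper's code or data. It assumes a seven-feature toy subset in place of the paper's 90 features, a constructed sandbox set of twelve flows from three made-up families, and single-linkage clustering under a distance threshold as a stand-in for whatever clustering algorithm the paper uses; the family tags exist only to score the clustering with pairwise precision and recall, the clustering itself never sees them.

```python
# Added example (not the paper's code): unsupervised clustering of TLS flow
# feature vectors plus a cluster-based detector. Feature names and all flows
# below are constructed for illustration.
from itertools import combinations

# Assumed toy feature subset; the paper describes 90 features spanning the
# TLS client, TLS server, certificate and encrypted payload.
FEATURES = ["client_cipher_count", "client_ext_count", "cert_validity_days",
            "cert_self_signed", "first_app_record_len", "sni_len",
            "server_ext_count"]

# Constructed sandbox flows: (family tag, feature vector). The tag is used
# only to score the clustering afterwards.
SANDBOX_FLOWS = [
    ("fam_a", [12, 5, 365, 1, 200, 0, 2]),
    ("fam_b", [28, 11, 825, 0, 1300, 15, 6]),
    ("fam_c", [5, 2, 3650, 1, 80, 0, 1]),
    ("fam_a", [12, 5, 365, 1, 210, 0, 2]),
    ("fam_b", [28, 11, 825, 0, 1320, 15, 6]),
    ("fam_c", [5, 2, 3650, 1, 84, 0, 1]),
    ("fam_a", [13, 5, 370, 1, 205, 0, 2]),
    ("fam_b", [27, 11, 830, 0, 1290, 14, 6]),
    ("fam_c", [6, 2, 3650, 1, 80, 0, 1]),
    ("fam_a", [12, 6, 365, 1, 198, 0, 2]),
    ("fam_b", [28, 12, 825, 0, 1310, 15, 6]),
    ("fam_c", [5, 2, 3655, 1, 82, 0, 1]),
]
EPS = 0.25  # distance threshold in min-max scaled space (assumed value)


def fit_scaler(vectors):
    """Per-feature (min, max) learned from the sandbox set only."""
    return [(min(col), max(col)) for col in zip(*vectors)]


def scale(vec, scaler):
    """Min-max scale a raw vector; unseen values may fall outside [0, 1]."""
    return [(x - lo) / (hi - lo) if hi > lo else 0.0
            for x, (lo, hi) in zip(vec, scaler)]


def distance(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b)) ** 0.5


def cluster_flows(scaled, eps):
    """Single-linkage clustering with union-find: any two flows closer than
    eps are merged, so cluster ids are independent of input order."""
    parent = list(range(len(scaled)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in combinations(range(len(scaled)), 2):
        if distance(scaled[i], scaled[j]) < eps:
            parent[find(i)] = find(j)
    roots = {}
    return [roots.setdefault(find(i), len(roots)) for i in range(len(scaled))]


def build_detector(scaled, labels):
    """One centroid per cluster; this is the unsupervised detector's model."""
    members = {}
    for vec, lab in zip(scaled, labels):
        members.setdefault(lab, []).append(vec)
    return {lab: [sum(col) / len(col) for col in zip(*vecs)]
            for lab, vecs in members.items()}


def detect(raw_vec, scaler, centroids, eps):
    """Assign a flow to the nearest cluster if it lies within eps of that
    cluster's centroid; otherwise return None, meaning benign."""
    vec = scale(raw_vec, scaler)
    lab, dist = min(((lab, distance(vec, c)) for lab, c in centroids.items()),
                    key=lambda t: t[1])
    return lab if dist < eps else None


def pairwise_f1(labels, truth):
    """Pairwise precision/recall F1 of a clustering against family tags."""
    tp = fp = fn = 0
    for i, j in combinations(range(len(labels)), 2):
        same_cluster, same_family = labels[i] == labels[j], truth[i] == truth[j]
        tp += same_cluster and same_family
        fp += same_cluster and not same_family
        fn += same_family and not same_cluster
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return 2 * precision * recall / (precision + recall) if precision + recall else 0.0


# Build the model from the constructed sandbox set.
SCALER = fit_scaler([vec for _, vec in SANDBOX_FLOWS])
SCALED = [scale(vec, SCALER) for _, vec in SANDBOX_FLOWS]
LABELS = cluster_flows(SCALED, EPS)
CENTROIDS = build_detector(SCALED, LABELS)

if __name__ == "__main__":
    families = [fam for fam, _ in SANDBOX_FLOWS]
    print("clusters:", len(CENTROIDS), "pairwise F1:", pairwise_f1(LABELS, families))
    # A new flow resembling fam_a, and a constructed browser-like benign flow.
    print("new fam_a-like flow ->", detect([12, 5, 365, 1, 215, 0, 2], SCALER, CENTROIDS, EPS))
    print("benign-looking flow  ->", detect([40, 14, 90, 0, 1500, 22, 8], SCALER, CENTROIDS, EPS))
```

The benign decision here is purely a distance rejection: a flow that is not close to any malicious cluster is treated as benign, which is the shape of the "assign to its cluster, or determine it is benign" behaviour the abstract describes. The threshold `EPS` is the knob that trades false detections against missed variants, so it would be tuned on held-out traffic rather than fixed as above.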